Came across this while rolling out Palo Alto GlobalProtect. The knowledge base article suggests installing the cert in the browser’s store, which isn’t really helpful in understanding what the cause or solution was in my case.


There’s also its cousin, which complains about a missing client certificate when connecting to the Gateway:


The problem lies in the Certificate Profile configuration. I had understood this to be a way to chain intermediate certs; in fact, that happens automatically. Rather, this setting controls the CA for client-side certs. If you’re not using client-side certs, the configuration needs to be as follows:

In the GlobalProtect Portal configuration, Authentication tab, Certificate Profile should be “None”.


In the GlobalProtect Gateway configuration, Authentication tab, Certificate Profile needs to be set to the CA that issued the server SSL/TLS cert. If you are really planning to use client-side certs, then the Certificate Profile should be set to their CA.