Perform these three rapid checks before moving to advanced troubleshooting.
| Cause | Description | |-------|-------------| | | Gateway uses a self-signed cert not installed on the client device. | | Missing intermediate CA | The full certificate chain is not present on the client. | | Expired certificate | Gateway’s certificate is past its validity period. | | Hostname mismatch | Client connects to vpn.company.com , but certificate is for gateway.company.com . | | Untrusted root CA | The root CA that signed the gateway’s cert is not in the client’s trusted store. | | Revoked certificate | Certificate is revoked and client checks CRL/OCSP (often fails if CRL endpoint unreachable). | | System time wrong | Client date/time is outside certificate’s validity window. | | Corporate proxy/SSL inspection | Proxy intercepts traffic and presents its own certificate, which the client doesn’t trust for GlobalProtect. | globalprotect vpn failed to verify certificate
: Go to System Preferences > Date & Time and ensure "Set date and time automatically" is checked. 2. Verify the Portal Address in a Browser Perform these three rapid checks before moving to
: The server address you are connecting to doesn't match the Common Name (CN) or Subject Alternative Name (SAN) on the certificate. | | Expired certificate | Gateway’s certificate is
GlobalProtect is paranoid by design—and that’s a good thing. When your laptop tries to connect to the VPN gateway, it performs a handshake. The server presents a digital certificate (like a digital passport). Your laptop checks three things: