Symptoms: browser shows a corporate CA in certificate chain (not original CA), or error only occurs on office network. Fix:
If your computer’s date or time is off by even a few minutes, the certificate will appear "expired" or "not yet valid."
Fix: Sync your system clock.
Still stuck? Run through this:
| Step | Action |
|------|--------|
| ✅ | Is your system date/time correct? |
| ✅ | Can you browse to https://your-vpn-gateway.com in a browser? (Check for browser security warnings) |
| ✅ | Did you recently update your OS or antivirus? |
| ✅ | Have you tried the Refresh button in GlobalProtect settings? |
| ✅ | When in doubt, uninstall the GlobalProtect app, reboot, and reinstall fresh. |
If the client’s system date/time is wrong, certificate validity dates will fail.
Solution:
GlobalProtect is paranoid by design—and that’s a good thing. When your laptop tries to connect to the VPN gateway, it performs a handshake. The server presents a digital certificate (like a digital passport). Your laptop checks three things:
If any of those three checks fail, you get the error.
Mark the root certificate as Always Trust in Keychain Access. globalprotect vpn failed to verify certificate
If the quick checks fail, we must dig deeper based on your operating system.
Log into the Palo Alto Firewall (Panorama or local GUI):