https://live.paloaltonetworks.com/t5/globalprotect-discussions/gp-certificates-and-ssl-decryption/m-p/418848#M1507 <P>Hi All,</P><P>&nbsp;</P><P>I have configured GP in PreLogon mode so there is a machine certificate deployed.</P><P>&nbsp;</P><P>My certificates are locally generated on the Palo Alto. The Local CA certificate is due to expire and the SubCA expires shortly after. What will happen to user connections if I renew both certificates for another year using the renew button. Am I going to have to export the new certificate to all devices that connect using GP PreLogon? Just being cautious to not prevent outage.</P><P>&nbsp;</P><P>Also, with the same Local CA - is it okay to create further SubCA for SSL Forward Encrypt and Forward Decrypt? Apologies for a simple question, I cannot have an outage on this user so just validating my thoughts (which is yes).</P><P>&nbsp;</P><P>Regards</P><P>&nbsp;</P><P>Adrian</P> Tue, 13 Jul 2021 13:14:28 GMT a.jones 2021-07-13T13:14:28Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/gp-certificates-and-ssl-decryption/m-p/418848#M1507 <P>Hi All,</P><P>&nbsp;</P><P>I have configured GP in PreLogon mode so there is a machine certificate deployed.</P><P>&nbsp;</P><P>My certificates are locally generated on the Palo Alto. The Local CA certificate is due to expire and the SubCA expires shortly after. What will happen to user connections if I renew both certificates for another year using the renew button. Am I going to have to export the new certificate to all devices that connect using GP PreLogon? Just being cautious to not prevent outage.</P><P>&nbsp;</P><P>Also, with the same Local CA - is it okay to create further SubCA for SSL Forward Encrypt and Forward Decrypt? Apologies for a simple question, I cannot have an outage on this user so just validating my thoughts (which is yes).</P><P>&nbsp;</P><P>Regards</P><P>&nbsp;</P><P>Adrian</P> Tue, 13 Jul 2021 13:14:28 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/gp-certificates-and-ssl-decryption/m-p/418848#M1507 a.jones 2021-07-13T13:14:28Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/gp-certificates-and-ssl-decryption/m-p/418959#M1508 <P>for your pre-logon...&nbsp; &nbsp;are you talking about exporting a new machine cert as i was never aware that the root or subca needed to be exported for pre-logon to work...</P> Tue, 13 Jul 2021 15:20:20 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/gp-certificates-and-ssl-decryption/m-p/418959#M1508 Mick_Ball 2021-07-13T15:20:20Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/gp-certificates-and-ssl-decryption/m-p/427272#M1618 <P>I played about with this and came up with a solution. The certificate extension using the renew button had no impact on my user connections but had to be pushed out to users.</P><P>&nbsp;</P><P>I created the Root cert for SSL decryption and the intermediates for Decrption Forward Trust and Untrust. All worked well. I also created a seperate certificate for the new Machine Cert and this tested okay. Simplified the solution and labelled the certs so there is better understanding for other engineers.</P> Tue, 17 Aug 2021 08:22:33 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/gp-certificates-and-ssl-decryption/m-p/427272#M1618 a.jones 2021-08-17T08:22:33Z