https://live.paloaltonetworks.com/t5/globalprotect-discussions/portal-gateway-certificate-renewals-automation/m-p/1250878#M7327 <P>Thanks for the tips and links, Tom. I'll look into them and see if I can make it work.At least there's a starting point, and even if I am not real savvy on the code side, I have people who are and can probably help</P> <P>&nbsp;</P> <P>It's a shame that PA can't/won't build this into the product automatically - a security company who can't simplify maintaining one of the core requirements for security is not real impressive.</P> Tue, 24 Mar 2026 23:38:45 GMT darren_g 2026-03-24T23:38:45Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/portal-gateway-certificate-renewals-automation/m-p/1250800#M7325 <P>Greetings</P> <P>&nbsp;</P> <P>With the continued push for shorter and shorter SSL certificate validation periods coming rapidly to a head (in case you missed it - maximum SSL certificate validity is now 200 days, will go down to 100 days in March 2027, and 47 days in 2029), I'm looking for a way to automate SSL certificate renewals on my Global Protect gateways/portals.</P> <P>&nbsp;</P> <P>Has anyone com up with a solution that works? Some way of automating SSL renewal - be it via something like LetsEncrypt or a regular CA's process?</P> <P>&nbsp;</P> <P>Please, if you have - share your magic! Having to remember to renew portal/gateway certs every 46 days is going to suck.</P> Tue, 24 Mar 2026 04:42:39 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/portal-gateway-certificate-renewals-automation/m-p/1250800#M7325 darren_g 2026-03-24T04:42:39Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/portal-gateway-certificate-renewals-automation/m-p/1250844#M7326 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/2280">@darren_g</a>&nbsp;,</P> <P>&nbsp;</P> <P>I haven't tried it. but this looks easy and effective.&nbsp;&nbsp;<A href="https://www.linkedin.com/pulse/can-we-configure-palo-alto-firewalls-automatically-obtain-joe-brunner-qrxoe/" target="_blank">https://www.linkedin.com/pulse/can-we-configure-palo-alto-firewalls-automatically-obtain-joe-brunner-qrxoe/</A>&nbsp; It looks like it could use a couple tweaks.&nbsp; I could easily come up with CURL commands to do the tasks via API in step 6.&nbsp; You don't need to update the GP portal or gateway, only update the current SSL/TLS Service profile to use the new certificate.&nbsp; With the CURL commands, everything could be done in one bash script.</P> <P>&nbsp;</P> <P>Here is a similar article.&nbsp;&nbsp;<A href="https://medium.com/palo-alto-networks-developer-blog/costless-automated-trusted-certificates-on-palo-alto-networks-firewalls-5b2930b2893f" target="_blank">https://medium.com/palo-alto-networks-developer-blog/costless-automated-trusted-certificates-on-palo-alto-networks-firewalls-5b2930b2893f</A></P> <P>&nbsp;</P> <P>Let's see if anyone posts a fully developed and tested script.&nbsp; Otherwise, I may work on it.</P> <P>&nbsp;</P> <P>More and more CAs are using ACMEv2.&nbsp; So, the method should work with a lot of different CAs.</P> <P>&nbsp;</P> <P>PANW has some Next-Gen Trust Security feature that integrates with SCM (for a fee?).&nbsp;&nbsp;<A href="https://docs.paloaltonetworks.com/next-gen-trust-security/next-gen-trust-security/about-vaas/configurations-overview/acme-server-overview/configure-acme-server-connection" target="_blank">https://docs.paloaltonetworks.com/next-gen-trust-security/next-gen-trust-security/about-vaas/configurations-overview/acme-server-overview/configure-acme-server-connection</A>&nbsp;&nbsp;At the bottom it says that it does not support automated certificate renewal! What's the point?</P> <P>&nbsp;</P> <P>Do we really want a built-in ACMEv2 client on each NGFW?&nbsp; Then each will try to renew the same certificate multiple times?&nbsp; This may be a good feature for Panorama, or SCM once they get the bugs worked out.&nbsp; Doing it once for the organization makes sense.&nbsp; If you don't use either, a standalone Linux server and script should be easy enough.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Tue, 24 Mar 2026 19:04:30 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/portal-gateway-certificate-renewals-automation/m-p/1250844#M7326 TomYoung 2026-03-24T19:04:30Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/portal-gateway-certificate-renewals-automation/m-p/1250878#M7327 <P>Thanks for the tips and links, Tom. I'll look into them and see if I can make it work.At least there's a starting point, and even if I am not real savvy on the code side, I have people who are and can probably help</P> <P>&nbsp;</P> <P>It's a shame that PA can't/won't build this into the product automatically - a security company who can't simplify maintaining one of the core requirements for security is not real impressive.</P> Tue, 24 Mar 2026 23:38:45 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/portal-gateway-certificate-renewals-automation/m-p/1250878#M7327 darren_g 2026-03-24T23:38:45Z