https://live.paloaltonetworks.com/t5/next-generation-firewall/generate-certificate-to-be-signed-by-public-ca-for-global/m-p/550201#M1552 <P>In addition to what&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/55733">@rmfalconer</a>&nbsp;said, be sure to add SAN entries ("Host Name" field under Certificate Attributes) for the certificate. CN (Common Name) is no longer used for hostname certificate validation, the SAN is. Also, you can have multiple SANs under a single certificate and you can have a single certificate that covers multiple Portals and Gateways.</P> <P>&nbsp;</P> <P>I run a combined certificate with a default FQDN as the CN and all my explicit Portal and Gateway FQDNs as SANs on the same certificate. I.e. a CSR to be signed by an external auth with:</P> <P class="lia-indent-padding-left-30px">Certificate Name = VPN_Certs</P> <P class="lia-indent-padding-left-30px">Common Name = vpn.example.com</P> <P class="lia-indent-padding-left-30px">Signed By - External Authority</P> <P class="lia-indent-padding-left-30px">Certificate attributes:</P> <P class="lia-indent-padding-left-30px">&nbsp; County = US</P> <P class="lia-indent-padding-left-30px">&nbsp; State = Allstate</P> <P class="lia-indent-padding-left-30px">&nbsp; Locality = Anytown</P> <P class="lia-indent-padding-left-30px">&nbsp; Organization = Acme Corporation</P> <P class="lia-indent-padding-left-30px">&nbsp; Host name = vpn.example.com</P> <P class="lia-indent-padding-left-30px">&nbsp; Host name = vpn-portal-a.example.com</P> <P class="lia-indent-padding-left-30px">&nbsp; Host name = vpn-gateway-a.example.com</P> <P class="lia-indent-padding-left-30px">&nbsp; Host name = vpn-portal-b.example.com</P> <P class="lia-indent-padding-left-30px">&nbsp; Host name = vpn-gateway-b.example.com</P> Thu, 20 Jul 2023 17:28:44 GMT Adrian_Jensen 2023-07-20T17:28:44Z https://live.paloaltonetworks.com/t5/next-generation-firewall/generate-certificate-to-be-signed-by-public-ca-for-global/m-p/549335#M1512 <P>Hi All,</P> <P>&nbsp;</P> <P>We would like to use our GlobalProtect VPN using certificate signed by Public CA.</P> <P>As the CA team is requesting to generate CSR from Palo Alto Firewall , can I follow below article to generate?</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSxCAK" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSxCAK</A></P> <P>&nbsp;</P> <P>And we have two ISPs connected to PaloAlto Firewalls and we have two GlobalProtect VPN Gateways configured. If I want to use Public signed CA for both gateways , I need to generate separate CSR for each gateway right?</P> <P>&nbsp;</P> <P>And when generating CSR , in the common name session , can I use public ip address instead of FQDN?</P> <P>&nbsp;</P> <P>Please help me to confirm.</P> <P>&nbsp;</P> <P>Thank you</P> <P>&nbsp;</P> Fri, 14 Jul 2023 03:07:54 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/generate-certificate-to-be-signed-by-public-ca-for-global/m-p/549335#M1512 EvanRaci 2023-07-14T03:07:54Z https://live.paloaltonetworks.com/t5/next-generation-firewall/generate-certificate-to-be-signed-by-public-ca-for-global/m-p/550193#M1551 <P>You can follow that link to generate a CSR.</P> <P>You should generate a CSR on each node.</P> <P>Public authorities will not include IP addresses as CN or SAN entries. You'll need to use FQDN.</P> Thu, 20 Jul 2023 16:01:15 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/generate-certificate-to-be-signed-by-public-ca-for-global/m-p/550193#M1551 rmfalconer 2023-07-20T16:01:15Z https://live.paloaltonetworks.com/t5/next-generation-firewall/generate-certificate-to-be-signed-by-public-ca-for-global/m-p/550201#M1552 <P>In addition to what&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/55733">@rmfalconer</a>&nbsp;said, be sure to add SAN entries ("Host Name" field under Certificate Attributes) for the certificate. CN (Common Name) is no longer used for hostname certificate validation, the SAN is. Also, you can have multiple SANs under a single certificate and you can have a single certificate that covers multiple Portals and Gateways.</P> <P>&nbsp;</P> <P>I run a combined certificate with a default FQDN as the CN and all my explicit Portal and Gateway FQDNs as SANs on the same certificate. I.e. a CSR to be signed by an external auth with:</P> <P class="lia-indent-padding-left-30px">Certificate Name = VPN_Certs</P> <P class="lia-indent-padding-left-30px">Common Name = vpn.example.com</P> <P class="lia-indent-padding-left-30px">Signed By - External Authority</P> <P class="lia-indent-padding-left-30px">Certificate attributes:</P> <P class="lia-indent-padding-left-30px">&nbsp; County = US</P> <P class="lia-indent-padding-left-30px">&nbsp; State = Allstate</P> <P class="lia-indent-padding-left-30px">&nbsp; Locality = Anytown</P> <P class="lia-indent-padding-left-30px">&nbsp; Organization = Acme Corporation</P> <P class="lia-indent-padding-left-30px">&nbsp; Host name = vpn.example.com</P> <P class="lia-indent-padding-left-30px">&nbsp; Host name = vpn-portal-a.example.com</P> <P class="lia-indent-padding-left-30px">&nbsp; Host name = vpn-gateway-a.example.com</P> <P class="lia-indent-padding-left-30px">&nbsp; Host name = vpn-portal-b.example.com</P> <P class="lia-indent-padding-left-30px">&nbsp; Host name = vpn-gateway-b.example.com</P> Thu, 20 Jul 2023 17:28:44 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/generate-certificate-to-be-signed-by-public-ca-for-global/m-p/550201#M1552 Adrian_Jensen 2023-07-20T17:28:44Z