https://live.paloaltonetworks.com/t5/general-topics/certificate-ssl-self-signed-expired-gp-ssl-tls-profile-global/m-p/526863#M108882 <P>As&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/77347">@TomYoung</a>&nbsp;suggested.</P> <P>1. Generate new CA cert on Palo.</P> <P>2. Push it to clients.</P> <P>3. Generate new cert and sign with CA cert from step 1.</P> <P>4. Configure new cert for portal and gateway.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Raido_Rattameister_0-1673567182597.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/46962i387273111EC588B4/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Raido_Rattameister_0-1673567182597.png" alt="Raido_Rattameister_0-1673567182597.png" /></span></P> <P>&nbsp;</P> Thu, 12 Jan 2023 23:46:31 GMT Raido_Rattameister 2023-01-12T23:46:31Z https://live.paloaltonetworks.com/t5/general-topics/certificate-ssl-self-signed-expired-gp-ssl-tls-profile-global/m-p/526850#M108880 <P class="">Hello Live Community,&nbsp;how are you doing?</P> <P class="">&nbsp;</P> <P class="">I have the following doubt and concern</P> <P class="">&nbsp;</P> <P class="">If I have a PA configured with a Self Signed SSL certificate for Global Protect use, SSL/TLS profile for GP, and that certificate is is close to expiring.</P> <P class="">&nbsp;</P> <P class="">All the workstations that have the global protect client, have the certificate installed, so that it is recognized as a trusted entity, in the computers (since it is self-signed by the same PA).</P> <P class="">&nbsp;</P> <P class="">Now if I renew that certificate Self-Signed in the Palo Alto Networks Firewall, will I have to download and reinstall that certificate on each workstation?</P> <P class="">&nbsp;</P> <P class="">Granted, it's not best practice, but some clients, for better or worse, have it that way.</P> <P class="">&nbsp;</P> <P>I think and I want to confirm, in theory I think that when the renewal is done there will be a change, it will cause a change in the self-signed certificate in the FW PA, as is the extension of its period of validity, therefore I think that when the certificate expires and if not installed the certificate that has the time renewal, will not allow the connection to the workstations with the Global Protect client installed, therefore I think if it will be necessary to download and install the certificate once the renewal is done.</P> <P class="">&nbsp;</P> <P class="">Please your comments, suggestions, tips regarding</P> <P class="">&nbsp;</P> <P class="">Thanks for your time</P> <P class="">&nbsp;</P> <P class="">Cheers&nbsp;</P> Thu, 12 Jan 2023 22:21:36 GMT https://live.paloaltonetworks.com/t5/general-topics/certificate-ssl-self-signed-expired-gp-ssl-tls-profile-global/m-p/526850#M108880 Metgatz 2023-01-12T22:21:36Z https://live.paloaltonetworks.com/t5/general-topics/certificate-ssl-self-signed-expired-gp-ssl-tls-profile-global/m-p/526861#M108881 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/179185">@Metgatz</a> ,</P> <P>&nbsp;</P> <P>You could generate the new cert in advance before you replace the current cert.&nbsp; You will get a duplicate CN commit warning, but nothing will be broken.&nbsp; You could then push the new CA to the clients to trust before the SSL/TLS Profile change.&nbsp; You could even use the Trusted Root CA box under the Portal Agent tab to have GP install the new CA on the clients.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Thu, 12 Jan 2023 23:25:29 GMT https://live.paloaltonetworks.com/t5/general-topics/certificate-ssl-self-signed-expired-gp-ssl-tls-profile-global/m-p/526861#M108881 TomYoung 2023-01-12T23:25:29Z https://live.paloaltonetworks.com/t5/general-topics/certificate-ssl-self-signed-expired-gp-ssl-tls-profile-global/m-p/526863#M108882 <P>As&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/77347">@TomYoung</a>&nbsp;suggested.</P> <P>1. Generate new CA cert on Palo.</P> <P>2. Push it to clients.</P> <P>3. Generate new cert and sign with CA cert from step 1.</P> <P>4. Configure new cert for portal and gateway.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Raido_Rattameister_0-1673567182597.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/46962i387273111EC588B4/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Raido_Rattameister_0-1673567182597.png" alt="Raido_Rattameister_0-1673567182597.png" /></span></P> <P>&nbsp;</P> Thu, 12 Jan 2023 23:46:31 GMT https://live.paloaltonetworks.com/t5/general-topics/certificate-ssl-self-signed-expired-gp-ssl-tls-profile-global/m-p/526863#M108882 Raido_Rattameister 2023-01-12T23:46:31Z https://live.paloaltonetworks.com/t5/general-topics/certificate-ssl-self-signed-expired-gp-ssl-tls-profile-global/m-p/550995#M112266 <P>Hello <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/15603">@Raido_Rattameister</a> ,</P> <P>There is 2 option only We need to push the certificate through GPO only or install manually in the user computers. Am i correct? Is there any other way to push certificate?</P> <P>&nbsp;</P> Wed, 26 Jul 2023 05:21:33 GMT https://live.paloaltonetworks.com/t5/general-topics/certificate-ssl-self-signed-expired-gp-ssl-tls-profile-global/m-p/550995#M112266 KhaleelE 2023-07-26T05:21:33Z