https://live.paloaltonetworks.com/t5/general-topics/how-to-renew-certificates-for-globalprotect-devices/m-p/71128#M40695 <P>Hello Syadav,</P> <P>&nbsp;</P> <P>Many thanks for your answer.</P> <P>&nbsp;</P> <P>Just two last questions:</P> <P>&nbsp;</P> <P>1) In the end users can the new certificate overwrite the old one or is it necessary to remove the old certificate before installing the new one??</P> <P>&nbsp;</P> <P>2) If I want to renew the expiration date of the CA root certificate which signed the server and client certificates I guess that I need to export this one to the end users as well, right??</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Thanks and Regards,</P> <P>Marcos.</P> Mon, 18 Jan 2016 18:57:22 GMT Carracido 2016-01-18T18:57:22Z https://live.paloaltonetworks.com/t5/general-topics/how-to-renew-certificates-for-globalprotect-devices/m-p/71122#M40691 <P>&nbsp;</P> <P>Hi all,</P> <P>&nbsp;</P> <P>I want to renew the expiration date of the certificates for my globalprotect devices. T<SPAN>he firewall is the CA that issued the certificates.</SPAN></P> <P>&nbsp;</P> <P><SPAN>My question is whether I have to export and import the certificates after renewing them by following the steps on this article:&nbsp;</SPAN></P> <P><SPAN><A href="https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/certificate-management/revoke-and-renew-certificates.html" target="_blank">https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/certificate-management/revoke-and-renew-certificates.html</A></SPAN></P> <P>&nbsp;</P> <P><SPAN>I don´t know if the certificates renewal requires any installation or the changes will be reflected in the devices without installation.&nbsp;</SPAN></P> <P>&nbsp;</P> <P>Many thanks in advance,</P> <P>Marcos</P> Mon, 18 Jan 2016 19:39:12 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-renew-certificates-for-globalprotect-devices/m-p/71122#M40691 Carracido 2016-01-18T19:39:12Z https://live.paloaltonetworks.com/t5/general-topics/how-to-renew-certificates-for-globalprotect-devices/m-p/71126#M40694 <P>&nbsp;</P> <P>Hi Marcos,</P> <P>&nbsp;</P> <P>There are two possibilities for which you may be using the Device (locally) generated certificate :</P> <P>&nbsp;</P> <P>1. &nbsp;Server Certificate for Portal and Gateway : In this case the signing CA cert is still the same and has not changed.</P> <P>&nbsp; &nbsp; &nbsp;Hence the end users would still be able to validate the new server certificates as they have the signing CA cert.</P> <P>&nbsp;</P> <P>2. &nbsp;Client Certificate for Authentication of End users : If this certificate has expired and renewed then it needs to be imported&nbsp;</P> <P>&nbsp; &nbsp; &nbsp;on the local devices (clients). If not, they would not authenticate the local machine due to expiry.</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 18 Jan 2016 16:37:16 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-renew-certificates-for-globalprotect-devices/m-p/71126#M40694 syadav 2016-01-18T16:37:16Z https://live.paloaltonetworks.com/t5/general-topics/how-to-renew-certificates-for-globalprotect-devices/m-p/71128#M40695 <P>Hello Syadav,</P> <P>&nbsp;</P> <P>Many thanks for your answer.</P> <P>&nbsp;</P> <P>Just two last questions:</P> <P>&nbsp;</P> <P>1) In the end users can the new certificate overwrite the old one or is it necessary to remove the old certificate before installing the new one??</P> <P>&nbsp;</P> <P>2) If I want to renew the expiration date of the CA root certificate which signed the server and client certificates I guess that I need to export this one to the end users as well, right??</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Thanks and Regards,</P> <P>Marcos.</P> Mon, 18 Jan 2016 18:57:22 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-renew-certificates-for-globalprotect-devices/m-p/71128#M40695 Carracido 2016-01-18T18:57:22Z https://live.paloaltonetworks.com/t5/general-topics/how-to-renew-certificates-for-globalprotect-devices/m-p/71148#M40703 <P>&nbsp;</P> <P>Hi Marcos,</P> <P>&nbsp;</P> <P>Please find the answers to your questions below :</P> <P>&nbsp;</P> <P>1) I would recommend you to remove the older certificate from the personal store and add the new one. Certificate management is usually done with GPO, you may use the same to deploy/withdraw the certs.</P> <P>&nbsp;</P> <P>2) Yes, in case the signing CA certificate is renewed, it needs to be imported on the client machines and added in the Trusted &nbsp; &nbsp; Root CA store.</P> <P>&nbsp;</P> <P>Please mark as a solution if it resolves your problem.</P> Tue, 19 Jan 2016 13:39:36 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-renew-certificates-for-globalprotect-devices/m-p/71148#M40703 syadav 2016-01-19T13:39:36Z https://live.paloaltonetworks.com/t5/general-topics/how-to-renew-certificates-for-globalprotect-devices/m-p/71193#M40716 <P>Hi Syadav,</P> <P>&nbsp;</P> <P>Thanks a lot for your help.</P> <P>&nbsp;</P> <P>Regards,</P> <P>Marcos.</P> Tue, 19 Jan 2016 15:44:03 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-renew-certificates-for-globalprotect-devices/m-p/71193#M40716 Carracido 2016-01-19T15:44:03Z https://live.paloaltonetworks.com/t5/general-topics/how-to-renew-certificates-for-globalprotect-devices/m-p/71196#M40719 <P>Hi Marcos,</P> <P>&nbsp;</P> <P>Thanks for your response.</P> <P>Also make sure that if the Client certificate is generated on firewall you export it in format PKCS12.</P> <P>&nbsp;</P> <P>If this advice helps your case, please mark it as a solution so that it may help others.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 19 Jan 2016 15:51:35 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-renew-certificates-for-globalprotect-devices/m-p/71196#M40719 syadav 2016-01-19T15:51:35Z https://live.paloaltonetworks.com/t5/general-topics/how-to-renew-certificates-for-globalprotect-devices/m-p/329512#M83646 <P>&nbsp;</P><P>Hey&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/24977">@Carracido</a>&nbsp;</P><P>&nbsp;</P><P>I know it's been a while since you've made this post, so I hope this message finds you well.</P><P>&nbsp;</P><P>Since the certificates were generated on the firewall, we have the ability to renew them directly from the PAN-OS without having to re-deploy them.</P><P>&nbsp;</P><P>I've included the document explaining this in further detail below for your reference.&nbsp;</P><P>&nbsp;</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POioCAG" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POioCAG</A></P><P>&nbsp;</P><P>Stay safe and have a great day!</P><P>&nbsp;</P><P>-Cheers</P> Fri, 22 May 2020 23:27:26 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-renew-certificates-for-globalprotect-devices/m-p/329512#M83646 trivers01 2020-05-22T23:27:26Z https://live.paloaltonetworks.com/t5/general-topics/how-to-renew-certificates-for-globalprotect-devices/m-p/391709#M90802 <P>If we renewed self-signed cert , will be able to connect GP with expired self-signed cert already installed in user machine ?</P><P>&nbsp;</P><P>We are able to get certificate warning while connecting GP on new machine.</P><P>&nbsp;</P><P>But on already installed machine its giving server certificate not found error.&nbsp; Also we have enabled installed certificate in trusted root store in Global Protect Portal &gt; Agent but no luck.</P><P>Do we require to remove gateway address from GP client and need to reconnect ? in order to get certificate warning or to get renewed cert automatically installed on user machine.</P><P>&nbsp;</P><P>If we install renewed certificate on user machine then we are able to connect GP.</P><P>&nbsp;</P> Wed, 17 Mar 2021 13:10:32 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-renew-certificates-for-globalprotect-devices/m-p/391709#M90802 Deepak_K 2021-03-17T13:10:32Z