topic VPN certificate expires in General Topics

VPN certificate expires

MPI-AE — Thu, 19 Jul 2018 11:15:25 GMT

Hey!

My firewall is a PA-3020 with 8.0.7. There is a Global Protect gateway and portal, users can connect via Global Protect.

As portal address in the global protect app, we are using an address that is availabe in public dns.

Additionally, there is a public signed certificate. When I do https://portal-address in a browser, I can see that the certificate expires tomorrow.

Can someone tell me what to do now?

Do I have to make a CSR? And where do I have to replace the certificate?

Thank you!

Re: VPN certificate expires

JoeAndreini — Thu, 19 Jul 2018 11:34:32 GMT

Under Network -> GlobalProtect -> Portals -> (Your portal) -> Authentication, take note of the SSL/TLS Service Profile

You should probably do the same for your Gateway, in case it is different

Under Device -> Certificate Management -> SSL/TLS Service Profile -> (Profile from above), take note of the certificate

This is the certificate used by your Portal or Gateway

Under Device -> Certificate Management -> Certificates, locate this certificate, and click "renew" at the bottom of the screen to generate a new CSR, export the CSR, submit it to your CA, Import the new certificate (and signing chain, if it changes)

Update the SSL/TLS Service Profile(s) with the new certificate(s)

you can see the expiration dates of any certificates you have on teh Certificates page, in case any more are expiring soon. It often takes a few days to renew a certificate so it pays to be pro-active here

Re: VPN certificate expires

MPI-AE — Thu, 19 Jul 2018 12:07:42 GMT

Thank you, how much days am I supposed to extend the certificate?

Re: VPN certificate expires

JoeAndreini — Thu, 19 Jul 2018 13:32:34 GMT

Typical would be one or two years, sometimes three. That is really a policy question for the business - in theory having a certificate out there longer is a risk, but it is more convenient, and usually less expensive per year. The number of days in your CSR is typically ignored by the CA and replaced with whatever you pay them for.

Re: VPN certificate expires

MPI-AE — Thu, 19 Jul 2018 13:36:39 GMT

Thank you!

I did the whole procedure and vpn still works.

When I imported the signed certficate, I imported the server certificate itself, not with the complete ca chain.

Under Device -> Certificates, the certificate appears as single certificate, without the ca chain.

Is that a problem?

Re: VPN certificate expires

JoeAndreini — Thu, 19 Jul 2018 14:24:47 GMT

it can be. your CA should have a package you can download with the root and intermediate certificates you can import to complete the chain.

Re: VPN certificate expires

MPI-AE — Thu, 19 Jul 2018 14:30:52 GMT

Yes, there is such a package.

Does the firewall automatically link this package with the new server certificate?

Re: VPN certificate expires

JoeAndreini — Thu, 19 Jul 2018 16:13:58 GMT

Unzip the package and import the certificates just as you did the server (your GP certificate) certificate, it will show a "tree" with the root and intermediate automatically, based on the information in the server cert.