topic External Certificate Renewal in General Topics

External Certificate Renewal

ToddJohnsen — Tue, 07 Aug 2018 17:44:42 GMT

I can't for the life of me figure out the process to renew a certificate issued from an external CA. We have a cert purchased from Thawte for our Global Protect gateway. It will expire shortly and Thawte wants a csr file for the renewal. Selecting renew in the Certificates tab only allows me to select how many days, which is not helpful. I have gone through the online docs and find many options for a new cert, but nothing on the process to renew. Seems like I am missing something really simple.

Re: External Certificate Renewal

gwesson — Tue, 07 Aug 2018 17:54:01 GMT

It can be simple, but it depends on the CA. I'm not all that familiar with how Thawte works these days, but most public CAs have the option of just renewing now instead of having to submit a new CSR.

If you do have that option at Thawte, have them issue the new certificate to you. When you get the PEM or DER cert, just import it using the exact same name as the one you're renewing. When you do that, the import overwrites the public key only, leaving your existing private key in tact.

If Thawte requires a new CSR, then it gets more complicated. I find it easier to just generate a brand new CSR and just update the certificate profiles and such to the new cert. If you still have the original CSR you submitted to Thawte, you can actually resubmit that same one and the signed cert should import just fine.

Re: External Certificate Renewal

ToddJohnsen — Tue, 07 Aug 2018 18:01:18 GMT

Someone over in Contracts is doing the process. I feel like they only have ever done new certs so i am pushing back. Just needed to make sure I am not crazy. Once I figure it out I will post back to confirm.

Re: External Certificate Renewal

ToddJohnsen — Tue, 14 Aug 2018 15:50:13 GMT

So, turns out that Thawte and a few others really do require a full csr for renewal. My mistake was creating the cert on the Palo Alto itself.

Long story short, don't create an external cert that you plan to renew on the Palo Alto itself. I did find the original csr and did use it to create a new cert. Imported it over the old with the exact same name, but the commit failed due to key mismatch.

= Don't create external certificates on the Palo Alto =

I have installed openssl on a vm in order to create the cert from now on. I also documented the crap out of it since I will only do this every two years.

Again, Don't create external certificates on the Palo Alto.

In case you missed it, this was ridiculously over complicated. I finally found something to complain about with my Palo Alto. This would also explain why there is no documentation on this process at all.

Re: External Certificate Renewal

Sec101 — Thu, 11 Feb 2021 20:42:09 GMT

Let me add, that you will have to force users to reconnect after this change.