https://live.paloaltonetworks.com/t5/general-topics/globalprotect-users-cert-renewal-process/m-p/387487#M90382 <P>Sounds like a plan. Good idea... &nbsp; i dont think you will have many major issues here...</P><P>&nbsp;</P><P>Good Luck.....</P> Tue, 23 Feb 2021 21:25:11 GMT Mick_Ball 2021-02-23T21:25:11Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-users-cert-renewal-process/m-p/387415#M90369 <P>I have 20 GP users that has certificate check as first factor of authentication. The certs are set to expire in a month. If I renew the cert and export it to them on a USB stikc, will that break the connection until the certs are installed? What is the best way to refresh the certs on user machines?</P><P>&nbsp;</P><P>Thanks.</P> Tue, 23 Feb 2021 16:23:39 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-users-cert-renewal-process/m-p/387415#M90369 SThatipelly 2021-02-23T16:23:39Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-users-cert-renewal-process/m-p/387453#M90370 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/70284">@SThatipelly</a>&nbsp;.</P><P>a couple of questions...</P><P>&nbsp;</P><P>are these individual users certs or 1 generic cert that covers all users.</P><P>&nbsp;</P><P>is the root CA about to expire or just the user certs.</P><P>&nbsp;</P><P>in general... &nbsp; I would only use some form of PKI to distribute certificates but you may not have that option. &nbsp; You can send new certs to users and tell them to install when they get a cert error or you can get them to install now but they will be asked to choose which one to use prior to expiry.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 23 Feb 2021 19:43:15 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-users-cert-renewal-process/m-p/387453#M90370 Mick_Ball 2021-02-23T19:43:15Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-users-cert-renewal-process/m-p/387458#M90371 <P><EM><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/9981">@Mick_Ball</a>&nbsp; </EM></P><P><EM>are these individual users certs or 1 generic cert that covers all users.</EM></P><P>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Individual users</P><P>&nbsp;</P><P><EM>is the root CA about to expire or just the user certs.</EM></P><P>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Just the end user certs.</P><P>&nbsp;</P><P>Our plan is to renew certificates on firewall, copy them to USB stick and ship it to end users. So, we anticipate at least a week from the time the cert is renewed on firewall to installation on end user device.</P><P>&nbsp;</P><P>My question is : will Globalprotect gateway/portal accept the connection from user (with old cert) when a new certificate exists on firewall(renewed cert is not yet installed on user machine)?</P> Tue, 23 Feb 2021 19:47:10 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-users-cert-renewal-process/m-p/387458#M90371 SThatipelly 2021-02-23T19:47:10Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-users-cert-renewal-process/m-p/387471#M90372 <P>I would say yes, as the auth process would not care about user certs sitting on the firewall as long as the ones on the device &nbsp;matched the root cert used to generate them.</P><P>&nbsp;</P><P>you will still of course be asked which certificate to use if you have 2 installed from the same root CA.</P><P>&nbsp;</P><P>why not generate a new self signed CA and use this to generate user certs, export certs to users and get them to import. &nbsp; This will not cause the user to choose certs on GP connection as only one is valid to the original root cert in the profile. &nbsp;then just before expiry, edit the certificate profile and remove original cert and add new. This will then force GP to auto select the new cert as it will be the only one that is valid at that time.</P> Tue, 23 Feb 2021 20:45:23 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-users-cert-renewal-process/m-p/387471#M90372 Mick_Ball 2021-02-23T20:45:23Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-users-cert-renewal-process/m-p/387472#M90373 <P>Hmmmm... that may sound a bit confusing.....</P> Tue, 23 Feb 2021 20:48:30 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-users-cert-renewal-process/m-p/387472#M90373 Mick_Ball 2021-02-23T20:48:30Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-users-cert-renewal-process/m-p/387475#M90376 <P>Hmmmmm2. For 20 users, why not remote when user connected, remove old , add new, Bingo....</P><P>&nbsp;</P><P>this will also rule out the possibility of the user installing the cert elsewhere....</P> Tue, 23 Feb 2021 21:02:51 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-users-cert-renewal-process/m-p/387475#M90376 Mick_Ball 2021-02-23T21:02:51Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-users-cert-renewal-process/m-p/387485#M90380 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/9981">@Mick_Ball</a>&nbsp;those users are isolated from business and I have no access into their machines. I think I will renew one user cert first, see how GP would behave and go about other users.</P> Tue, 23 Feb 2021 21:16:05 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-users-cert-renewal-process/m-p/387485#M90380 SThatipelly 2021-02-23T21:16:05Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-users-cert-renewal-process/m-p/387487#M90382 <P>Sounds like a plan. Good idea... &nbsp; i dont think you will have many major issues here...</P><P>&nbsp;</P><P>Good Luck.....</P> Tue, 23 Feb 2021 21:25:11 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-users-cert-renewal-process/m-p/387487#M90382 Mick_Ball 2021-02-23T21:25:11Z