How to Renew Certificates for GlobalProtect Devices

Reply
L2 Linker

How to Renew Certificates for GlobalProtect Devices

 

Hi all,

 

I want to renew the expiration date of the certificates for my globalprotect devices. The firewall is the CA that issued the certificates.

 

My question is whether I have to export and import the certificates after renewing them by following the steps on this article: 

https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/certificate-management/revoke-and-re...

 

I don´t know if the certificates renewal requires any installation or the changes will be reflected in the devices without installation. 

 

Many thanks in advance,

Marcos

L4 Transporter

Re: How to Issue Certificates to GlobalProtect Devices

 

Hi Marcos,

 

There are two possibilities for which you may be using the Device (locally) generated certificate :

 

1.  Server Certificate for Portal and Gateway : In this case the signing CA cert is still the same and has not changed.

     Hence the end users would still be able to validate the new server certificates as they have the signing CA cert.

 

2.  Client Certificate for Authentication of End users : If this certificate has expired and renewed then it needs to be imported 

     on the local devices (clients). If not, they would not authenticate the local machine due to expiry.

 

 

Highlighted
L2 Linker

Re: How to Issue Certificates to GlobalProtect Devices

Hello Syadav,

 

Many thanks for your answer.

 

Just two last questions:

 

1) In the end users can the new certificate overwrite the old one or is it necessary to remove the old certificate before installing the new one??

 

2) If I want to renew the expiration date of the CA root certificate which signed the server and client certificates I guess that I need to export this one to the end users as well, right??

 

 

Thanks and Regards,

Marcos.

L4 Transporter

Re: How to Issue Certificates to GlobalProtect Devices

 

Hi Marcos,

 

Please find the answers to your questions below :

 

1) I would recommend you to remove the older certificate from the personal store and add the new one. Certificate management is usually done with GPO, you may use the same to deploy/withdraw the certs.

 

2) Yes, in case the signing CA certificate is renewed, it needs to be imported on the client machines and added in the Trusted     Root CA store.

 

Please mark as a solution if it resolves your problem.

L2 Linker

Re: How to Issue Certificates to GlobalProtect Devices

Hi Syadav,

 

Thanks a lot for your help.

 

Regards,

Marcos.

L4 Transporter

Re: How to Issue Certificates to GlobalProtect Devices

Hi Marcos,

 

Thanks for your response.

Also make sure that if the Client certificate is generated on firewall you export it in format PKCS12.

 

If this advice helps your case, please mark it as a solution so that it may help others.

 

 

 

 

 

 

 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!