This Nominated Discussion Article is based on the post "How to Renew Global Protect VPN certificate signed by third party vendor? " by @tthapa23 and answered by Cyber Elite @aleksandar.astardzhiev!
Our Global Protect VPN certificate is expiring soon, How to renew it? We use a certificate signed by a third-party vendor GoDaddy. Is there any document on how to do an upgrade correctly? is there downtime needed for this?
No downtime is expected for such change, but I would still suggest to plan a maintenance, just to let other teams/support informed that such change will take place.
Certificate replacement is pretty straightforward. There are some extra steps depending if generate the CSR on the firewall and sending it to GoDaddy to sign it, or the CSR is generated outside of the firewall and you just import the cert and private key to the firewall:
A) Import cert and key to the firewall:
1. Import the renewed certificate, including the private key. From GUI Device ->Certificate Management -> Certificates -> Import
2. You need to give the certificate different name (not different CN, but different name that FW will refer to. I usually name it <old-cert-name>_new (just "_new" prefix at the end of the old cert name)
3. Update the SSL/TLS certificate profile that is used for GP to use the new certificate. From GUI: Device -> Certificate Management -> SSL/TLS Service Profile. Edit your existing profile used by the GP by selecting the new cert from the dropdown.
4. Commit the change and verify GP is now using the new certificate - Just open GP portal URL with web browser and check the provided certificate (note if you have disabled GP portal login page you will see a blank page, that is ok, but you should will be able to see SSL negotiated and the server certificate)
5. Delete the old certificate. After that rename new certificate by removing the _new prefix and commit again (FW will automatically update the cert name in SSL/TLS service profile).
B) Generate CSR on the firewall
1. Generate CSR. From GUI Device ->Certificate Management -> Certificates -> Generate
2. Select External (CSR) for "signed by". Populate the rest as per your certificate requirements and click OK.
3. You will see your new certificate in the list with status "pending". Click on it and click Export (this will download the CSR)
4. Send the .csr to GoDaddy to sign it. You should receive .cer or .pem or .crt
5. Import the received certificate. From GUI Device ->Certificate Management -> Certificates -> Import. Important: when importing the cert you need to use exactly the same name that you used for creating the CSR. If the names does not match import will fail with error.
6. When cert is imported you will see the status changing from "pending" to "valid".
7. From there follow the exact same steps as with above option, starting from step 3.
