Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Certificate SSL Self Signed Expired GP SSL-TLS Profile Global Protect

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Certificate SSL Self Signed Expired GP SSL-TLS Profile Global Protect

L4 Transporter

Hello Live Community, how are you doing?

 

I have the following doubt and concern

 

If I have a PA configured with a Self Signed SSL certificate for Global Protect use, SSL/TLS profile for GP, and that certificate is is close to expiring.

 

All the workstations that have the global protect client, have the certificate installed, so that it is recognized as a trusted entity, in the computers (since it is self-signed by the same PA).

 

Now if I renew that certificate Self-Signed in the Palo Alto Networks Firewall, will I have to download and reinstall that certificate on each workstation?

 

Granted, it's not best practice, but some clients, for better or worse, have it that way.

 

I think and I want to confirm, in theory I think that when the renewal is done there will be a change, it will cause a change in the self-signed certificate in the FW PA, as is the extension of its period of validity, therefore I think that when the certificate expires and if not installed the certificate that has the time renewal, will not allow the connection to the workstations with the Global Protect client installed, therefore I think if it will be necessary to download and install the certificate once the renewal is done.

 

Please your comments, suggestions, tips regarding

 

Thanks for your time

 

Cheers 

High Sticker
3 REPLIES 3

Cyber Elite
Cyber Elite

Hi @Metgatz ,

 

You could generate the new cert in advance before you replace the current cert.  You will get a duplicate CN commit warning, but nothing will be broken.  You could then push the new CA to the clients to trust before the SSL/TLS Profile change.  You could even use the Trusted Root CA box under the Portal Agent tab to have GP install the new CA on the clients.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Cyber Elite
Cyber Elite

As @TomYoung suggested.

1. Generate new CA cert on Palo.

2. Push it to clients.

3. Generate new cert and sign with CA cert from step 1.

4. Configure new cert for portal and gateway.

 

Raido_Rattameister_0-1673567182597.png

 

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Hello @Raido_Rattameister ,

There is 2 option only We need to push the certificate through GPO only or install manually in the user computers. Am i correct? Is there any other way to push certificate?

 

  • 2602 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!