This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Certificate SSL Self Signed Expired GP SSL-TLS Profile Global Protect

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Certificate SSL Self Signed Expired GP SSL-TLS Profile Global Protect

Metgatz
L4 Transporter

‎01-12-2023 02:21 PM

Hello Live Community, how are you doing?

 

I have the following doubt and concern

 

If I have a PA configured with a Self Signed SSL certificate for Global Protect use, SSL/TLS profile for GP, and that certificate is is close to expiring.

 

All the workstations that have the global protect client, have the certificate installed, so that it is recognized as a trusted entity, in the computers (since it is self-signed by the same PA).

 

Now if I renew that certificate Self-Signed in the Palo Alto Networks Firewall, will I have to download and reinstall that certificate on each workstation?

 

Granted, it's not best practice, but some clients, for better or worse, have it that way.

 

I think and I want to confirm, in theory I think that when the renewal is done there will be a change, it will cause a change in the self-signed certificate in the FW PA, as is the extension of its period of validity, therefore I think that when the certificate expires and if not installed the certificate that has the time renewal, will not allow the connection to the workstations with the Global Protect client installed, therefore I think if it will be necessary to download and install the certificate once the renewal is done.

 

Please your comments, suggestions, tips regarding

 

Thanks for your time

 

Cheers 

High Sticker
0 Likes Likes
3 REPLIES 3

TomYoung
Cyber Elite
Cyber Elite

‎01-12-2023 03:25 PM

Hi @Metgatz ,

 

You could generate the new cert in advance before you replace the current cert.  You will get a duplicate CN commit warning, but nothing will be broken.  You could then push the new CA to the clients to trust before the SSL/TLS Profile change.  You could even use the Trusted Root CA box under the Portal Agent tab to have GP install the new CA on the clients.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Raido_Rattameister
Cyber Elite
Cyber Elite

‎01-12-2023 03:46 PM

As @TomYoung suggested.

1. Generate new CA cert on Palo.

2. Push it to clients.

3. Generate new cert and sign with CA cert from step 1.

4. Configure new cert for portal and gateway.

 

Raido_Rattameister_0-1673567182597.png

 

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

KhaleelE
L3 Networker
In response to Raido_Rattameister

‎07-25-2023 10:21 PM

Hello @Raido_Rattameister ,

There is 2 option only We need to push the certificate through GPO only or install manually in the user computers. Am i correct? Is there any other way to push certificate?

 

0 Likes Likes
  • 1769 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks