01-12-2023 02:21 PM
Hello Live Community, how are you doing?
I have the following doubt and concern:
If I have a PA configured with a self-signed SSL certificate for GlobalProtect use (in the SSL/TLS profile for GP), and that certificate is close to expiring.
All the workstations that have the GlobalProtect client have the certificate installed so that it is recognized as a trusted entity on the computers (since it is self-signed by the same PA).
Now, if I renew that self-signed certificate on the Palo Alto Networks firewall, will I have to download and reinstall that certificate on each workstation?
Granted, it's not best practice, but some clients, for better or worse, have it that way.
I think, and I want to confirm, that in theory when the renewal is done there will be a change in the self-signed certificate on the PA firewall, since its validity period is extended. Therefore I think that when the certificate expires, if the renewed certificate has not been installed, the connection from the workstations with the GlobalProtect client installed will not be allowed. So I think it will be necessary to download and install the certificate once the renewal is done.
Please share your comments, suggestions and tips regarding this.
Thanks for your time
Cheers
01-12-2023 03:25 PM
Hi @Metgatz ,
You could generate the new cert in advance before you replace the current cert. You will get a duplicate CN commit warning, but nothing will be broken. You could then push the new CA to the clients to trust before the SSL/TLS Profile change. You could even use the Trusted Root CA box under the Portal Agent tab to have GP install the new CA on the clients.
Thanks,
Tom
01-12-2023 03:46 PM
As @TomYoung suggested:
1. Generate new CA cert on Palo.
2. Push it to clients.
3. Generate new cert and sign with CA cert from step 1.
4. Configure new cert for portal and gateway.
07-25-2023 10:21 PM
Hello @Raido_Rattameister ,
There are only 2 options: we need to push the certificate through GPO or install it manually on the user computers. Am I correct? Is there any other way to push the certificate?