External Certificate Renewal


L2 Linker

I can't for the life of me figure out the process to renew a certificate issued from an external CA. We have a cert purchased from Thawte for our GlobalProtect gateway. It will expire shortly and Thawte wants a CSR file for the renewal. Selecting renew in the Certificates tab only allows me to select how many days, which is not helpful. I have gone through the online docs and find many options for a new cert, but nothing on the process to renew. Seems like I am missing something really simple.


L7 Applicator

It can be simple, but it depends on the CA. I'm not all that familiar with how Thawte works these days, but most public CAs have the option of just renewing now instead of having to submit a new CSR.


If you do have that option at Thawte, have them issue the new certificate to you. When you get the PEM or DER cert, just import it using the exact same name as the one you're renewing. When you do that, the import overwrites the public key only, leaving your existing private key intact.


If Thawte requires a new CSR, then it gets more complicated. I find it easier to generate a brand new CSR and just update the certificate profiles and such to the new cert. If you still have the original CSR you submitted to Thawte, you can actually resubmit that same one and the signed cert should import just fine.

Someone over in Contracts is doing the process. I feel like they have only ever done new certs, so I am pushing back. Just needed to make sure I am not crazy. Once I figure it out I will post back to confirm.

So, turns out that Thawte and a few others really do require a full CSR for renewal. My mistake was creating the cert on the Palo Alto itself.


Long story short, don't create an external cert that you plan to renew on the Palo Alto itself. I did find the original CSR and did use it to create a new cert. Imported it over the old with the exact same name, but the commit failed due to key mismatch.


= Don't create external certificates on the Palo Alto =


I have installed OpenSSL on a VM in order to create the cert from now on. I also documented the crap out of it since I will only do this every two years.


Again, Don't create external certificates on the Palo Alto.


In case you missed it, this was ridiculously overcomplicated. I finally found something to complain about with my Palo Alto. This would also explain why there is no documentation on this process at all.

Let me add, that you will have to force users to reconnect after this change.
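The off-box workflow the thread ends up recommending, as an added example that is not part of the original posts or of any Palo Alto Networks documentation: the private key and CSR are generated with OpenSSL on a separate VM, the CSR is signed (here by a throwaway stand-in CA, since the real signing happens at the public CA), and before anything is imported to the firewall the public key in the returned certificate is compared against the private key on disk. That last check is the one that would have caught the "key mismatch" commit failure described above, because a cert signed from a CSR whose key never left the firewall cannot be paired with a key generated elsewhere. The file names, the subject, the gateway FQDN `gp.example.com`, the stand-in CA and the PKCS#12 password are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original thread. Generate the GlobalProtect
# gateway key and CSR off-box, simulate CA issuance, and verify key/cert
# agreement before import. Paths, subject and the stand-in CA are assumed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SUBJ="/C=US/O=Example Corp/CN=gp.example.com"   # assumed gateway FQDN

# 1. Key and CSR are created on the VM, never on the firewall.
#    Keep gp.key safe: every future renewal CSR must be made from it.
gen_key_and_csr() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/gp.key" 2>/dev/null
    openssl req -new -key "$WORK/gp.key" -subj "$SUBJ" \
        -addext "subjectAltName=DNS:gp.example.com" \
        -out "$WORK/gp.csr" 2>/dev/null
}

# 2. Stand-in for the public CA (Thawte in the thread): a throwaway root
#    signs the CSR. In real life this step is the CA's, not yours.
issue_cert() {   # $1 = CSR path, $2 = output cert path
    [ -f "$WORK/ca.key" ] || openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -days 30 \
        -subj "/CN=Stand-in CA" 2>/dev/null
    openssl x509 -req -in "$1" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -out "$2" 2>/dev/null
}

# 3. SHA-256 of the DER-encoded public key, taken from a private key,
#    a CSR, or a certificate. Equal digests mean the same key pair.
pubkey_fingerprint() {   # $1 = key|csr|cert, $2 = file
    case "$1" in
        key)  openssl pkey -in "$2" -pubout -outform DER ;;
        csr)  openssl req  -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER ;;
        cert) openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER ;;
    esac 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# Returns 0 when the private key matches the certificate, 1 otherwise.
# Run this before importing; a mismatch here is a commit failure later.
key_matches_cert() {   # $1 = private key, $2 = certificate
    [ "$(pubkey_fingerprint key "$1")" = "$(pubkey_fingerprint cert "$2")" ]
}

# 4. Bundle key + cert + issuing chain as PKCS#12 for import to the firewall.
#    Password is an assumed placeholder; use a real one outside the example.
build_p12() {   # $1 = key, $2 = cert, $3 = chain, $4 = output .p12
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
        -passout pass:ChangeMe123 -out "$4" 2>/dev/null
}

demo() {
    gen_key_and_csr
    issue_cert "$WORK/gp.csr" "$WORK/gp.crt"
    # A second key stands in for one generated on the firewall itself.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/firewall.key" 2>/dev/null
    if key_matches_cert "$WORK/gp.key" "$WORK/gp.crt"; then
        echo "gp.key matches gp.crt: safe to import"
        build_p12 "$WORK/gp.key" "$WORK/gp.crt" "$WORK/ca.crt" "$WORK/gp.p12"
    fi
    if ! key_matches_cert "$WORK/firewall.key" "$WORK/gp.crt"; then
        echo "firewall.key does not match gp.crt: the commit would fail"
    fi
}

demo
```

For a renewal, `gen_key_and_csr` is replaced by `openssl req -new -key gp.key ...` against the kept key, and the same `key_matches_cert` check is run on the renewed certificate; if the CA's portal reissues without a CSR, the returned cert still has to pass this check against whatever key the firewall holds.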
