02-23-2021 08:23 AM
I have 20 GP users that have certificate check as the first factor of authentication. The certs are set to expire in a month. If I renew the cert and export it to them on a USB stick, will that break the connection until the certs are installed? What is the best way to refresh the certs on user machines?
Thanks.
02-23-2021 11:39 AM - edited 02-23-2021 11:43 AM
Hi @SThatipelly .
A couple of questions...
Are these individual user certs or 1 generic cert that covers all users?
Is the root CA about to expire or just the user certs?
In general... I would only use some form of PKI to distribute certificates, but you may not have that option. You can send new certs to users and tell them to install when they get a cert error, or you can get them to install now, but they will be asked to choose which one to use prior to expiry.
02-23-2021 11:47 AM
Are these individual user certs or 1 generic cert that covers all users?
Individual users
Is the root CA about to expire or just the user certs?
Just the end user certs.
Our plan is to renew certificates on the firewall, copy them to a USB stick and ship it to end users. So, we anticipate at least a week from the time the cert is renewed on the firewall to installation on the end user device.
My question is: will the GlobalProtect gateway/portal accept the connection from a user (with the old cert) when a new certificate exists on the firewall (renewed cert is not yet installed on the user machine)?
02-23-2021 12:45 PM
I would say yes, as the auth process would not care about user certs sitting on the firewall as long as the ones on the device matched the root cert used to generate them.
You will still of course be asked which certificate to use if you have 2 installed from the same root CA.
Why not generate a new self-signed CA and use this to generate user certs, export certs to users and get them to import? This will not cause the user to choose certs on GP connection, as only one is valid to the original root cert in the profile. Then just before expiry, edit the certificate profile, remove the original cert and add the new one. This will then force GP to auto-select the new cert, as it will be the only one that is valid at that time.
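As an added illustration of the two-CA rollover described in the reply above (this is not code from the thread or from Palo Alto Networks), the script below builds a throwaway "old" CA and "new" CA with openssl, issues a user cert from each, and then checks what a certificate profile trusting one CA would accept. The CA and user names, the validity periods, and the working directory are all constructed for the demo; the only real behaviour it relies on is `openssl verify`, which performs the same chain check a certificate profile does, and `openssl x509 -checkend`, which is a convenient way to confirm how long the old user certs have left.

```shell
#!/bin/sh
# Added example, not from the thread: simulate swapping the trusted CA in a
# certificate profile while two user certs (old CA, new CA) sit on a client.
set -e
WORK="${WORK:-$(mktemp -d)}"      # constructed scratch directory
cd "$WORK"

# Create a self-signed CA: $1 = name, $2 = validity in days
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.crt" \
    -days "$2" -subj "/CN=$1" >/dev/null 2>&1
}

# Issue a user cert from a CA: $1 = CA name, $2 = user, $3 = validity in days
# The client-side cert is written as "<user>-<ca>.crt".
issue_user_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout "$2-$1.key" -out "$2-$1.csr" \
    -subj "/CN=$2" >/dev/null 2>&1
  openssl x509 -req -in "$2-$1.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
    -out "$2-$1.crt" -days "$3" >/dev/null 2>&1
}

# Same test a certificate profile applies: does the user cert chain to this CA?
# $1 = user cert file, $2 = CA cert file; exit 0 = accepted, 1 = rejected
profile_accepts() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Exit 0 if the cert is still valid $2 seconds from now (useful for a
# "which users are about to expire" sweep on the exported certs)
valid_for() {
  openssl x509 -in "$1" -checkend "$2" -noout >/dev/null 2>&1
}

# Build the fixtures: old CA with a 30-day user cert (the "expiring in a
# month" case from the question) and a new CA with a fresh 365-day user cert.
rollover_demo() {
  make_ca oldca 3650
  make_ca newca 3650
  issue_user_cert oldca alice 30
  issue_user_cert newca alice 365

  echo "Profile trusts oldca:"
  profile_accepts alice-oldca.crt oldca.crt && echo "  alice-oldca.crt accepted"
  profile_accepts alice-newca.crt oldca.crt || echo "  alice-newca.crt rejected (expected)"

  echo "Profile edited to trust newca instead:"
  profile_accepts alice-oldca.crt newca.crt || echo "  alice-oldca.crt rejected (expected)"
  profile_accepts alice-newca.crt newca.crt && echo "  alice-newca.crt accepted"

  # 40 days out the old cert is gone; the new one is fine
  valid_for alice-oldca.crt $((40 * 86400)) || echo "old user cert will have expired in 40 days"
  valid_for alice-newca.crt $((40 * 86400)) && echo "new user cert still valid in 40 days"
}

rollover_demo
```

Because only one of the two client certs chains to whichever CA the profile trusts at any moment, the client is never offered a choice; swapping the CA in the profile is what moves users from the old cert to the new one, and the `valid_for` check gives you a quick way to confirm nobody is cut off before that swap happens.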
02-23-2021 12:48 PM
Hmmmm... that may sound a bit confusing.....
02-23-2021 01:01 PM - edited 02-23-2021 01:02 PM
Hmmmmm2. For 20 users, why not remote in when the user is connected, remove old, add new, Bingo....
This will also rule out the possibility of the user installing the cert elsewhere....
02-23-2021 01:16 PM
@Mick_Ball those users are isolated from business and I have no access into their machines. I think I will renew one user cert first, see how GP would behave and go about other users.
02-23-2021 01:25 PM
Sounds like a plan. Good idea... I don't think you will have many major issues here...
Good Luck.....