Globalprotect users cert renewal process?

cancel
Showing results for 
Search instead for 
Did you mean: 

Globalprotect users cert renewal process?

L4 Transporter

I have 20 GP users that has certificate check as first factor of authentication. The certs are set to expire in a month. If I renew the cert and export it to them on a USB stikc, will that break the connection until the certs are installed? What is the best way to refresh the certs on user machines?

 

Thanks.

7 REPLIES 7

L7 Applicator

Hi @SThatipelly .

a couple of questions...

 

are these individual users certs or 1 generic cert that covers all users.

 

is the root CA about to expire or just the user certs.

 

in general...   I would only use some form of PKI to distribute certificates but you may not have that option.   You can send new certs to users and tell them to install when they get a cert error or you can get them to install now but they will be asked to choose which one to use prior to expiry.

 

 

 

@MickBall 

are these individual users certs or 1 generic cert that covers all users.

          Individual users

 

is the root CA about to expire or just the user certs.

           Just the end user certs.

 

Our plan is to renew certificates on firewall, copy them to USB stick and ship it to end users. So, we anticipate at least a week from the time the cert is renewed on firewall to installation on end user device.

 

My question is : will Globalprotect gateway/portal accept the connection from user (with old cert) when a new certificate exists on firewall(renewed cert is not yet installed on user machine)?

I would say yes, as the auth process would not care about user certs sitting on the firewall as long as the ones on the device  matched the root cert used to generate them.

 

you will still of course be asked which certificate to use if you have 2 installed from the same root CA.

 

why not generate a new self signed CA and use this to generate user certs, export certs to users and get them to import.   This will not cause the user to choose certs on GP connection as only one is valid to the original root cert in the profile.  then just before expiry, edit the certificate profile and remove original cert and add new. This will then force GP to auto select the new cert as it will be the only one that is valid at that time.

Hmmmm... that may sound a bit confusing.....

Hmmmmm2. For 20 users, why not remote when user connected, remove old , add new, Bingo....

 

this will also rule out the possibility of the user installing the cert elsewhere....

@MickBall those users are isolated from business and I have no access into their machines. I think I will renew one user cert first, see how GP would behave and go about other users.

Sounds like a plan. Good idea...   i dont think you will have many major issues here...

 

Good Luck.....

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!