Rename CN name certificate GlobalProtect .
cancel
Showing results for 
Search instead for 
Did you mean: 

Rename CN name certificate GlobalProtect .

L2 Linker

Hi Team,

 

I have question, currently, on firewall PA-500, we do 2 gateway VPN. Its mean have 2 WAN(ISP).  So few users will use VPN via WAN1, and few users will use VPN via WAN2.  Existing VPN using WAN1. So certificate CN name(IP address) point to Gateway WAN1.  after added WAN2 and new gateway from WAN2. We notice have certificate mismatch when users try to connect GP VPN IP gateway WAN2.

So if I rename CN name of certificate from IP ADDRESS TO FQDN, have any charge from Palo Alto.? Or free to rename. not need to pay.?

 

Thanks.

1 ACCEPTED SOLUTION

Accepted Solutions

L6 Presenter

@abdulhakam ,

 

It seems you are using Palo Alto self signed certificate for your GP VPN. For VPN 2, you can generate new certificate and use it in new ssl profile. This profile can be used for VPN2.

 

If you are trying to change CN of existing self signed certificate, may be system won't allow you to change it. Best way is to generate new cert and use it for VPN2.

 

There shouldn't be any cost or charges involved in this.

 

Hope it helps!

Mayur

Mayur S.

View solution in original post

5 REPLIES 5

L6 Presenter

@abdulhakam ,

 

It seems you are using Palo Alto self signed certificate for your GP VPN. For VPN 2, you can generate new certificate and use it in new ssl profile. This profile can be used for VPN2.

 

If you are trying to change CN of existing self signed certificate, may be system won't allow you to change it. Best way is to generate new cert and use it for VPN2.

 

There shouldn't be any cost or charges involved in this.

 

Hope it helps!

Mayur

Mayur S.

View solution in original post

Hi @SutareMayur 

Thanks For Answer,

 

Yes, I can't rename the CN existing. I will generate new certificate and CN name will be FQDN not IP Address.

 

It will work if i have using two gateway(VPN1 and VPN2) using CN name FQDN.?

 

Thanks

@abdulhakam ,

 

Yes it will work using certificate which is generated for FQDN as well. If you are using FQDN to connect GP then that certificate will get accepted and trust will be build. If you are using IP address to connect GP and certificate used is generated for CN as FQDN then there will be mismatch. So you need to check in this regard also.

 

Mayur

Mayur S.

Hi @SutareMayur  ,

 

"Best way is to generate new cert and use it for VPN2."

 

U mean generate new cert and setup same like existing cert. I mean setup From A to Z.. 

like this https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFoCAK


@abdulhakam,

 

Yes, you can generate new certificate on Palo Alto. Then create new SSL/TLS profile and map that certificate in it. You can use this SSL/TLS profile for VPN2.

 

Mayur

Mayur S.
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!