09-12-2025 03:27 AM
Dear All,
I need some immediate assistance with this.
Can anyone help me out?
We have a Palo Alto VPN Gateway at our office where clients connect to the internal network via Remote Access VPN. Recently the certificate expired; the following is what I did.
1. Generated a Private key using OpenSSL.
2. Generated a CSR using that Private key.
3. Submitted the private key to the public CA, and they returned 4 different certificate files (1. server certificate, 2. root certificate, 3. two intermediate certificates).
Also note that our old certificate was from the same CA.
4. I combined the private key + server certificate + root and 2 intermediate certificates into one PKCS12 file.
Now when I upload this file into the Palo Alto, it can't extract the root and intermediate certs automatically.
5. I combined the private key + server certificate and uploaded the root and intermediate certificates manually.
But when I change the SSL/TLS Service Profile to the new certificate, we are still unable to connect to the gateway.
Can anyone help me please? Is there something I missed entering, or is there something extra I have to do before we are able to establish a VPN connection to the gateway?
Please help me immediately.
Thank you.
Much appreciate it.
#certificate
#expiredCertificate
09-12-2025 05:27 AM
Hi @m.shah.alizada2000 ,
While your process seems correct, it's unclear to me where you're performing certain steps.
The CSR must be generated on the client firewall. You then get this CSR signed by the CA. Once you receive the signed certificate, you transfer it back to the satellite firewall. The satellite firewall then imports the signed certificate.
As an alternative method for deploying client certificates to satellites, you can also opt to configure your GP portal to act as a SCEP client to a SCEP server in your enterprise PKI:
That said, at this point a live debugging session with Support would likely be the most effective way to solve the problem. During a debugging session with Support you can verify the entire chain of trust: this includes confirming that the GP GW has the correct server certificate and that the satellite firewall trusts the CA that signed the GW's certificate, and pinpointing the exact reason for the authentication failure (e.g., certificate validation failure, wrong authentication method, or a policy misconfiguration). You can also verify that the correct client certificate is being used for authentication in the GlobalProtect configuration.
Kind regards,
-Kim.
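The steps listed in the original post (private key, CSR, PKCS#12 bundle with the chain) and the chain-of-trust checks Kim suggests can all be rehearsed offline before anything is uploaded to the firewall. The script below is an added example written for this thread; it is not code from either poster or from Palo Alto Networks. Because the real CA is not reachable from a test box, it builds a throwaway root and intermediate locally to stand in for the public CA, then runs the same OpenSSL commands a practitioner would use with the real certificates. The hostname vpn.example.com, the CA names, the export password and all file names are assumptions made for the example; OpenSSL 1.1.1 or newer is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example for this thread (not the poster's or Palo Alto's code).
# Rehearses key -> CSR -> signed cert -> chain check -> PKCS#12 against a
# locally constructed two-tier PKI so it runs offline.
set -e

WORK=$(mktemp -d)                 # scratch dir; inspect it afterwards if needed
P12_PASS=${P12_PASS:-changeit}    # assumed export password; use a real one in production

# Small req config so the example does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Constructed stand-in for the public CA: one self-signed root, one intermediate.
build_test_pki() {
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Root CA" -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Example Intermediate CA" -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/int.ext"
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
    -sha256 -days 1825 -extfile "$WORK/int.ext" -out "$WORK/int.crt" 2>/dev/null
}

# Steps 1 and 2 of the post: private key, then a CSR carrying the gateway FQDN as a SAN.
# Only the CSR is sent to the CA; the private key never leaves this machine.
gen_key_and_csr() {  # $1=key path  $2=csr path  $3=gateway FQDN
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
  openssl req -new -config "$WORK/req.cnf" -key "$1" -sha256 \
    -subj "/CN=$3" -addext "subjectAltName=DNS:$3" -out "$2" 2>/dev/null
}

# What the CA does with the CSR (constructed here; a real CA hands back the
# server certificate plus its intermediate(s) and root).
sign_with_test_ca() {  # $1=csr  $2=cert out  $3=gateway FQDN
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$3" > "$WORK/leaf.ext"
  openssl x509 -req -in "$1" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" -CAcreateserial \
    -sha256 -days 397 -extfile "$WORK/leaf.ext" -out "$2" 2>/dev/null
}

# Chain-of-trust check before touching the firewall: does the server cert chain
# to the root through the intermediate(s) you were given? Exit status 0 means yes.
verify_chain() {  # $1=server cert
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" "$1" >/dev/null
}

# The private key and the server certificate must carry the same public key;
# a mismatch is a common reason an imported cert cannot be selected or used.
key_matches_cert() {  # $1=key  $2=cert ; prints "match" or "mismatch"
  k=$(openssl pkey -in "$1" -pubout -outform DER | openssl sha256)
  c=$(openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -pubout -outform DER | openssl sha256)
  if [ "$k" = "$c" ]; then echo match; else echo mismatch; fi
}

# Step 4 of the post: key + server cert + intermediate(s) + root in one PKCS#12.
# OpenSSL 3 encrypts PKCS#12 with AES/PBKDF2 by default; set PKCS12_LEGACY=1 to
# produce the older RC2/3DES format for importers that only accept that.
build_pkcs12() {  # $1=key  $2=server cert  $3=p12 out
  cat "$WORK/int.crt" "$WORK/root.crt" > "$WORK/chain.pem"
  openssl pkcs12 -export ${PKCS12_LEGACY:+-legacy} -name "gp-gateway" \
    -inkey "$1" -in "$2" -certfile "$WORK/chain.pem" -passout "pass:$P12_PASS" -out "$3"
}

# Count the certificates packed into the PKCS#12: expect leaf + intermediate(s) + root.
count_p12_certs() {  # $1=p12
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$P12_PASS" ${PKCS12_LEGACY:+-legacy} | grep -c 'BEGIN CERTIFICATE'
}

# After switching the SSL/TLS Service Profile: list what the gateway really serves
# (needs network access; not run here). An old cert or a missing intermediate
# shows up immediately in the subject/issuer lines.
show_served_chain() {  # $1=host[:port], e.g. vpn.example.com:443
  openssl s_client -connect "$1" -servername "${1%%:*}" -showcerts </dev/null 2>/dev/null \
    | grep -E '^ +[0-9]+ s:|^ +i:'
}

build_test_pki
gen_key_and_csr "$WORK/gw.key" "$WORK/gw.csr" vpn.example.com
sign_with_test_ca "$WORK/gw.csr" "$WORK/gw.crt" vpn.example.com
verify_chain "$WORK/gw.crt"
echo "chain verifies to Example Root CA"
build_pkcs12 "$WORK/gw.key" "$WORK/gw.crt" "$WORK/gw.p12"
echo "certificates in PKCS#12: $(count_p12_certs "$WORK/gw.p12")"
echo "key/cert: $(key_matches_cert "$WORK/gw.key" "$WORK/gw.crt")"
```

With the real CA's files, replace build_test_pki and sign_with_test_ca with the certificates the CA returned (root in place of root.crt, both intermediates concatenated in place of int.crt) and keep the rest unchanged. If verify_chain fails or count_p12_certs reports fewer certificates than you expected, the problem is in the bundle, not the firewall; if both pass but clients still fail after the profile switch, show_served_chain against the gateway shows whether the new leaf and its intermediates are actually being presented.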