09-12-2025 03:27 AM
Dear All,
I need some immediate assistance with this.
Can anyone help me out?
We have a Palo Alto VPN Gateway at our office where clients connect to the internal network via Remote Access VPN. Recently the certificate expired; the following is what I did.
1. Generated a Private key using OpenSSL.
2. Generated a CSR using that Private key.
3. Submitted the Private key to the Public CA and they returned me 4 different certificate files (1. Server Certificate, 2. Root Certificate, 3. Two Intermediate Certificates).
Also note that our old certificate was from the same CA.
4. I combined the Private key + Server Certificate + Root + and 2 Intermediate Certificates into one PKCS12 file.
Now when I upload this file into the Palo Alto it can't extract the root and intermediate certs automatically
5. I combined the Private key + Server Certificate and uploaded the root and intermediate certificates manually.
But when I change the SSL/TLS Service Profile to the new certificate, we are still unable to connect to the Gateway.
Can anyone help me please? Is there something I missed entering, or is there something extra I have to do before we are able to establish a VPN connection to the gateway?
Please help me immediately.
Thank you.
Much appreciate it.
#certificate
#expiredCertificate
09-12-2025 05:27 AM
Hi @m.shah.alizada2000 ,
While your process seems correct it's unclear to me where you're performing certain steps.
The CSR must be generated on the client firewall. You then get this CSR signed by the CA. Once you receive the signed certificate, you transfer it back to the satellite firewall. The satellite firewall then imports the signed certificate.
As an alternative method for deploying client certificates to satellites, you can also opt to configure your GP portal to act as a SCEP client to a SCEP server in your enterprise PKI.
That said, at this point, a live debugging session with Support would likely be the most effective way to solve the problem. During a debugging session with Support you can verify the entire chain of trust. This includes confirming that the GP GW has the correct server certificate and that the Satellite firewall trusts the CA that signed the GW's certificate, and pinpointing the exact reason for the authentication failure (e.g., certificate validation failure, wrong authentication method, or a policy misconfiguration). You can also verify that the correct client certificate is being used for authentication in the GlobalProtect configuration.
Kind regards,
-Kim.
09-12-2025 08:15 AM
Dear Kim,
Answer to your first question: I use OpenSSL and my laptop terminal to perform all those steps like (generating a private key, generating a CSR, and combining the server Certificate and private key into a PKCS12 file)
Now questions I have:
I generate a certificate in the Palo Alto web GUI, then export it and send it to the CA; once they return the certificate to me, I upload it into Palo Alto.
Now, the CA also sends root and intermediate certificates. Should they also be uploaded besides that?
Question two:
The current certificate is already expired. Can I just click on that, export its CSR, send it to the CA to sign, and once they have signed it, upload it into the Palo Alto web GUI so the certificate has its life cycle extended?
thank you.
looking forward to hearing from you!
Shah.
09-13-2025 12:29 AM
Hi @kiwi
I replied to your post last evening, but it was rejected by a moderator for some reason.
Thank you for replying to my post.
Here are the answers and the questions I have for you; I would like to receive answers based on them.
First of all, I used the OpenSSL tool on my Windows machine terminal to generate a private key and also a CSR, plus combining the files into a PKCS12 format.
Though your answer seems very correct: generate a CSR inside the Palo Alto gateway itself and get the CSR signed by the CA.
Now I have two questions:
1. When the CA returns the signed CSR there are four files (the Server Certificate, two Intermediate Certificates, and one Root Certificate). Should I import the root and intermediate certificates as well, along with the Server Certificate?
2. Following is a screenshot from the certificate generation tool inside the Palo Alto GUI. What are some of the items that should specifically match the expired certificate?
I would be happy to hear back from you.
Thank you.
Best Regards,
Shah.
09-13-2025 12:36 AM
Dear @kiwi
Your instructions are complete and correct: I have to generate a certificate inside the Palo Alto Gateway machine, get it signed by the CA and upload it back into the Gateway.
Now here are two questions I have for you, and I will be super happy to hear back from you.
1. When the CA signs the Certificate they normally send the following files (Server Cert, Root and Intermediate Cert). When uploading the Server Cert, should any other certificates be uploaded alongside it?
2. When generating a Certificate inside the Palo Alto GUI, what attributes and other items must be identical to the expired previous certificate, such that if they are not identical the cert might fail to establish a VPN connection with clients?
Thank you.
Best Regards,
Shah.
But I have two questions in specific