This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Renewing a Subordinate CA Certificate for firewall, issued by MS Server Enterprise CA

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Renewing a Subordinate CA Certificate for firewall, issued by MS Server Enterprise CA

tonyrobson
L1 Bithead

‎11-04-2021 11:09 AM - edited ‎11-04-2021 11:40 AM

Hi,

 

I've been looking all over for some guidance on this, without much joy.

 

I am trying to renew a subordinate-CA certificate on a firewall, that was issued by a Windows Server Enterprise CA.

 

Obviously there is no Renew function on the firewall for that cert as it was externally issued - and it appears on Windows server you can only renew Subordinate-CA certificates for domain servers (I think?).

 

So based on the above, I generated a new certificate request, matching the name of the original (the certificate then shows as pending), and went through the signing process the same as last time and re-imported.  The certificate shows as having the expected new date and shows as valid, the chain hierarchy remains intact in the GUI, however, all the certificates signed by the previous certificate no longer work at all, for any function, SSL Decryption, GlobalProtect, Secure comms etc, and all need to be re-issued/signed by the new certificate.

 

So I dugout the original certificate request from a few years ago, and tried to submit that instead, and it also seems to present me with a new certificate rather than one maintaining the serial number.


So what is the process to renew the certificate without invalidating the signed certificates?

2 REPLIES 2

BPry
Cyber Elite
Cyber Elite

‎11-04-2021 08:10 PM

@tonyrobson,

I don't believe you really have many options to properly renew a sub-ca. I personally wouldn't have done what you did and use the same certificate name, instead using a new certificate name so that the current certificate and the new certificate a distinctly different things from the firewall's perspective. This allows you to begin transitioning to the new certificate while maintaining the old certificate until everything has been migrated over or it expires. 

0 Likes Likes

tonyrobson
L1 Bithead
In response to BPry

‎11-05-2021 08:01 AM

Actually I've found an advantage to using the original CSR; you can renew the child certificates then using the renew button, compared to when you use a new CSR for the Sub-CA, whenever you try renew the child certs it can't sign then, presumably because of the private key change, so you have to generate new certificates individually for each one, doing all the attributes again and typing out names to match etc.  If you use the Sub-CA with the original CSR though it allows a single click renew, much quicker and easier.

0 Likes Likes
  • 3594 Views
  • 2 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks