VPN certificate expires

L4 Transporter


My firewall is a PA-3020 with 8.0.7. There is a Global Protect gateway and portal, users can connect via Global Protect.

As portal address in the GlobalProtect app, we are using an address that is available in public DNS.

Additionally, there is a public signed certificate. When I do https://portal-address in a browser, I can see that the certificate expires tomorrow.

Can someone tell me what to do now?

Do I have to make a CSR? And where do I have to replace the certificate?

Thank you!

L4 Transporter

Under Network -> GlobalProtect -> Portals -> (Your portal) -> Authentication, take note of the SSL/TLS Service Profile

You should probably do the same for your Gateway, in case it is different.


Under Device -> Certificate Management -> SSL/TLS Service Profile -> (Profile from above), take note of the certificate

This is the certificate used by your Portal or Gateway.


Under Device -> Certificate Management -> Certificates, locate this certificate, and click "Renew" at the bottom of the screen to generate a new CSR, export the CSR, submit it to your CA, and import the new certificate (and signing chain, if it changes).


Update the SSL/TLS Service Profile(s) with the new certificate(s).


You can see the expiration dates of any certificates you have on the Certificates page, in case any more are expiring soon. It often takes a few days to renew a certificate, so it pays to be proactive here.

L4 Transporter

Thank you, how many days am I supposed to extend the certificate?

L4 Transporter

Typical would be one or two years, sometimes three. That is really a policy question for the business - in theory having a certificate out there longer is a risk, but it is more convenient, and usually less expensive per year. The number of days in your CSR is typically ignored by the CA and replaced with whatever you pay them for.

L4 Transporter

Thank you!

I did the whole procedure and VPN still works.

When I imported the signed certificate, I imported the server certificate itself, not with the complete CA chain.

Under Device -> Certificates, the certificate appears as a single certificate, without the CA chain.

Is that a problem?

L4 Transporter

It can be. Your CA should have a package you can download with the root and intermediate certificates that you can import to complete the chain.

L4 Transporter

Yes, there is such a package.

Does the firewall automatically link this package with the new server certificate?

L4 Transporter

Unzip the package and import the certificates just as you did the server certificate (your GP certificate); it will show a "tree" with the root and intermediate automatically, based on the information in the server cert.
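The two checks this thread turns on, as an added example that is not part of the original posts and not PAN-OS tooling: how close a certificate is to expiry (the renewal step above), and whether a server certificate actually verifies with and without its intermediate (the incomplete-chain question in the last few posts). It assumes only the openssl CLI; the root, intermediate and portal name (portal.example.test) are constructed test material generated on the fly, with the server certificate deliberately issued for 20 days so the 30-day warning fires.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a throwaway root -> intermediate -> server chain
# (all names constructed) so the checks from the discussion can be run offline:
#   1. how close a certificate is to expiry;
#   2. whether the issuer of the leaf is the subject of the candidate intermediate;
#   3. whether the server certificate verifies with and without its intermediate.
# Requires the openssl CLI.
set -eu

WORK="$(mktemp -d)"

# Constructed test PKI: hypothetical root, intermediate, and a 20-day server cert for a made-up portal name.
make_test_chain() {
  d="$1"
  printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > "$d/ca_ext.cnf"
  printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:portal.example.test\n' > "$d/srv_ext.cnf"

  # Self-signed root (openssl req -x509 marks it CA:TRUE by default).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout "$d/root.key" -out "$d/root.pem" -subj "/CN=Example Test Root" >/dev/null 2>&1
  # Intermediate, signed by the root, with CA extensions from ca_ext.cnf.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$d/int.key" -out "$d/int.csr" -subj "/CN=Example Test Intermediate" >/dev/null 2>&1
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -days 1825 -sha256 -extfile "$d/ca_ext.cnf" -out "$d/int.pem" >/dev/null 2>&1
  # Server (portal/gateway) cert, signed by the intermediate, deliberately short-lived.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$d/server.key" -out "$d/server.csr" -subj "/CN=portal.example.test" >/dev/null 2>&1
  openssl x509 -req -in "$d/server.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
    -days 20 -sha256 -extfile "$d/srv_ext.cnf" -out "$d/server.pem" >/dev/null 2>&1
}

# Returns 0 (true) if the certificate expires within N days. openssl's -checkend exits 0 when
# the cert is still valid N days from now, so the sense is inverted here.
expires_within_days() {
  if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Returns 0 if the leaf's issuer DN equals the candidate issuer's subject DN: the
# "information in the server cert" that lets an import be placed under its issuer.
issuer_matches() {
  leaf_issuer="$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')"
  cand_subject="$(openssl x509 -in "$2" -noout -subject | sed 's/^subject=//')"
  [ "$leaf_issuer" = "$cand_subject" ]
}

# Returns 0 if the leaf verifies up to the trusted root. Pass "" as the intermediate file
# to simulate having imported only the server certificate.
chain_verifies() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$3" "$1" >/dev/null 2>&1
  fi
}

make_test_chain "$WORK"

if expires_within_days "$WORK/server.pem" 30; then
  echo "server.pem expires within 30 days: start the renewal"
fi
if ! chain_verifies "$WORK/server.pem" "" "$WORK/root.pem"; then
  echo "server cert alone does not verify: intermediate missing"
fi
if chain_verifies "$WORK/server.pem" "$WORK/int.pem" "$WORK/root.pem"; then
  echo "server cert verifies once the intermediate is present"
fi
```

Run against a real export instead of the constructed files by pointing the three functions at the PEM files you downloaded from the portal and from the CA's chain package; the "missing intermediate" branch is the same condition the firewall shows as a lone certificate with no tree under it.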
