VPN certificate expires

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

VPN certificate expires

L4 Transporter

Hey!

My firewall is a PA-3020 with 8.0.7. There is a Global Protect gateway and portal, users can connect via Global Protect.

As portal address in the global protect app, we are using an address that is availabe in public dns.

Additionally, there is a public signed certificate. When I do https://portal-address in a browser, I can see that the certificate expires tomorrow.

Can someone tell me what to do now?

Do I have to make a CSR? And where do I have to replace the certificate?

Thank you!

7 REPLIES 7

L4 Transporter

Under Network -> GlobalProtect -> Portals -> (Your portal) -> Authentication, take note of the SSL/TLS Service Profile

You should probably do the same for your Gateway, in case it is different

 

Under Device -> Certificate Management -> SSL/TLS Service Profile -> (Profile from above), take note of the certificate

This is the certificate used by your Portal or Gateway

 

Under Device -> Certificate Management -> Certificates, locate this certificate, and click "renew" at the bottom of the screen to generate a new CSR, export the CSR, submit it to your CA, Import the new certificate (and signing chain, if it changes)

 

Update the SSL/TLS Service Profile(s) with the new certificate(s)

 

you can see the expiration dates of any certificates you have on teh Certificates page, in case any more are expiring soon.  It often takes a few days to renew a certificate so it pays to be pro-active here

Thank you, how much days am I supposed to extend the certificate?

Typical would be one or two years, sometimes three.  That is really a policy question for the business - in theory having a certificate out there longer is a risk, but it is more convenient, and usually less expensive per year.  The number of days in your CSR is typically ignored by the CA and replaced with whatever you pay them for.

Thank you!

I did the whole procedure and vpn still works.

When I imported the signed certficate, I imported the server certificate itself, not with the complete ca chain.

Under Device -> Certificates, the certificate appears as single certificate, without the ca chain.

Is that a problem?

it can be.  your CA should have a package you can download with the root and intermediate certificates you can import to complete the chain.

Yes, there is such a package.

Does the firewall automatically link this package with the new server certificate?

Unzip the package and import the certificates just as you did the server (your GP certificate) certificate, it will show a "tree" with the root and intermediate automatically, based on the information in the server cert.

  • 7958 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!