Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

GP Certificates and SSL Decryption

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

GP Certificates and SSL Decryption

L3 Networker

Hi All,

 

I have configured GP in PreLogon mode so there is a machine certificate deployed.

 

My certificates are locally generated on the Palo Alto. The Local CA certificate is due to expire and the SubCA expires shortly after. What will happen to user connections if I renew both certificates for another year using the renew button. Am I going to have to export the new certificate to all devices that connect using GP PreLogon? Just being cautious to not prevent outage.

 

Also, with the same Local CA - is it okay to create further SubCA for SSL Forward Encrypt and Forward Decrypt? Apologies for a simple question, I cannot have an outage on this user so just validating my thoughts (which is yes).

 

Regards

 

Adrian

1 accepted solution

Accepted Solutions

L3 Networker

I played about with this and came up with a solution. The certificate extension using the renew button had no impact on my user connections but had to be pushed out to users.

 

I created the Root cert for SSL decryption and the intermediates for Decrption Forward Trust and Untrust. All worked well. I also created a seperate certificate for the new Machine Cert and this tested okay. Simplified the solution and labelled the certs so there is better understanding for other engineers.

View solution in original post

2 REPLIES 2

L7 Applicator

for your pre-logon...   are you talking about exporting a new machine cert as i was never aware that the root or subca needed to be exported for pre-logon to work...

L3 Networker

I played about with this and came up with a solution. The certificate extension using the renew button had no impact on my user connections but had to be pushed out to users.

 

I created the Root cert for SSL decryption and the intermediates for Decrption Forward Trust and Untrust. All worked well. I also created a seperate certificate for the new Machine Cert and this tested okay. Simplified the solution and labelled the certs so there is better understanding for other engineers.

  • 1 accepted solution
  • 3301 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!