This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

GP Certificates and SSL Decryption

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

GP Certificates and SSL Decryption

Go to solution
a.jones
L3 Networker

‎07-13-2021 06:14 AM

Hi All,

 

I have configured GP in PreLogon mode so there is a machine certificate deployed.

 

My certificates are locally generated on the Palo Alto. The Local CA certificate is due to expire and the SubCA expires shortly after. What will happen to user connections if I renew both certificates for another year using the renew button. Am I going to have to export the new certificate to all devices that connect using GP PreLogon? Just being cautious to not prevent outage.

 

Also, with the same Local CA - is it okay to create further SubCA for SSL Forward Encrypt and Forward Decrypt? Apologies for a simple question, I cannot have an outage on this user so just validating my thoughts (which is yes).

 

Regards

 

Adrian

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
a.jones
L3 Networker

‎08-17-2021 01:22 AM

I played about with this and came up with a solution. The certificate extension using the renew button had no impact on my user connections but had to be pushed out to users.

 

I created the Root cert for SSL decryption and the intermediates for Decrption Forward Trust and Untrust. All worked well. I also created a seperate certificate for the new Machine Cert and this tested okay. Simplified the solution and labelled the certs so there is better understanding for other engineers.

View solution in original post

0 Likes Likes
2 REPLIES 2

Go to solution
Mick_Ball
L7 Applicator

‎07-13-2021 08:20 AM

for your pre-logon...   are you talking about exporting a new machine cert as i was never aware that the root or subca needed to be exported for pre-logon to work...

0 Likes Likes

Go to solution
a.jones
L3 Networker

‎08-17-2021 01:22 AM

I played about with this and came up with a solution. The certificate extension using the renew button had no impact on my user connections but had to be pushed out to users.

 

I created the Root cert for SSL decryption and the intermediates for Decrption Forward Trust and Untrust. All worked well. I also created a seperate certificate for the new Machine Cert and this tested okay. Simplified the solution and labelled the certs so there is better understanding for other engineers.

0 Likes Likes
  • 1 accepted solution
  • 3301 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks