How to Renew Global Protect VPN certificate signed by third party vendor?



Our GlobalProtect VPN certificate is expiring soon. How do we renew it? We use a certificate signed by a third-party vendor, GoDaddy. Is there a document on how to do the upgrade in a proper way? Is there downtime needed for this?


Accepted Solutions

Hi @tthapa23 ,

No downtime is expected for such a change, but I would still suggest planning a maintenance window, just to keep other teams/support informed that such a change will take place.

Certificate replacement is pretty straightforward. There are some extra steps depending on whether you generate the CSR on the firewall and send it to GoDaddy to sign, or the CSR is generated outside of the firewall and you just import the cert and private key to the firewall:

 

A) Import cert and key to the firewall:

1. Import the renewed certificate, including the private key. From the GUI: Device -> Certificate Management -> Certificates -> Import

2. You need to give the certificate a different name (not a different CN, but a different name that the FW will refer to it by). I usually name it <old-cert-name>_new (just a "_new" suffix at the end of the old cert name).

3. Update the SSL/TLS service profile that is used for GP to use the new certificate. From the GUI: Device -> Certificate Management -> SSL/TLS Service Profile. Edit your existing profile used by GP by selecting the new cert from the dropdown.

4. Commit the change and verify GP is now using the new certificate: just open the GP portal URL in a web browser and check the presented certificate (note that if you have disabled the GP portal login page you will see a blank page; that is OK, but you should still be able to see the SSL negotiation and the server certificate).

5. Delete the old certificate. After that, rename the new certificate by removing the _new suffix and commit again (the FW will automatically update the cert name in the SSL/TLS service profile).

 

B) Generate CSR on the firewall

1. Generate the CSR. From the GUI: Device -> Certificate Management -> Certificates -> Generate

2. Select External (CSR) for "Signed By". Populate the rest as per your certificate requirements and click OK.

3. You will see your new certificate in the list with status "pending". Click on it and click Export (this will download the CSR).

4. Send the .csr to GoDaddy to sign. You should receive a .cer, .pem or .crt file.

5. Import the received certificate. From the GUI: Device -> Certificate Management -> Certificates -> Import. Important: when importing the cert you need to use exactly the same name that you used when creating the CSR. If the names do not match, the import will fail with an error.

6. When the cert is imported you will see the status change from "pending" to "valid".

7. From there, follow exactly the same steps as in option A above, starting from step 3.

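The checks a practitioner would want around the procedure above, as an added example that is not part of the original post or of Palo Alto Networks' own tooling: before importing (option A) confirm the renewed certificate and the private key actually belong together and that the new cert is not itself close to expiry, and after the commit (step 4 of either option) compare the fingerprint the portal serves with the file you imported rather than eyeballing the browser dialog. The test material is a constructed self-signed cert and key standing in for the GoDaddy-signed pair, so everything except the live portal check runs offline. The `panos_import_and_switch` function is the scripted form of option A steps 1 to 4; `FW_HOST`, `API_KEY`, the certificate and profile names are placeholders, and the XML API parameter names are from my recollection of the PAN-OS XML API import, config and commit requests, so check them against the documentation for your PAN-OS release before relying on them.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes openssl and curl on PATH.
# FW_HOST / API_KEY and the cert/profile names are placeholders (assumptions).
set -e

# Constructed stand-in for the renewed GoDaddy-signed cert and its key:
# a throwaway self-signed cert with a SAN, so the checks below run offline.
make_test_material() {
  dir=$1; days=$2
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
    -subj "/CN=vpn.example.com" -addext "subjectAltName=DNS:vpn.example.com" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
}

# 0 if the private key belongs to the certificate (identical public key),
# 1 if not, 2 if either file cannot be parsed. Importing a cert with the wrong
# key is the classic option-A mistake and only shows up at commit time.
key_matches_cert() {
  cert_pub=$(openssl x509 -noout -pubkey -in "$1") || return 2
  key_pub=$(openssl pkey -pubout -in "$2") || return 2
  [ "$cert_pub" = "$key_pub" ]
}

# 0 if the cert is still valid N days from now, 1 if it expires sooner.
# Useful both for the cert you are about to import and for the one in place.
cert_valid_for_days() {
  openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# SHA-256 fingerprint of a local cert file (hex with colons).
local_cert_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

# Fingerprint of the leaf cert the portal actually serves after the commit
# (step 4 of the post). Needs network access, so it is not exercised offline.
served_cert_fingerprint() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Option A steps 1-4 through the XML API instead of the GUI (assumed parameter
# names; verify against your PAN-OS release). $4 is the NEW cert name, e.g.
# gp-portal-cert_new; $5 is the existing SSL/TLS service profile name.
panos_import_and_switch() {
  cert=$1; key=$2; passphrase=$3; name=$4; profile=$5
  base="https://${FW_HOST}/api/"
  # 1-2. Import the certificate and then the key under the new name.
  curl -sk -F "file=@$cert" \
    "${base}?type=import&category=certificate&certificate-name=${name}&format=pem&key=${API_KEY}"
  curl -sk -F "file=@$key" \
    "${base}?type=import&category=keypair&certificate-name=${name}&format=pem&passphrase=${passphrase}&key=${API_KEY}"
  # 3. Point the existing SSL/TLS service profile at the new certificate.
  curl -sk -G "$base" --data-urlencode "type=config" --data-urlencode "action=set" \
    --data-urlencode "xpath=/config/shared/ssl-tls-service-profile/entry[@name='${profile}']" \
    --data-urlencode "element=<certificate>${name}</certificate>" \
    --data-urlencode "key=${API_KEY}"
  # 4. Commit; compare served_cert_fingerprint with local_cert_fingerprint afterwards.
  curl -sk -G "$base" --data-urlencode "type=commit" \
    --data-urlencode "cmd=<commit></commit>" --data-urlencode "key=${API_KEY}"
}

# Offline walk-through of the pre-import checks on the constructed material.
demo() {
  d=$(mktemp -d)
  make_test_material "$d" 90
  key_matches_cert "$d/cert.pem" "$d/key.pem" && echo "key matches cert"
  cert_valid_for_days "$d/cert.pem" 30 && echo "cert valid for at least 30 days"
  echo "local fingerprint: $(local_cert_fingerprint "$d/cert.pem")"
  rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh renew-checks.sh demo` for the offline checks; for a real renewal, run `key_matches_cert` and `cert_valid_for_days` on the files GoDaddy returned, call `panos_import_and_switch` (or do the same steps in the GUI), then confirm `served_cert_fingerprint vpn.example.com` equals `local_cert_fingerprint` of the file you imported. If the two differ after a successful commit, the profile is still bound to the old cert or a different portal/gateway profile is in use. Note also that a CA-signed certificate normally comes with an intermediate; `openssl s_client -showcerts` against the portal shows whether the firewall is sending the full chain, which the browser check in step 4 can hide if the intermediate is cached locally.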

Hi 
