07-13-2023 08:07 PM
Hi All,
We would like to use our GlobalProtect VPN using certificate signed by Public CA.
As the CA team is requesting that we generate the CSR from the Palo Alto Firewall, can I follow the article below to generate it?
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSxCAK
And we have two ISPs connected to the Palo Alto Firewalls, and we have two GlobalProtect VPN Gateways configured. If I want to use a public CA-signed certificate for both gateways, I need to generate a separate CSR for each gateway, right?
And when generating the CSR, in the common name section, can I use the public IP address instead of an FQDN?
Please help me to confirm.
Thank you
07-20-2023 09:01 AM
You can follow that link to generate a CSR.
You should generate a CSR on each node.
Public authorities will not include IP addresses as CN or SAN entries. You'll need to use FQDN.
07-20-2023 10:27 AM - edited 07-20-2023 10:28 AM
In addition to what @rmfalconer said, be sure to add SAN entries ("Host Name" field under Certificate Attributes) for the certificate. CN (Common Name) is no longer used for hostname certificate validation, the SAN is. Also, you can have multiple SANs under a single certificate and you can have a single certificate that covers multiple Portals and Gateways.
I run a combined certificate with a default FQDN as the CN and all my explicit Portal and Gateway FQDNs as SANs on the same certificate. I.e. a CSR to be signed by an external auth with:
Certificate Name = VPN_Certs
Common Name = vpn.example.com
Signed By - External Authority
Certificate attributes:
Country = US
State = Allstate
Locality = Anytown
Organization = Acme Corporation
Host name = vpn.example.com
Host name = vpn-portal-a.example.com
Host name = vpn-gateway-a.example.com
Host name = vpn-portal-b.example.com
Host name = vpn-gateway-b.example.com
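The two replies above cover generating the CSR on the firewall and putting every Portal and Gateway FQDN in the SAN list. The script below is an added example, not code from the thread or from Palo Alto Networks: it builds an equivalent CSR with openssl (so it can be run anywhere), using the CN, organization fields and the five "Host name" entries from the post above, and then parses the CSR back to confirm the CN and the DNS SANs before anything is sent to the CA. The function names, the openssl config layout and the temporary working directory are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread): build a CSR carrying one CN and
# several DNS SANs with openssl, then inspect it to confirm the SANs.
# Host names and DN fields are the ones from the post above; everything
# else (function names, file names, config layout) is this example's own.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_csr CN HOST...   -> prints the path of the generated CSR.
# The CN is repeated as a SAN because validators ignore the CN.
make_csr() {
  cn="$1"; shift
  cfg="$WORK/csr.cnf"
  {
    printf '[req]\ndistinguished_name = dn\nreq_extensions = ext\nprompt = no\n'
    printf '[dn]\nC = US\nST = Allstate\nL = Anytown\nO = Acme Corporation\nCN = %s\n' "$cn"
    printf '[ext]\nsubjectAltName = @alt\n[alt]\n'
    i=1
    for h in "$@"; do
      printf 'DNS.%d = %s\n' "$i" "$h"   # one DNS entry per Portal/Gateway FQDN
      i=$((i + 1))
    done
  } > "$cfg"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/vpn.key" \
    -out "$WORK/vpn.csr" -config "$cfg" 2>/dev/null
  echo "$WORK/vpn.csr"
}

# csr_cn CSR   -> prints the Common Name from the CSR subject.
csr_cn() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# csr_sans CSR   -> prints the DNS SAN entries, one per line.
csr_sans() {
  openssl req -in "$1" -noout -text \
    | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' \
    | sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# csr_covers CSR HOST...   -> exit 0 only if every HOST is a DNS SAN.
# Use this as the pre-flight check before submitting the CSR to the CA:
# a Portal or Gateway FQDN missing here will fail client validation.
csr_covers() {
  csr="$1"; shift
  sans="$(csr_sans "$csr")"
  for h in "$@"; do
    echo "$sans" | grep -qx "$h" || return 1
  done
}

# Stand-alone run: the combined Portal/Gateway certificate from the post.
CSR="$(make_csr vpn.example.com \
  vpn.example.com vpn-portal-a.example.com vpn-gateway-a.example.com \
  vpn-portal-b.example.com vpn-gateway-b.example.com)"
echo "CN:   $(csr_cn "$CSR")"
echo "SANs:"; csr_sans "$CSR" | sed 's/^/      /'
csr_covers "$CSR" vpn-portal-a.example.com vpn-gateway-b.example.com \
  && echo "All Portal/Gateway names covered; CSR is ready for the CA."
```

Each `DNS.n` line in the `[alt]` section corresponds to one "Host Name" attribute on the firewall's Generate Certificate screen; an `IP.n` entry is what an IP-address SAN would look like, but as noted above a public CA will not issue one, so only FQDNs are used here. If you do generate the CSR on the firewall itself, the same `openssl req -in ... -noout -text` check can be run on the exported CSR before it goes to the CA team.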