Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Generate Certificate to be Signed by Public CA for Global Protect VPN

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Generate Certificate to be Signed by Public CA for Global Protect VPN

L1 Bithead

Hi All,

 

We would like to use our GlobalProtect VPN using certificate signed by Public CA.

As the CA team is requesting to generate CSR from Palo Alto Firewall , can I follow below article to generate?

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSxCAK

 

And we have two ISPs connected to PaloAlto Firewalls and we have two GlobalProtect VPN Gateways configured. If I want to use Public signed CA for both gateways , I need to generate separate CSR for each gateway right?

 

And when generating CSR , in the common name session , can I use public ip address instead of FQDN?

 

Please help me to confirm.

 

Thank you

 

2 REPLIES 2

L5 Sessionator

You can follow that link to generate a CSR.

You should generate a CSR on each node.

Public authorities will not include IP addresses as CN or SAN entries. You'll need to use FQDN.

L6 Presenter

In addition to what @rmfalconer said, be sure to add SAN entries ("Host Name" field under Certificate Attributes) for the certificate. CN (Common Name) is no longer used for hostname certificate validation, the SAN is. Also, you can have multiple SANs under a single certificate and you can have a single certificate that covers multiple Portals and Gateways.

 

I run a combined certificate with a default FQDN as the CN and all my explicit Portal and Gateway FQDNs as SANs on the same certificate. I.e. a CSR to be signed by an external auth with:

Certificate Name = VPN_Certs

Common Name = vpn.example.com

Signed By - External Authority

Certificate attributes:

  County = US

  State = Allstate

  Locality = Anytown

  Organization = Acme Corporation

  Host name = vpn.example.com

  Host name = vpn-portal-a.example.com

  Host name = vpn-gateway-a.example.com

  Host name = vpn-portal-b.example.com

  Host name = vpn-gateway-b.example.com

  • 1250 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!