Hi @tthapa23 ,

No downtime is expected for such a change, but I would still suggest planning a maintenance, just to keep other teams/support informed that such a change will take place.

 

Certificate replacement is pretty straightforward. There are some extra steps depending on whether you generate the CSR on the firewall and send it to GoDaddy to sign it, or the CSR is generated outside of the firewall and you just import the cert and private key to the firewall:

 

A) Import cert and key to the firewall:

1. Import the renewed certificate, including the private key. From GUI: Device -> Certificate Management -> Certificates -> Import

2. You need to give the certificate a different name (not a different CN, but a different name that the FW will refer to). I usually name it <old-cert-name>_new (just "_new" prefix at the end of the old cert name).

3. Update the SSL/TLS certificate profile that is used for GP to use the new certificate. From GUI: Device -> Certificate Management -> SSL/TLS Service Profile. Edit your existing profile used by the GP by selecting the new cert from the dropdown.

4. Commit the change and verify GP is now using the new certificate - just open the GP portal URL with a web browser and check the provided certificate (note: if you have disabled the GP portal login page you will see a blank page, that is OK, but you should be able to see SSL negotiated and the server certificate).

5. Delete the old certificate. After that rename new certificate by removing the _new prefix and commit again (FW will automatically update the cert name in SSL/TLS service profile).

 

B) Generate CSR on the firewall

1. Generate CSR. From GUI: Device -> Certificate Management -> Certificates -> Generate

2. Select External (CSR) for "signed by". Populate the rest as per your certificate requirements and click OK.

3. You will see your new certificate in the list with status "pending". Click on it and click Export (this will download the CSR)

4. Send the .csr to GoDaddy to sign it. You should receive a .cer, .pem or .crt file.

5. Import the received certificate. From GUI: Device -> Certificate Management -> Certificates -> Import. Important: when importing the cert you need to use exactly the same name that you used for creating the CSR. If the names do not match, the import will fail with an error.

6. When cert is imported you will see the status changing from "pending" to "valid".

7. From there, follow the exact same steps as with the above option, starting from step 3.

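The browser check in step A4 can also be scripted. The following is an added example, not part of the original post: it compares the SHA-256 fingerprint of the certificate the portal serves with the old and the renewed certificate files. It assumes both files are PEM encoded (a bundle with intermediates is fine); the script name, portal host name and file paths are placeholders.

```python
"""Check which certificate a GlobalProtect portal is serving after the commit."""
import base64
import hashlib
import re
import socket
import ssl
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def pem_fingerprints(pem_text):
    """SHA-256 fingerprints of every certificate in a PEM file (leaf or bundle)."""
    return [hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
            for body in PEM_BLOCK.findall(pem_text)]


def fetch_served_der(host, port=443, timeout=10):
    """Return the leaf certificate (DER bytes) presented on host:port."""
    ctx = ssl.create_default_context()
    # Chain validation is switched off on purpose: the certificate is only
    # fetched and then compared by fingerprint against the files on disk.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def classify_served(served_der, old_pem, new_pem):
    """Return 'new', 'old' or 'unknown' for the certificate being served."""
    served = hashlib.sha256(served_der).hexdigest()
    if served in pem_fingerprints(new_pem):
        return "new"
    if served in pem_fingerprints(old_pem):
        return "old"
    return "unknown"


if __name__ == "__main__":
    # Usage (placeholders): check_gp_cert.py <portal-fqdn> <old.pem> <new.pem>
    host, old_path, new_path = sys.argv[1:4]
    with open(old_path) as f_old, open(new_path) as f_new:
        state = classify_served(fetch_served_der(host), f_old.read(), f_new.read())
    print(f"{host} is serving the {state} certificate")
    sys.exit(0 if state == "new" else 1)
```

An "old" result after the commit means the SSL/TLS Service Profile still references the previous certificate; "unknown" means the portal is presenting a certificate that matches neither file.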