Importing a new certificate for GlobalProtect

I hope I’m not sounding foolish but a few things confuse me and this is my first time importing a new certificate. Our current SSL certificate for GlobalProtect is expiring in 2 weeks. My colleague said I needed to generate a new certificate in order to get a CSR file. My colleague then sent that off to the CA for renewal. The CA sent us back our SSL certificate. I assume I need to import this on the firewall but it can’t be that easy, can it? I keep reading forum posts and KB articles about names needing to match exactly, public keys, private keys, etc. Will those things pertain to this method? The “certificate” I generated on the firewall to create the CSR is just chilling there with a “pending” status. What do I do with that? Will importing this certificate disconnect all currently connected VPN sessions?

Thank you for any help

It doesn’t interrupt sessions. I just did this in June for all of our VPN portals and it works like a charm. It’s just for authenticating and validating session connections, not for actual traffic afaik.
You’ve already done most steps, but I’m including the steps I take for pano cert renewal for someone else to reference:

  • Generate a new cert with the exact same file name as the existing cert. Be sure to include an Alternative DNS hostname (the portal hostname) as an attribute, or else when you go to the portal in your browser it will complain about there not being any SANs
  • BEFORE YOU NAVIGATE AWAY FROM THE PAGE, “export” the cert to download the CSR. Once you go away from that page, you lose the chance to download the CSR and have to regenerate it if you didn’t get it (revert config and try again)
  • Upload the CSR to your CA of choice, generate the cert, download the cert
  • Assuming the CA chain is the same, upload the cert file under the exact same object name. It should overwrite the pending entry. If it doesn’t, you did something wrong in the name, or the CA chain changed (upload the new CA chain and then upload the cert - it should pull the pending entry down to the new chain)
    • I had this happen with DigiCert last June; their CA intermediate cert changed for some reason
  • Commit and push
  • Check the cert status by going to the portal URL in your browser
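An offline way to check the things this thread keeps coming back to (a SAN for the portal hostname, a chain that actually completes, a cert that pairs with the key behind the CSR, and time left before expiry) before touching the firewall. This is an added example in POSIX shell using openssl, not from the thread or from Palo Alto; the file names and hostnames are placeholders, and the test material is a throwaway CA and leaf constructed locally.

```shell
#!/bin/sh
# Pre-import checks for a renewed portal certificate (added example, not PAN-OS tooling).
# Nothing here talks to the firewall; it only inspects local PEM files.
set -e

# check_cert HOST LEAF.pem CHAIN.pem KEY.pem
#   returns 0 when every check passes, otherwise 1..4 for the first failing check
check_cert() {
  host=$1 leaf=$2 chain=$3 key=$4
  # 1. Chain completeness: the leaf must verify against the CA bundle (intermediate(s)
  #    plus root) that will be imported alongside it. This is the local analogue of the
  #    "cannot find complete certificate chain" warning.
  openssl verify -CAfile "$chain" "$leaf" >/dev/null 2>&1 \
    || { echo "FAIL: chain incomplete or wrong CA bundle"; return 1; }
  # 2. SAN: browsers ignore the CN, so the portal hostname must appear as a DNS SAN.
  openssl x509 -in "$leaf" -noout -text | grep -q "DNS:$host" \
    || { echo "FAIL: no subjectAltName DNS entry for $host"; return 2; }
  # 3. Key pairing: the public key inside the cert must equal the one derived from the
  #    private key that was generated together with the CSR.
  cert_pub=$(openssl x509 -in "$leaf" -noout -pubkey | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$key" -pubout | openssl dgst -sha256)
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "FAIL: private key does not match certificate"; return 3; }
  # 4. Validity: refuse a cert that expires within 14 days (1209600 seconds).
  openssl x509 -in "$leaf" -noout -checkend 1209600 >/dev/null \
    || { echo "FAIL: certificate expires within 14 days"; return 4; }
  echo "OK: $host"
}

# make_test_material DIR HOST: constructed throwaway CA, leaf and keys, for testing only.
make_test_material() {
  dir=$1 host=$2
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Constructed Test CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" -days 30 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/ext.cnf"
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -extfile "$dir/ext.cnf" -out "$dir/leaf.pem" -days 30 2>/dev/null
  # an unrelated key, to exercise the key-mismatch check
  openssl genpkey -algorithm RSA -out "$dir/other.key" 2>/dev/null
}

# Stand-alone use: sh check_cert.sh portal.example.com leaf.pem chain.pem leaf.key
if [ "$#" -eq 4 ]; then check_cert "$@"; fi
```

The chain file should be the bundle as downloaded from the CA, including the root; if the CA's intermediate changed since the last renewal, check 1 is the one that fails.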

You can import it directly, I don’t recall existing clients disconnecting.

Just make it PFX format with a password of at least 6 characters and import it along with the chain (if it’s a wildcard you might have an intermediate CA, etc.). Then change the certificate in the SSL/TLS Service Profile and commit. Then try to connect with GlobalProtect; if you can connect, you are done. Current users will not be affected, only new connections.

Thank you for the help. I believe I got the new cert imported successfully and multiple users are able to connect to the VPN with no issues or warnings. I do, however, have a warning that says

“Warning: cannot find complete certificate chain for certificate GlobalProtect-2021 (Module: device)”

How concerned should I be even though everything seems to be working normally?

I can’t say I’ve seen that error before. The perfectionist in me would want to fix it, but if things are working then it might not be a big deal. At the very least it’d bump the priority to fix down a notch while waiting for support to get back to me. What happens when you go to the portal URL in the browser? Does the browser care?

Yes, I can still access the portal URL in the browser with no issues. Browser does not throw any fits. I will open a ticket with Palo. Thank you again.