Global Protect Certificate SSL Self Signed Expired GP SSL/TLS Profile

Global Protect Certificate Self Signed Expired

Hello everyone

I have a concern with the following scenario.

If I have a PA configured with a self-signed SSL certificate for GlobalProtect use (in the SSL/TLS profile for GP), and that certificate is close to expiring. I understand it's not the best practice, but you know, there are clients who have it that way, for better or for worse.

All the workstations that have the GlobalProtect client have the certificate installed, so that it is recognized as a trusted entity on the computers (since it is self-signed by the same PA).

I think, and I want to confirm, that in theory when the renewal is done there will be a change in the self-signed certificate on the PA firewall, since its period of validity is extended. Therefore I think that when the certificate expires, workstations that do not have the renewed certificate installed will not be allowed to connect with the GlobalProtect client, so I think it will be necessary to download and install the certificate once the renewal is done.

I have not yet had the opportunity to test and validate this correct and accurate behavior, which is why I ask.

Please share your comments, suggestions, tips.

Thanks for your time

Cheers

You can set your portal agent config to install the newly self-signed CA, so anyone who connects will get it before the old one expires.

Self-signed certificate… how are you going to create this on the PA? If by self-signed you mean the Issuer/Subject are the same information, that is reserved for CA-type certs.

Now, by default the PA will generate a self-signed identity certificate for the management interface; it must have this.

For GP, however, you must reference the certificate in an SSL/TLS profile - and these profiles only support identity / end-entity type certs.

You could create the self-signed identity certificate in openssl - but if you're at this point, why not follow the proper structure of a CA certificate issuing an identity certificate for GP?

Dude, yeah… you linked a KB about creating a CA certificate. Did you actually look at the screenshots?

Literally from RFC 5280 - a self-signed cert is for the Root CA cert.

Do me a favor - go to your PA, Device, Certificate - generate.

Give it a Cert Name (min six chars), any common name will do - do not check any additional boxes - and click Generate.

Colleague… yes, you can generate a CA in Palo Alto; I invite you to configure PA firewalls, and it is feasible to use them. And yes, colleague, you can use them in the GP SSL/TLS profile.

Cheers dude

Documentation is tough

“Use only signed certificates, not CA certificates, in SSL/TLS service profiles.”
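The thread turns on the distinction between a self-signed CA certificate (Subject equals Issuer, basicConstraints CA:TRUE) and the end-entity identity certificate an SSL/TLS service profile expects. The script below is an added example, not code from any poster or from Palo Alto Networks: it builds the structure recommended above with openssl (a self-signed root CA that issues a short-lived identity cert for the portal), then classifies a PEM file and flags it when it is about to expire. The CA and portal names are constructed placeholders, and it assumes openssl 1.1.1 or newer on the PATH.

```shell
#!/bin/sh
# Added example: self-signed CA issuing a GlobalProtect identity cert, plus
# checks that tell the two certificate kinds apart and warn before expiry.
# Names are constructed placeholders; assumes openssl >= 1.1.1 on PATH.
set -eu
WORK=$(mktemp -d)

# 1. Self-signed CA: Subject == Issuer, basicConstraints CA:TRUE.
#    This is the cert that gets distributed to workstations as a trust anchor.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -subj "/CN=Example-PA-Root-CA" \
  -addext "basicConstraints=critical,CA:TRUE" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# 2. End-entity (identity) cert for the portal, signed by that CA.
#    Only this cert belongs in the GP SSL/TLS service profile; renewing it
#    does not change the trust anchor the clients already hold.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=gp.example.invalid" \
  -keyout "$WORK/gp.key" -out "$WORK/gp.csr" 2>/dev/null
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:gp.example.invalid\n' \
  > "$WORK/gp.ext"
openssl x509 -req -in "$WORK/gp.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 30 -sha256 -extfile "$WORK/gp.ext" \
  -out "$WORK/gp.pem" 2>/dev/null

# cert_kind FILE -> "ca-self-signed", "ca-intermediate" or "end-entity"
cert_kind() {
  if openssl x509 -in "$1" -noout -text | grep -q "CA:TRUE"; then
    # Same subject and issuer name hash => self-signed root.
    if [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
         "$(openssl x509 -in "$1" -noout -issuer_hash)" ]; then
      echo "ca-self-signed"
    else
      echo "ca-intermediate"
    fi
  else
    echo "end-entity"
  fi
}

# expires_within FILE DAYS -> returns 0 if the cert expires within DAYS days
expires_within() {
  if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
    return 1   # still valid beyond the window
  fi
  return 0
}

echo "ca.pem: $(cert_kind "$WORK/ca.pem")"   # ca-self-signed
echo "gp.pem: $(cert_kind "$WORK/gp.pem")"   # end-entity
if expires_within "$WORK/gp.pem" 60; then
  echo "gp.pem expires within 60 days: reissue it from the CA before then"
fi
```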