Global Protect Certificate Self Signed Expired
Hi, How are they doing?
I have a concern with the following scenario.
I have a PA configured with a self-signed SSL certificate for Global Protect use (SSL/TLS profile for GP), and that certificate is about to expire.
All the workstations that have the Global Protect client have the certificate installed, so that it is recognized as a trusted entity on the computers (since it is self-signed by the same PA).
Now, if I renew that certificate on the Palo Alto Networks firewall, will I have to download and reinstall that certificate on each workstation? In theory, I think the certificate will change, that is to say, it will be renewed and its duration extended; therefore, when the expiration date of the certificate that the users already have installed to validate the SSL/CA self-signed certificate of the PA arrives, it will not allow them to connect.
Please share your comments, suggestions, and tips regarding the above.
Thanks
Regards
Yes, that will work :)
Do you have a root CA that signed the TLS certificate?
You can easily push the root cert to clients when they connect, at which time, if you refreshed the root and the TLS, they will trust the new cert.
The only caveat is that you need to do this before the root CA expires, else they won't be able to connect anymore (unless you set the agent to be allowed to connect to the portal even if the certificate is fishy).
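
A pre-expiry check for the two cases raised in this thread (a self-signed portal certificate, or a portal certificate signed by a root CA), added here as an example and not part of any post. The function names, action labels, and constructed sample certificates are assumptions, and it requires the `openssl` CLI.

```shell
#!/bin/sh
# Added example, not from the thread. Names and action labels are hypothetical.

# True if the certificate in $1 expires within $2 days (or is expired/unreadable).
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# True if subject and issuer match, i.e. the certificate is its own trust anchor.
is_self_issued() {
    s=$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null) || return 1
    [ "$s" = "$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null)" ]
}

# $1 = portal certificate, $2 = root CA certificate, $3 = lead time in days.
# Prints what has to happen before clients lose trust.
renewal_action() {
    if is_self_issued "$1"; then
        # Clients trust this exact certificate, so a renewed one must reach them.
        if expires_within "$1" "$3"; then echo renew-and-push-to-clients; else echo ok; fi
    elif expires_within "$2" "$3"; then
        # The new root must be pushed while clients can still connect.
        echo renew-root-and-push-to-clients
    elif expires_within "$1" "$3"; then
        # Root stays valid: a portal certificate reissued by it is already trusted.
        echo renew-portal-cert
    else
        echo ok
    fi
}

# Builds a constructed root CA and portal certificate in directory $1,
# valid for $2 and $3 days respectively (sample data only).
make_constructed_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=Constructed Root CA" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=portal.example.test" \
        -keyout "$1/portal.key" -out "$1/portal.csr" 2>/dev/null
    openssl x509 -req -in "$1/portal.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -CAcreateserial -days "$3" -out "$1/portal.pem" 2>/dev/null
}

if [ "${1:-}" = demo ]; then
    d=$(mktemp -d) && make_constructed_pair "$d" 20 400
    renewal_action "$d/portal.pem" "$d/root.pem" 30   # root is inside the 30-day window
    rm -rf "$d"
fi
```

Run it with the argument `demo` to see the constructed case, or call `renewal_action` with exported copies of the real portal and root certificates.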