Replace an Expired GlobalProtect Portal or Gateway Certificate

Learn how to replace an expired GlobalProtect portal or gateway certificate.
If your GlobalProtect portal or gateway certificate has expired or is about to expire, you have several options to replace it.
For Prisma Access deployments, the portal and gateway certificates and their renewals are managed automatically as part of the infrastructure, so you don't have to do anything to replace an expired certificate.
If you're using third-party certificates for your portal or gateway, you will need to manage and renew your certificates when they expire.
If the firewall is the certificate authority (CA) that issued the certificate for your portal and gateways, the firewall replaces the expired certificate with a new certificate that has the same attributes as the old certificate but with a different serial number. From the web interface that is hosting the portal or gateway, Renew the Certificate, and commit the changes to push the certificate to the portal or the gateway.
For on-premises deployments that use third-party CA-issued SSL certificates, you must import the renewed certificate that you downloaded from your CA using the following procedure:
  1. Note the name and expiration date of the portal or gateway certificate.
    1. From the firewall that is hosting the gateway or portal with the expiring certificate, log on to the web interface.
    2. Select Device > Certificate Management > Certificates.
    3. Locate the certificate in the Device Certificates tab and note the name of the certificate and expiration date.
  2. Download the renewed certificate from your third-party CA. As an example, the following steps show how to download the renewed certificate from GoDaddy:
    1. Log in to the godaddy.com portal.
    2. Go to the Certificates tab.
    3. Select the certificate and click Download.
    4. In the Download Certificate window, for Server type, select Other and download the certificate in .crt format.
      The certificate is saved to your downloads folder.
  3. Import the downloaded certificate on the firewall that is hosting your portal or gateway.
    If you deployed two firewalls in an HA pair in an active/passive deployment, you must import the certificate on each firewall.
    1. From the web interface, go to Device > Certificate Management > Certificates > Device Certificates > Import.
    2. Enter the exact Certificate Name for the portal or gateway certificate that you're replacing.
    3. For the Certificate File, browse to and select the certificate that you downloaded from the CA.
    4. For the File Format, select Base64 Encoded Certificate (PEM).
    5. Click OK.
      After the certificate has been imported, you will see the new expiration date for the certificate.
    6. Commit your changes to push the certificate to the portal or gateway.
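
A check to run on the admin workstation between downloading the renewed certificate and importing it, as an added example that is not part of the vendor documentation: it confirms the downloaded .crt is PEM (the format selected in the Import dialog), prints the subject, serial number, expiration date and SHA-256 fingerprint for comparison with the values noted in step 1 and on each HA peer, and fails if the certificate expires within a threshold. The function names, the 30-day default and the sample CN are assumptions; the only dependency is the standard openssl command line tool.

```shell
#!/bin/sh
# Added example: pre-import check for a renewed portal/gateway certificate file.
# Return codes: 0 ok, 2 not PEM, 3 unparsable, 4 expired or expiring too soon.
check_renewed_cert() {
    cert=$1
    min_days=${2:-30}   # assumed threshold, not a vendor-specified value

    # The Import dialog is set to "Base64 Encoded Certificate (PEM)", so a
    # DER-encoded download should be caught before it reaches the firewall.
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$cert"; then
        echo "FAIL: $cert is not PEM (Base64) encoded" >&2
        return 2
    fi

    # Print the fields to compare with the values noted in step 1 and with
    # what the firewall shows after the import.
    openssl x509 -in "$cert" -noout -subject -serial -enddate \
        -fingerprint -sha256 || return 3

    # -checkend exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout \
            -checkend $((min_days * 86400)) >/dev/null; then
        echo "FAIL: $cert expires within $min_days days" >&2
        return 4
    fi
    echo "OK: $cert is PEM and valid for more than $min_days days"
}

# Constructed sample only: a self-signed certificate for trying the check
# offline. It also writes a throwaway private key to <out.crt>.key.
make_sample_cert() {   # usage: make_sample_cert <out.crt> <days>
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" \
        -subj "/CN=gp.example.test" -days "$2" -out "$1" 2>/dev/null
}
```

For an HA pair, run the check once and compare the printed SHA-256 fingerprint against the certificate shown on each firewall after import to confirm both peers received the same file.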
