GlobalProtect
Replace an Expired GlobalProtect Portal or Gateway Certificate
Learn how to replace an expired GlobalProtect portal or gateway
certificate.
If your GlobalProtect portal or gateway certificate has expired or is about to
expire, you have several options to replace it.
For Prisma Access deployments, the portal and gateway certificates and their renewals
are managed automatically as part of the infrastructure, so you don't have to do
anything to replace an expired certificate.
If you're using third-party certificates for your portal or gateway, you will need
to manage and renew your certificates when they expire.
If the firewall is the certificate authority (CA) that issued the certificate for
your portal and gateways, the firewall replaces the expired certificate with a new
certificate that has the same attributes as the old certificate but with a different
serial number. From the web interface of the firewall that is hosting the portal or
gateway, renew the certificate and commit the changes to push the certificate to the
portal or the gateway.
For on-premises deployments that use SSL certificates issued by a third-party CA, you
must import the renewed certificate that you downloaded from your CA using the
following procedure:
- Note the name and expiration date of the portal or gateway certificate.
  - From the firewall that is hosting the gateway or portal with the expiring certificate, log on to the web interface.
  - Select Device > Certificate Management > Certificates.
  - Locate the certificate in the Device Certificates tab and note the name of the certificate and expiration date.
- Download the renewed certificate from your third-party CA. As an example, the following steps show how to download the renewed certificate from GoDaddy:
  - Log in to the godaddy.com portal.
  - Go to the Certificates tab.
  - Select the certificate and click Download.
  - In the Download Certificate window, for Server type, select Other and download the certificate in .crt format. The certificate is saved to your downloads folder.
- Import the downloaded certificate on the firewall that is hosting your portal or gateway. If you deployed two firewalls in an HA pair in an active/passive deployment, you must import the certificate on each firewall.
  - From the web interface, go to Device > Certificate Management > Certificates > Device Certificates > Import.
  - Enter the exact Certificate Name for the portal or gateway certificate that you're replacing.
  - For the Certificate File, browse to and select the certificate that you downloaded from the CA.
  - For the File Format, select Base64 Encoded Certificate (PEM).
  - Click OK. After the certificate has been imported, you will see the new expiration date for the certificate.
- Commit your changes to push the certificate to the portal or gateway.
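
Before the import step, the downloaded file can be checked on a workstation. The following script is an added example, not part of the vendor procedure: it confirms that the renewed file is Base64 (PEM) encoded, is valid for a minimum number of days, and carries the same subject and public key as the certificate it replaces. It assumes the `openssl` command-line tool, a PEM copy of the currently installed certificate, and a renewal issued for the existing key pair; the function and file names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not vendor code): sanity checks on a renewed certificate
# before importing it under the existing certificate name.
# Assumption: the renewal was issued for the existing key pair.

# Succeeds only if FILE is a Base64 (PEM) encoded X.509 certificate.
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
        openssl x509 -in "$1" -inform PEM -noout 2>/dev/null
}

# Succeeds if the certificate in FILE is still valid DAYS days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Succeeds if both certificates carry the same subject name.
same_subject() {
    [ "$(openssl x509 -in "$1" -noout -subject)" = \
      "$(openssl x509 -in "$2" -noout -subject)" ]
}

# Succeeds if both certificates carry the same public key.
same_public_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# precheck_renewed CURRENT RENEWED MIN_DAYS
# Prints one line per failed check; returns 0 only if every check passes.
precheck_renewed() {
    rc=0
    if ! is_pem_cert "$2"; then
        echo "FAIL: $2 is not PEM (convert DER with: openssl x509 -inform DER -in $2 -out renewed.pem)"
        return 1
    fi
    valid_for_days "$2" "$3" || { echo "FAIL: renewed certificate expires within $3 days"; rc=1; }
    same_subject "$1" "$2" || { echo "FAIL: subject differs from current certificate"; rc=1; }
    same_public_key "$1" "$2" || { echo "FAIL: public key differs from current certificate"; rc=1; }
    if [ "$rc" -eq 0 ]; then
        echo "OK: new expiry $(openssl x509 -in "$2" -noout -enddate | cut -d= -f2)"
    fi
    return "$rc"
}

# Stand-alone use: ./precheck.sh current.pem renewed.crt 30
if [ "$#" -eq 3 ]; then precheck_renewed "$@"; fi
```

A failed public key check means the renewed certificate was issued for a different key pair than the certificate being replaced.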