Replacing/Uploading Certificates
  • 24 May 2022

File Upload Issue
If you encounter an error when attempting to upload files through Panorama, please open an SMC ticket with the OSC for assistance.

Overview

By default, Expedient configures GlobalProtect using the expedient.com wildcard certificate. If preferred, a client can substitute their own certificate for the expedient.com wildcard. If a client chooses to use a non-Expedient managed certificate, it is the client's responsibility to manage that certificate. While Expedient may not manage the certificate, Expedient provides this documentation to assist clients with getting started on uploading and renewing their own certificates.

Prerequisites

The steps described in this document assume that the firewall hosting GlobalProtect has had the GlobalProtect Gateway & Portal configuration sections completed.

Process

You can use the following process to upload a first-time certificate or replace an existing one.

1. Navigate to the primary node firewall UI after successfully authenticating into fw.expedient.cloud.

2. Select Device > Certificate Management > Certificates > Device Certificates > Import

3. Import the appropriate certificate/key. In our example, we're importing the expedient.cloud certificate.

"Block Private Key Export" must be selected when configuring the certificate.

4. Create an SSL/TLS service profile using the certificate you've imported. Select Device > Certificate Management > SSL/TLS Service Profile > Add

"TLSv1.2" must be selected when configuring the certificate & SSL/TLS profile.

5. Apply the service profile to the GlobalProtect gateway. Select Network > GlobalProtect > Gateways > Click link for gateway > Authentication > Select appropriate SSL/TLS profile from Server Authentication drop-down > Click OK

6. Apply the service profile to the GlobalProtect portal. Select Network > GlobalProtect > Portals > Click link for portal > Authentication > Select appropriate SSL/TLS profile from Server Authentication drop-down > Click OK

7. Perform a firewall Commit operation to commit your changes.
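
After the commit, it is worth confirming from a client machine that the portal/gateway hostname now presents the certificate you imported and negotiates TLSv1.2 or later. The script below is an added example, not part of Expedient's or Palo Alto Networks' tooling. It assumes the imported PEM file lists the server (leaf) certificate first and that the client trusts the issuing CA; the function names and command-line arguments are hypothetical.

```python
import hashlib
import re
import socket
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)


def leaf_fingerprint(pem_text):
    """SHA-256 of the first certificate in a PEM file (assumption: leaf is first)."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no certificate block found in PEM input")
    der = ssl.PEM_cert_to_DER_cert(match.group(0))
    return hashlib.sha256(der).hexdigest()


def fetch_presented(host, port=443, timeout=5.0):
    """Handshake with chain and hostname validation; return (DER cert, TLS version)."""
    ctx = ssl.create_default_context()  # raises on an untrusted chain or name mismatch
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True), tls.version()


def evaluate(presented_der, negotiated, imported_pem):
    """Return a list of findings; an empty list means the replacement took effect."""
    findings = []
    if hashlib.sha256(presented_der).hexdigest() != leaf_fingerprint(imported_pem):
        findings.append("endpoint presents a different certificate than the one imported")
    if negotiated not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"negotiated {negotiated}, expected TLSv1.2 or later")
    return findings


if __name__ == "__main__":
    import sys
    # Arguments: the GlobalProtect portal/gateway FQDN and the PEM file that was imported.
    host, pem_path = sys.argv[1], sys.argv[2]
    with open(pem_path) as fh:
        pem = fh.read()
    der, version = fetch_presented(host)
    problems = evaluate(der, version, pem)
    print("OK" if not problems else "\n".join(problems))
    sys.exit(1 if problems else 0)
```

A handshake error from fetch_presented means the chain or hostname did not validate, which usually points to a missing intermediate certificate or a certificate that does not cover the portal name.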
