How to renew certificates using OCSP responder

Created On 07/22/21 15:58 PM - Last Modified 01/13/22 22:58 PM


Objective


This article explains how to renew a certificate when an OCSP responder is available.

 


Environment


  • Palo Alto Firewall or Panorama
  • PAN-OS 8.1 and above
  • OCSP certificate expired. 
  • OCSP responder configuration in place. 


Procedure


  1. Go to GUI: Device > Certificate Management > Certificates.
  2. Click the certificate that you want to renew.
  3. Click Generate.
  4. Certificate Name: enter exactly the same name as the certificate that you clicked.
  5. Common Name: enter the Host_Name or IP_Address.
  6. Signed by: External Authority (CSR).
  7. Certificate Attributes: Add the same information you added in the "Common Name" section.

Once the certificate is generated:
  1. Go to GUI: Device > Certificate Management > Certificates.
  2. Click Export Certificate to export the CSR that was just generated.
  3. Upload the CSR to the CA platform. Depending on the options the CA provides, this can be via email or a website platform. Contact your CA to confirm these details.

Once the CSR has been signed by the CA and received back:
  1. Go to GUI: Device > Certificate Management > Certificates.
  2. Import it by clicking Import in the Palo Alto Firewall (or Panorama).
  3. Enter exactly the same name as the certificate that you want to renew, browse for the CSR and click OK.
  4. The new certificate will update the old one and the Expiration date will be extended.
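
A pre-import check for the file returned by the CA, added here as an example and not part of the original article or of Palo Alto's tooling: run on an admin workstation, it confirms that the signed certificate carries the same public key as the exported CSR and that its validity is actually extended. It assumes PEM-encoded files and the openssl CLI; the function names, file names and the throwaway test CA are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: pre-import check of a CA-signed renewal certificate.
# Assumes PEM files and the openssl CLI; all names below are hypothetical.

# SHA-256 of the public key in a CSR ("req") or certificate ("x509").
key_hash() {  # usage: key_hash req|x509 <file>
  local pub
  pub=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$pub" ] || return 1
  printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# 0 = safe to import, 1 = wrong key or too little validity, 2 = unreadable.
check_renewal() {  # usage: check_renewal <csr> <signed-cert> <min_days>
  local want got
  want=$(key_hash req "$1") || { echo "cannot parse CSR $1" >&2; return 2; }
  got=$(key_hash x509 "$2") || { echo "cannot parse certificate $2" >&2; return 2; }
  if [ "$want" != "$got" ]; then
    echo "MISMATCH: $2 was not issued for the key in $1" >&2
    return 1
  fi
  if ! openssl x509 -in "$2" -noout -checkend "$(( $3 * 86400 ))" >/dev/null; then
    echo "EXPIRY: $2 is valid for less than $3 more days" >&2
    return 1
  fi
  openssl x509 -in "$2" -noout -subject -enddate   # shown for operator review
}

# Constructed sample data: a throwaway CA, two CSRs and the certificate issued
# for each. They stand in for the firewall's exported CSR and the CA's reply.
make_constructed_samples() {  # usage: make_constructed_samples <dir>
  local d n
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" \
    -out "$d/ca.pem" -subj "/CN=Constructed Test CA" -days 30 2>/dev/null
  for n in fw other; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" \
      -out "$d/$n.csr" -subj "/CN=$n.example.test" 2>/dev/null
    openssl x509 -req -in "$d/$n.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
      -set_serial 1 -days 365 -out "$d/$n.pem" 2>/dev/null
  done
}

# Run as: ./check_renewal.sh exported.csr signed.pem 300
if [ "$#" -eq 3 ]; then check_renewal "$@"; fi
```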


Additional Information


Note: When we generate a CSR for an existing certificate, the certificate turns yellow and its status changes to "Pending". This does not prevent any connection from working: if the certificate is still in "valid" status, it keeps working even though it shows "Pending."
