Deploy Shared Client Certificates for Authentication

To confirm that an endpoint user belongs to your organization, you can use the same client certificate for all endpoints or generate separate certificates to deploy with a particular agent configuration. Use this workflow to issue self-signed client certificates and deploy them from the portal.
If you include a client certificate in the portal configuration for mobile devices, you can only use client certificate authentication in the gateway configuration because the client certificate passphrase is saved in the portal configuration. Additionally, the client certificate can only be used after the certificate is retrieved from the portal configuration.
  1. Generate a certificate to deploy to multiple GlobalProtect endpoints.
    1. Select Device > Certificate Management > Certificates > Device Certificates, and then Generate a new certificate.
    2. Set the Certificate Type to Local (default).
    3. Enter a Certificate Name. This name cannot contain spaces.
    4. Enter a Common Name to identify this certificate as an app certificate (for example, GP_Windows_App). Because this certificate will be deployed to all apps using the same agent configuration, it does not need to uniquely identify a specific user or endpoint.
    5. In the Signed By field, select your root CA.
    6. Select an OCSP Responder to verify the revocation status of certificates.
    7. Click OK to generate the certificate.
  2. Configure authentication settings in a GlobalProtect portal agent configuration to enable the portal to transparently deploy the client certificate, which is Local to the firewall, to apps that receive the configuration.