Configure Certificate Selection in Prisma Access Agent
Configure certificate selection criteria in Prisma Access Agent to ensure proper user identification and enhance security policy enforcement.
Where Can I Use This? / What Do I Need?
  • Check the prerequisites for the deployment you're using
  • Minimum Prisma Access Agent version: 25.6.1
  • macOS, Windows, or Android devices
  • Contact your Palo Alto Networks account representative to activate the Prisma Access Agent feature
Certificate-based authentication in Prisma Access Agent provides a secure mechanism for verifying user identity, but requires precise certificate selection to maintain accurate User-ID™ mapping. By default, when a user certificate is unavailable, the agent might use a machine certificate, which can result in incorrect User-ID mapping where the device serial number is used instead of the actual username. This behavior can compromise policy rules that depend on accurate user identification.
The certificate selection feature allows administrators to define specific criteria for how Prisma Access Agent selects certificates during authentication. This ensures that the agent consistently chooses the correct certificate, leading to proper User-ID mapping and effective security policy enforcement.
There are two key components to understand when configuring certificate selection:
  • Certificate Store Filtering—Certificate store filtering determines where the agent searches for authentication certificates. On Windows, certificates can be stored in either the user's personal certificate store or the local machine's certificate store. On macOS, certificates are stored in the login and system keychains, with a similar separation between user and system. The agent can search exclusively in the user store, exclusively in the machine store, or search first in the user store and then fall back to the machine store if needed.
  • Extended Key Usage (EKU) OID Filtering—Extended Key Usage (EKU) OID filtering provides additional granularity by enabling you to specify which certificate purposes are valid for authentication. Every certificate includes information about its intended use through OIDs (Object Identifiers). By specifying particular EKU OIDs, you can ensure the agent only selects certificates that were issued for specific purposes, such as client authentication or smart card login.
When the agent needs to authenticate, it follows the configured store preference and EKU filtering criteria to select the appropriate certificate. If multiple valid certificates are found, end users will see a pop-up with the list of certificates that match the EKU OID filter and store. The users will need to select a certificate to continue. Be sure to distribute only a single certificate so the authentication experience is seamless for the user. In pre-logon scenarios, the agent always uses the machine store regardless of the configured preference, as the user context is not yet available.
Currently, you can configure this feature only in the Prisma Access Agent deployment configuration file (config.json).
Interaction with SAML Authentication
For each authentication method configured in Prisma Access Agent, the certificate selection behavior will interact with Security Assertion Markup Language (SAML) authentication in distinct ways. Here's how each method works:
  • Client Certificate OR SAML—With this authentication method, the agent first attempts certificate-based authentication. If successful, the user is granted access without needing to provide SAML credentials. If certificate authentication fails (either because no valid certificate is found according to the configured criteria, or the certificate validation fails), the agent automatically falls back to SAML authentication, prompting the user for credentials.
  • Client Certificate AND SAML—This method implements multifactor authentication by requiring both certificate validation and SAML authentication. The agent first validates the user's certificate according to the configured criteria, and then prompts the user to complete the SAML authentication process. Both authentication methods must succeed for the user to be granted access. If certificate authentication fails due to no valid certificate being found, the entire authentication process fails, and an error message is displayed to the user.
  • Client Certificate—With this method, only certificate-based authentication is accepted. The agent attempts to locate and validate a certificate according to the configured certificate store and EKU OID criteria. If a valid certificate is found and validated, the user is granted access. If no valid certificate is found or certificate validation fails, the authentication fails completely, and the user is shown an appropriate error message. No fallback to other authentication methods is provided.
In all these authentication methods, the certificate selection process follows the configured client_cert_lookup_store setting (user, machine, or user_then_machine) and applies any configured EKU OID filtering criteria to determine which certificates are valid for authentication.
Certificate Selection Notes
  • These configurations are applied during the initial deployment of Prisma Access Agent and are used for certificate authentication.
  • The settings enabled through the config.json file are preserved upon reboot, restart, and agent upgrade.
  • In pre-logon scenarios, the client_cert_lookup_store configuration is ignored, and the agent only uses the "Machine Store" for certificate lookup. However, the client_cert_eku_oid_list configuration is still applied.
  • If client_cert_eku_oid_list is not specified, the agent defaults to using only certificates with the Client Authentication OID (1.3.6.1.5.5.7.3.2).
  • When end users Sign Out of the agent under the hamburger menu in the Prisma Access Agent app, the certificate selection information in the Prisma Access Agent Manager server is reset to the default value. If the user signs in to the same server or a different server, default certificate selection takes place.
To configure the certificate selection:
  1. Edit the configuration file (config.json) to be used for the deployment of Prisma Access Agent.
  2. Add or modify the following parameters within the JSON structure:
    • Client Certificate Lookup Store
      • Parameter Name: client_cert_lookup_store
      • Possible Values:
        • user—Agent searches only in the certificate store of the currently logged-in user
        • machine—Agent searches only in the local machine's certificate store
        • user_then_machine—Agent searches first in the user store, then in the machine store if no certificate is found (Default)
    • Extended Key Usage (EKU) OIDs for Client Certificate
      • Parameter Name: client_cert_eku_oid_list
      • Value Format: Comma-separated OID strings. The value can be empty, a single OID, or a list of OIDs.
      • Common OIDs:
        • Client Authentication (1.3.6.1.5.5.7.3.2) (Default if not specified)
        • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
        • Any Extended Key Usage (2.5.29.37.0)
        • IPSec End System (1.3.6.1.5.5.7.3.5)
        • IPSec Tunnel (1.3.6.1.5.5.7.3.6)
        • IPSec User (1.3.6.1.5.5.7.3.7)
        • OCSP Signing (1.3.6.1.5.5.7.3.9)
    Example Configurations:
    To search only in the user store for certificates with Client Authentication, Server Authentication, and OCSP Signing OIDs:
    {
         "server_url": "xxxxx.epm.gpcloudservice.com",
         "tenant_id": "xxxxxxxxxx",
         "unload_gp": true,
         "client_cert_lookup_store": "user",
         "client_cert_eku_oid_list": [
              "1.3.6.1.5.5.7.3.2",
              "1.3.6.1.5.5.7.3.1",
              "1.3.6.1.5.5.7.3.9"
         ]
    }
    To search only in the machine store for certificates with the Client Authentication OID:
    {
         "server_url":"xxxxx.epm.gpcloudservice.com",
         "tenant_id":"xxxxxxxxxx",
         "unload_gp":true,
         "client_cert_lookup_store" : "machine",
         "client_cert_eku_oid_list": ["1.3.6.1.5.5.7.3.2"]
    }
    To search first in the user store and then the machine store for certificates with the Client Authentication OID (default for unspecified client_cert_eku_oid_list value):
    {
         "server_url":"xxxxx.epm.gpcloudservice.com",
         "tenant_id":"xxxxxxxxxx",
         "unload_gp":true,
         "client_cert_lookup_store" : "user_then_machine",
         "client_cert_eku_oid_list": []
    }
  3. Save the config.json file and deploy it along with the Prisma Access Agent.
  4. Monitor the certificate activity by reviewing the Prisma Access Agent logs on the endpoints.
    The agent logs activity in the PAS.log file on Windows. On macOS, the activity is logged in the PAS.log and PAUI.log files. The agent stores the following information in the logs:
    • Certificate lookup store and EKU OIDs configured in config.json
    • Whether the certificate selection passed or failed
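To make the selection rules described above concrete (store preference, the EKU filter with its Client Authentication default, the pre-logon machine-store override, and the single-match, multiple-match and no-match outcomes), the following is an added Python model; it is not part of Prisma Access Agent or this documentation. It reads the two keys from a config.json string and runs them over constructed certificate stores; the store contents, subject names and the exact-OID matching rule are assumptions.

```python
import json

CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2"  # default filter when client_cert_eku_oid_list is absent or empty

# Constructed sample stores (not real certificates): a subject plus the EKU OIDs each cert carries.
USER_STORE = [
    {"subject": "CN=alice@example.com", "eku": ["1.3.6.1.5.5.7.3.2"]},       # Client Authentication
    {"subject": "CN=alice-smartcard", "eku": ["1.3.6.1.4.1.311.20.2.2"]},   # Smart Card Logon
]
MACHINE_STORE = [
    {"subject": "CN=LAPTOP-SN-0001", "eku": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.1"]},
]


def parse_selection_config(config_json):
    """Extract the two selection keys from a config.json string, applying the documented defaults."""
    cfg = json.loads(config_json)
    store = cfg.get("client_cert_lookup_store", "user_then_machine")
    if store not in ("user", "machine", "user_then_machine"):
        raise ValueError("unsupported client_cert_lookup_store: %r" % store)
    # An absent or empty list means only Client Authentication certificates are eligible.
    allowed = list(cfg.get("client_cert_eku_oid_list") or [CLIENT_AUTH_OID])
    return store, allowed


def select_certificates(store_pref, allowed_oids, user_store, machine_store, pre_logon=False):
    """Return the certificates the agent would consider, honouring store preference and EKU filter."""
    if pre_logon:
        store_pref = "machine"  # no user context yet, so the configured preference is ignored
    search_order = {
        "user": [user_store],
        "machine": [machine_store],
        "user_then_machine": [user_store, machine_store],
    }[store_pref]
    for store in search_order:
        # Assumption: a certificate qualifies when at least one of its EKU OIDs is in the filter list.
        found = [c for c in store if any(oid in allowed_oids for oid in c["eku"])]
        if found:
            return found  # fall back to the next store only when this one yields nothing
    return []


def outcome(candidates):
    """Map the candidate list onto the user-visible result the documentation describes."""
    if not candidates:
        return "fail"      # no valid certificate: auth fails (or falls back to SAML for 'Client Certificate OR SAML')
    if len(candidates) == 1:
        return "selected"  # exactly one match is used without prompting
    return "prompt"        # several matches: the user sees a pop-up and must pick one
```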