CA Certificate Requirements for Endpoint Manager Enrollment
Learn which CA certificates your endpoints must trust before the Prisma Access Agent
can enroll with the Endpoint Manager.
| Where Can I Use This? | What Do I Need? |
|---|---|
| Prisma Access (Managed by Strata Cloud Manager) | Check the prerequisites for the deployment you're using |
| Prisma Access (Managed by Panorama) | Windows, macOS, or Linux desktop devices |
| | Contact your Palo Alto Networks account representative to activate the Prisma Access Agent feature |
The Endpoint Manager is the service that manages enrollment, authentication,
and communication for Prisma Access Agent endpoints. For the Prisma Access
Agent to authenticate and enroll with the Endpoint Manager, it must be able to
validate the Endpoint Manager's certificate chain, which means your endpoints
must have the Go Daddy Root Certificate Authority - G2 certificate installed as
a trusted root certificate. If this certificate is missing from the trust
store, Endpoint Manager enrollment fails.
Most operating systems include this certificate in their default trusted root
store. However, you may need to distribute it yourself in the following
scenarios:
- Windows endpoints where automatic root certificate updates are
blocked — Windows uses an on-demand mechanism to load root
certificates from the Microsoft Certificate Trust List (CTL). This
mechanism fails when:
- No internet access — Endpoints in private networks or
behind firewall rules that restrict outbound access to Windows
Update endpoints cannot retrieve root certificates
automatically.
    - Group Policy (GPO) restrictions — Environments where the
      Turn off Automatic Root Certificates Update policy is enabled
      require administrators to distribute certificates through Group
      Policy or MDM.
- Internal update servers (WSUS) — Endpoints pointed to an
internal WSUS server cannot fetch root certificates from the public
internet unless the WSUS server syncs the Root Certificates
category.
- Linux endpoints — Linux distributions do not always include the Go
Daddy Root CA in their default trusted certificate bundle.
- ESXi and cloud-based virtual machine (VM) endpoints — Cloud and
virtualized endpoints are often provisioned with a minimal root certificate
store and may not include the Go Daddy Root CA.
Install the following certificates on affected endpoints before deploying the
Prisma Access Agent. Obtain them from Go Daddy's certificate repository
(https://certs.godaddy.com/repository) and compare the SHA-256 fingerprint
(the SHA-256 digest of the DER-encoded certificate) against the values below
before importing; a fingerprint mismatch means you have the wrong file.
- Go Daddy Root Certificate Authority - G2 (root CA) — import into the trusted
  root store.
  SHA-256: 45140B3247EB9CC8C5B4F0D7B53091F73292089E6E5A63E2749DD3ACA9198EDA
- Go Daddy Secure Certificate Authority - G2 (intermediate CA) — import into
  the intermediate CA store, not the trusted root store, so that trust still
  anchors on the root.
  SHA-256: 973A41276FFD01E027A2AAD49E34C37846D3E976FF6A620B6712E33832041AA6
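The following script is an added example, not Palo Alto Networks code, that checks an endpoint before you deploy the agent: it enumerates the certificates in the local trust store and reports which of the two Go Daddy CAs above are missing, matching by SHA-256 fingerprint over the DER encoding. On Windows it reads the ROOT and CA stores through CryptoAPI (ssl.enum_certificates); on Linux it parses the distribution's PEM bundle, whose path is an assumption you may need to adjust; on macOS it only sees OpenSSL's bundle, not the System Keychain, so treat a "missing" result there as inconclusive. The SAMPLE_DERS bundle is constructed test data, not real certificates.

```python
"""Check whether the Go Daddy CA certificates required for Endpoint Manager
enrollment are present in the local trust store (added example, stdlib only)."""
import base64
import hashlib
import platform
import ssl
from pathlib import Path

# Expected SHA-256 fingerprints (SHA-256 over the DER encoding), from the page.
EXPECTED = {
    "Go Daddy Root Certificate Authority - G2":
        "45140B3247EB9CC8C5B4F0D7B53091F73292089E6E5A63E2749DD3ACA9198EDA",
    "Go Daddy Secure Certificate Authority - G2":
        "973A41276FFD01E027A2AAD49E34C37846D3E976FF6A620B6712E33832041AA6",
}

# Assumed bundle locations; adjust for your distribution.
LINUX_BUNDLES = [
    "/etc/ssl/certs/ca-certificates.crt",   # Debian/Ubuntu
    "/etc/pki/tls/certs/ca-bundle.crt",     # RHEL/Fedora
    "/etc/ssl/ca-bundle.pem",               # SUSE
]


def normalize_fingerprint(fp):
    """Accept 'AB:CD:..', 'ab cd ..' or bare hex and return uppercase bare hex."""
    return "".join(ch for ch in fp if ch.isalnum()).upper()


def der_fingerprint(der):
    """SHA-256 fingerprint of a DER-encoded certificate, uppercase hex."""
    return hashlib.sha256(der).hexdigest().upper()


def pem_to_ders(pem_text):
    """Split a PEM bundle into DER blobs, one per CERTIFICATE block."""
    ders, body, inside = [], [], False
    for line in pem_text.splitlines():
        line = line.strip()
        if line == "-----BEGIN CERTIFICATE-----":
            inside, body = True, []
        elif line == "-----END CERTIFICATE-----":
            inside = False
            ders.append(base64.b64decode("".join(body)))
        elif inside:
            body.append(line)
    return ders


def system_ders():
    """Collect trusted CA certificates from the platform store."""
    if platform.system() == "Windows":
        ders = []
        for store in ("ROOT", "CA"):   # trusted roots and intermediates
            for cert, enc, _trust in ssl.enum_certificates(store):
                if enc == "x509_asn":  # skip PKCS#7 blobs
                    ders.append(cert)
        return ders
    for path in LINUX_BUNDLES:
        if Path(path).is_file():
            return pem_to_ders(Path(path).read_text())
    # Fallback (macOS or unknown layout): whatever OpenSSL loaded by default.
    return ssl.create_default_context().get_ca_certs(binary_form=True)


def missing_cas(ders, expected=EXPECTED):
    """Return the names of expected CAs whose fingerprint is not in ders."""
    present = {der_fingerprint(d) for d in ders}
    return [name for name, fp in expected.items()
            if normalize_fingerprint(fp) not in present]


# Constructed sample data (not real certificates) for offline self-checking.
SAMPLE_DERS = [b"constructed certificate one", b"constructed certificate two"]
SAMPLE_BUNDLE = "".join(
    "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
    % base64.b64encode(d).decode() for d in SAMPLE_DERS)


if __name__ == "__main__":
    missing = missing_cas(system_ders())
    if missing:
        print("Enrollment prerequisite NOT met; missing CA certificates:")
        for name in missing:
            print("  -", name)
        raise SystemExit(1)
    print("All required Go Daddy CA certificates are trusted on this endpoint.")
```

Run it as part of your pre-deployment checks; a non-zero exit from the script on a Windows endpoint is a good indicator that one of the scenarios above (blocked automatic root updates, WSUS without the Root Certificates category) applies and the certificates must be pushed by GPO or MDM.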