>
    Strata Copilot
    Deploy Shared Client Certificates for Authentication
    Focus
    Download PDF
    Focus
    1. Home
    2. GlobalProtect
    3. GlobalProtect Administrator's Guide
    4. GlobalProtect User Authentication
    5. Set Up Client Certificate Authentication
    6. Deploy Shared Client Certificates for Authentication
    Download PDF
    GlobalProtect

    Deploy Shared Client Certificates for Authentication

    Table of Contents

    Deploy Shared Client Certificates for Authentication

    Deploy shared client certificates for GlobalProtect user authentication by generating self-signed certificates and configuring authentication settings in a GlobalProtect portal agent configuration.
    Where Can I Use This?What Do I Need?
    • NGFW (managed by Panorama or Strata Cloud Manager)
    • Prisma Access (managed by Panorama or Strata Cloud Manager)
    • GlobalProtect Gateway license or Prisma Access license with the Mobile User subscription
    To confirm that an endpoint user belongs to your organization, you can use the same client certificate for all endpoints or generate separate certificates to deploy with a particular agent configuration. Use this workflow to issue self-signed client certificates and deploy them from the portal.
    If you include a client certificate in the portal configuration for mobile devices, you can only use client certificate authentication in the gateway configuration because the client certificate passphrase is saved in the portal configuration. Additionally, the client certificate can only be used after the certificate is retrieved from the portal configuration.
    1. Generate a certificate to deploy to multiple GlobalProtect endpoints.
      1. Create the root CA certificate for issuing self-signed certificates for the GlobalProtect components.
      2. Select DeviceCertificate ManagementCertificatesDevice Certificates, and then Generate a new certificate.
      3. Set the Certificate Type to Local (default).
      4. Enter a Certificate Name. This name cannot contain spaces.
      5. Enter a Common Name to identify this certificate as an app certificate (for example, GP_Windows_App). Because this certificate will be deployed to all apps using the same agent configuration, it does not need to uniquely identify a specific user or endpoint.
      6. In the Signed By field, select your root CA.
      7. Select an OCSP Responder to verify the revocation status of certificates.
      8. Click OK to generate the certificate.
    2. Set Up Two-Factor Authentication.
      Configure authentication settings in a GlobalProtect portal agent configuration to enable the portal to transparently deploy the client certificate, which is Local to the firewall, to apps that receive the configuration.

    © 2026 Palo Alto Networks, Inc. All rights reserved.