GlobalProtect Certificate Best Practices

The following table summarizes the SSL/TLS certificates you will need, depending on which features you plan to use:
GlobalProtect Certificate Requirements

CA certificate
  Usage: Used to sign certificates issued to the GlobalProtect components.
  Issuing process/best practices:
  • If you plan to use self-signed certificates, a best practice is to generate a CA certificate on the portal and then use that certificate to issue the required GlobalProtect certificates.

Portal server certificate
  Usage: Enables GlobalProtect agents and apps to establish an HTTPS connection with the portal.
  Issuing process/best practices:
  • This certificate is identified in an SSL/TLS service profile. You assign the portal server certificate by selecting its associated service profile in a portal configuration.
  • Use a certificate from a well-known, third-party CA. This is the most secure option and ensures that the user endpoints can establish a trust relationship with the portal without requiring you to deploy the root CA certificate.
  • If you do not use a well-known, public CA, you should export the root CA certificate that was used to generate the portal server certificate to all endpoints that run the GlobalProtect agent or application. Exporting this certificate prevents the end users from seeing certificate warnings during the initial portal login.
  • The Common Name (CN) and, if applicable, the Subject Alternative Name (SAN) fields of the certificate must match the IP address or FQDN of the interface that hosts the portal.
  • In general, a portal must have its own server certificate. However, if you are deploying a single gateway and portal on the same interface for basic VPN access, you must use the same certificate for both the gateway and the portal.
  • If you configure a gateway and portal on the same interface, we also recommend that you use the same certificate profile and SSL/TLS service profile for both the gateway and portal. If they do not use the same certificate profile and SSL/TLS service profile, the gateway configuration takes precedence over the portal configuration during the SSL handshake.

Gateway server certificate
  Usage: Enables GlobalProtect agents and apps to establish an HTTPS connection with the gateway.
  Issuing process/best practices:
  • This certificate is identified in an SSL/TLS service profile. You assign the gateway server certificate by selecting its associated service profile in a gateway configuration.
  • Generate a CA certificate on the portal and use that CA certificate to generate all gateway certificates.
  • The CN and, if applicable, the SAN fields of the certificate must match the FQDN or IP address of the interface where you plan to configure the gateway.
  • The portal distributes the gateway root CA certificates to agents in the client configuration, so the gateway certificates do not need to be issued by a public CA.
  • In general, each gateway must have its own server certificate. However, if you are deploying a single gateway and portal on the same interface for basic VPN access, you must use a single server certificate for both components. As a best practice, use a certificate that a public CA signed.
  • If you configure a gateway and portal on the same interface, we also recommend that you use the same certificate profile and SSL/TLS service profile for both the gateway and portal. If they do not use the same certificate profile and SSL/TLS service profile, the gateway configuration takes precedence over the portal configuration during the SSL handshake.

(Optional) Client certificate
  Usage: Used to enable mutual authentication when establishing an HTTPS session between the GlobalProtect agents and the gateways/portal. This ensures that only devices with valid client certificates are able to authenticate and connect to the network.
  Issuing process/best practices:
  • For simplified deployment of client certificates, configure the portal to deploy the client certificate to the agents upon successful login using either of the following methods:
    • Use a single client certificate across all GlobalProtect agents that receive the same configuration. You assign the Local client certificate by uploading the certificate to the portal and selecting it in a portal agent configuration.
    • Use Simple Certificate Enrollment Protocol (SCEP) to enable the GlobalProtect portal to deploy unique client certificates to your GlobalProtect agents. You enable this by configuring a SCEP profile and then selecting that profile in a portal agent configuration.
  • Use one of the following supported digest algorithms when you generate client certificates for GlobalProtect endpoints: sha1, sha256, or sha384. sha512 is not supported with client certificates.
  • You can use other mechanisms to deploy unique client certificates to each client system for use in authenticating the end user.
  • Consider testing your configuration without the client certificate first, and then add the client certificate after you are sure that all other configuration settings are correct.

(Optional) Machine certificates
  Usage: A machine certificate is a client certificate that is issued to a device. Each machine certificate identifies the device in the subject field (for example, CN=laptop1.example.com) instead of a user. The certificate ensures that only trusted endpoints can connect to gateways or the portal. Machine certificates are required for users whose connect method is pre-logon, which enables GlobalProtect to establish a VPN tunnel before the user logs in.
  Issuing process/best practices:
  • Use one of the following supported digest algorithms when you generate client certificates for GlobalProtect endpoints: sha1, sha256, or sha384. sha512 is not supported with client certificates.
  • If you plan to use the pre-logon feature, use your own PKI infrastructure to deploy machine certificates to each client system before enabling GlobalProtect access. This approach is important for ensuring security, because the tunnel is established before any user has authenticated.
    For more information, see Remote Access VPN with Pre-Logon.
For details about the types of keys for secure communication between the GlobalProtect endpoint and the portals and gateways, see Reference: GlobalProtect Agent Cryptographic Functions.
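The following script is an added example, not part of the GlobalProtect documentation: it uses the openssl CLI to build a lab CA, issue a gateway server certificate whose SAN matches the gateway FQDN and two client certificates, and then checks the two properties the table calls out, the CN/SAN match and the supported client-certificate digest. The CA name and the FQDN gw1.example.com are constructed values; the openssl binary is assumed to be installed.

```bash
#!/bin/sh
# Constructed lab: CA -> gateway server cert + client certs, then the checks the
# table requires (name matches FQDN; client digest is sha1/sha256/sha384).
set -eu
WORK=$(mktemp -d)
CA_CN="GlobalProtect Lab CA"      # constructed: stands in for the CA generated on the portal
GW_FQDN="gw1.example.com"        # constructed: FQDN of the interface hosting the gateway

# Self-signed CA key pair; this is the root that would be distributed to endpoints.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
  -subj "/CN=$CA_CN" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# issue_cert NAME SUBJECT_CN DIGEST [SAN_DNS]: key + CSR + certificate signed by the lab CA.
issue_cert() {
  ext="$WORK/$1.ext"
  printf 'basicConstraints=CA:FALSE\n' > "$ext"
  [ -z "${4:-}" ] || printf 'subjectAltName=DNS:%s\n' "$4" >> "$ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req "-$3" -days 365 -in "$WORK/$1.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$ext" -out "$WORK/$1.crt" 2>/dev/null
}

# check_hostname CERT FQDN: succeeds only if CERT chains to the lab CA and its
# SAN (or CN, when no SAN is present) matches the FQDN the endpoint connects to.
check_hostname() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# check_client_digest CERT: succeeds only if the signature digest is sha1, sha256
# or sha384, the algorithms the table lists as supported for client certificates.
check_client_digest() {
  alg=$(openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1)
  case "$alg" in
    sha1*|sha256*|sha384*) return 0 ;;
    *) echo "unsupported client certificate digest: $alg" >&2; return 1 ;;
  esac
}

issue_cert gw     "$GW_FQDN" sha256 "$GW_FQDN"   # correct: SAN matches the gateway FQDN
issue_cert badgw  "gateway"  sha256              # wrong: CN is not the FQDN and no SAN
issue_cert client "user1"    sha256              # supported digest
issue_cert cli512 "user2"    sha512              # not supported for client certificates

check_hostname "$WORK/gw.crt" "$GW_FQDN" && echo "gw.crt: name matches $GW_FQDN"
check_hostname "$WORK/badgw.crt" "$GW_FQDN" || echo "badgw.crt: name does not match $GW_FQDN"
check_client_digest "$WORK/client.crt" && echo "client.crt: digest supported"
check_client_digest "$WORK/cli512.crt" 2>/dev/null || echo "cli512.crt: digest rejected"
```

The same two checks can be run against a certificate exported from a firewall before it is bound to an SSL/TLS service profile, substituting the real CA bundle and the portal or gateway FQDN.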