Deploy Shared Client Certificates for Authentication

To confirm that an endpoint user belongs to your organization, you can use the same client certificate for all endpoints or generate separate certificates to deploy with a particular agent configuration. Use this workflow to issue self-signed client certificates for this purpose and deploy them from the portal.
  1. Generate a certificate to deploy to multiple GlobalProtect clients.
    1. Create the root CA certificate for issuing self-signed certificates for the GlobalProtect components.
    2. Select DeviceCertificate ManagementCertificatesDevice Certificates and then click Generate.
    3. Use the Local certificate type (the default).
    4. Enter a Certificate Name. This name cannot contain spaces.
    5. In the Common Name field enter a name to identify this certificate as an agent certificate, for example GP_Windows_clients. Because this same certificate will be deployed to all agents using the same configuration, it does not need to uniquely identify a specific user or endpoint.
    6. In the Signed By field, select your root CA.
    7. Select an OCSP Responder to verify the revocation status of certificates.
    8. Click OK to generate the certificate.
  2. Set Up Two-Factor Authentication.
    Configure authentication settings in a GlobalProtect portal agent configuration to enable the portal to transparently deploy the client certificate that is Local to the firewall to clients that receive the configuration.

Related Documentation