GlobalProtect Certificate Best Practices
The following table summarizes the SSL/TLS certificates you will need, depending on which features you plan to use:
| Certificate | Usage | Issuing Process/Best Practices |
|---|---|---|
| CA certificate | Used to sign certificates issued to the GlobalProtect components. | If you plan on using self-signed certificates, we recommend that you generate a CA certificate on the portal, and then use that certificate to issue the required GlobalProtect certificates. |
| Portal server certificate | Enables GlobalProtect apps to establish an HTTPS connection with the portal. | |
| Gateway server certificate | Enables GlobalProtect apps to establish an HTTPS connection with the gateway. | |
| (Optional) Client certificate | Used to enable mutual authentication when establishing an HTTPS session between the GlobalProtect apps and the gateways/portal. This ensures that only endpoints with valid client certificates are able to authenticate and connect to the network. | |
| (Optional) Machine certificates | A machine certificate is a client certificate that is issued to an endpoint. Each machine certificate identifies the endpoint in the subject field (for example, CN=laptop1.example.com) instead of the user. The certificate ensures that only trusted endpoints can connect to gateways or the portal. | Machine certificates are required for users configured with the pre-logon connect method. |

Table: GlobalProtect Certificate Requirements
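The table above recommends one CA that issues every GlobalProtect certificate, server certificates for the portal and gateways, and client (machine) certificates for endpoints. The script below is an added example, not Palo Alto Networks' tooling or the on-portal certificate generator the table describes: it builds the same hierarchy off-box with openssl so you can see what each certificate must carry. The hostnames (gp.example.com, gw1.example.com, laptop1.example.com), the key sizes and lifetimes, and the working directory are assumed placeholders. Server certificates get the FQDN in the SAN and a serverAuth EKU; the machine certificate gets a clientAuth EKU and the endpoint name in the subject, as the table specifies. The final check uses `openssl verify -purpose` to confirm that each leaf chains to the CA and is usable only for its intended role, which is the kind of check worth running before importing certificates into the portal or gateway.

```shell
#!/bin/sh
# Added example (not Palo Alto Networks' own tooling): build a private CA with
# openssl, issue portal/gateway server certificates and a machine (client)
# certificate from it, and verify each leaf against the CA for its role.
# Every hostname below is an assumed placeholder.
set -eu

WORK="${GP_CERT_DIR:-$(mktemp -d)}"
CA_KEY="$WORK/ca.key"
CA_CRT="$WORK/ca.crt"

# Self-contained openssl config so the CA extensions do not depend on the
# system openssl.cnf: a CA:TRUE basic constraint and certificate-signing key usage.
make_ca() {
  printf '[req]\ndistinguished_name = dn\nx509_extensions = ca_ext\n[dn]\n[ca_ext]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
    > "$WORK/ca.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/ca.cnf" -subj "/CN=GlobalProtect Lab CA" \
    -keyout "$CA_KEY" -out "$CA_CRT" >/dev/null 2>&1
}

# issue_cert NAME CN ROLE
#   ROLE=server -> portal/gateway certificate: FQDN in SAN, serverAuth EKU
#   ROLE=client -> client/machine certificate: endpoint name in subject, clientAuth EKU
issue_cert() {
  name=$1; cn=$2; role=$3
  ext="$WORK/$name.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
  if [ "$role" = server ]; then
    # Apps validate the hostname they connect to against the SAN, not the CN.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\nbasicConstraints=CA:FALSE\n' "$cn" > "$ext"
  else
    printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\nbasicConstraints=CA:FALSE\n' > "$ext"
  fi
  openssl x509 -req -in "$WORK/$name.csr" -CA "$CA_CRT" -CAkey "$CA_KEY" \
    -CAcreateserial -days 365 -sha256 -extfile "$ext" \
    -out "$WORK/$name.crt" >/dev/null 2>&1
}

# verify_cert NAME ROLE: prints "ok" when the leaf chains to the CA and its
# key usage/EKU allow the given role (sslserver or sslclient), else "fail".
verify_cert() {
  name=$1; role=$2
  if [ "$role" = server ]; then purpose=sslserver; else purpose=sslclient; fi
  if openssl verify -CAfile "$CA_CRT" -purpose "$purpose" "$WORK/$name.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Build the hierarchy from the table: one CA, portal and gateway server
# certificates, and one machine certificate identifying the endpoint.
make_ca
issue_cert portal  gp.example.com      server
issue_cert gateway gw1.example.com     server
issue_cert laptop1 laptop1.example.com client

echo "CA and issued certificates written to $WORK"
echo "portal  (server role): $(verify_cert portal server)"
echo "gateway (server role): $(verify_cert gateway server)"
echo "laptop1 (client role): $(verify_cert laptop1 client)"
echo "laptop1 (server role): $(verify_cert laptop1 server)"
```

Run it with `sh` on a host that has openssl; set `GP_CERT_DIR` to choose where the files land. The last line intentionally reports `fail`: a machine certificate carrying only a clientAuth EKU is rejected for the server role, which is the property that keeps an endpoint certificate from being presented as a portal or gateway identity. The CA certificate (`ca.crt`) is what you would distribute to endpoints as the trust anchor, while the keys never leave the host that issued them.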
For details about the types of keys for secure communication between the GlobalProtect endpoint and the portals and gateways, see Reference: GlobalProtect App Cryptographic Functions.