With certificate authentication, the user
must present a valid client certificate that identifies them to
the GlobalProtect portal or gateway. To verify that a client certificate
is valid, the portal or gateway checks if the client holds the private
key of the certificate by using the Certificate Verify message exchanged during
the SSL handshake. In addition, the client certificate is signed
by the certificate authority (CA) specified in the Issuer field
of the certificate chain. In addition to the certificate itself,
the portal or gateway can use a certificate profile to determine
whether the user that sent the certificate is the user to which
the certificate was issued.
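
The three checks described above, reproduced offline with the openssl CLI as an added example (not GlobalProtect's own code or configuration). The demo CA, the user "alice", the file names, and the choice of Subject CN as the identity field are constructed assumptions.

```shell
#!/bin/sh
# Added illustration using the openssl CLI. The demo CA, the user "alice" and
# the use of Subject CN as the username field are constructed assumptions.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

setup_pki() {
  # Trusted CA plus a client certificate it issued to CN=alice
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=alice" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/client.crt" 2>/dev/null
  # Self-signed certificate that also claims CN=alice but has no trusted issuer
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=alice" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" 2>/dev/null
}

# Check 1: the certificate chains to the trusted CA.
chain_ok() {
  openssl verify -CAfile "$WORK/ca.crt" "$1" 2>/dev/null | grep -q ': OK$'
}

# Check 2: the peer signs fresh data and the signature verifies under the
# certificate's public key (the role Certificate Verify plays in the handshake).
possession_ok() {  # $1 = presented certificate, $2 = key the peer signs with
  openssl rand -hex 32 > "$WORK/nonce"
  openssl dgst -sha256 -sign "$2" -out "$WORK/sig" "$WORK/nonce"
  openssl x509 -in "$1" -pubkey -noout > "$WORK/pub.pem"
  openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$WORK/sig" \
    "$WORK/nonce" >/dev/null 2>&1
}

# Check 3: read the identity the certificate was issued to (Subject CN here).
cert_user() {
  openssl x509 -in "$1" -noout -subject -nameopt multiline |
    sed -n 's/^ *commonName *= *//p'
}

setup_pki
chain_ok "$WORK/client.crt" && echo "issued cert: chain trusted"
chain_ok "$WORK/rogue.crt" || echo "self-signed cert: chain rejected"
possession_ok "$WORK/client.crt" "$WORK/client.key" && echo "holder: key proven"
possession_ok "$WORK/client.crt" "$WORK/rogue.key" || echo "copied cert: no key"
echo "certificate user: $(cert_user "$WORK/client.crt")"
```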