Enable Certificate Selection Based on OID

Where Can I Use This?	What Do I Need?
NGFW (managed by Panorama or Strata Cloud Manager) Prisma Access (managed by Panorama or Strata Cloud Manager)	GlobalProtect Gateway license or Prisma Access license with the Mobile User subscription

If you deploy multiple certificates to your end user devices for distinct use cases--for example machine certificates, user certificates, and email encryption certificates all issued by the same certificate authority--it can be difficult to distinguish which certificate to use in which use case. To help with this, you can designate a specific object identifier (OID) that you want GlobalProtect to use to identify which certificate to use. This simplifies and improves the certificate selection process when your macOS or Windows endpoints have multiple certificates installed.

An OID is a numeric value that identifies the application or service for which a certificate is used. When the certificate authority (CA) creates the certificate, the CA automatically includes the OID in the Enhanced Key Usage field.

When you create the certificate, you can specify the OID to identify the certificate’s purpose. By default, GlobalProtect automatically filters the certificates for those that specify a Client Authentication purpose (OID 1.3.6.1.5.5.7.3.2) so it is not necessary to specify the OID associated with Client Authentication. However, if you want to use a different OID to distinguish the certificate you want GlobalProtect to select, you can specify a different certificate usage when you create the certificate and then instruct GlobalProtect to select the certificate with the corresponding OID. Some of the most commonly used OIDs are:

• 1.3.6.1.5.5.7.3.1—Server Authentication
• 1.3.6.1.5.5.7.3.3—Code Signing
• 1.3.6.1.5.5.7.3.4—Email Protection
• 1.3.6.1.5.5.7.3.5—IPSec End System
• 1.3.6.1.5.5.7.3.6—IPSec Tunnel
• 1.3.6.1.5.5.7.3.7—IPSec User
• 1.3.6.1.5.5.7.3.8—Time Stamping
• 1.3.6.1.5.5.7.3.9—OCSP Signing

For example, say your endpoints have four client certificates installed, but the one you want your users to select has the OID 1.3.6.1.5.5.7.3.1. Rather than having the GlobalProtect app to present all four client certificates to the user, you can specify the Extended Key Usage OID in the GlobalProtect portal app configuration for the users whose endpoints have multiple client certificates. Keep in mind that if multiple client certificates on the endpoint have the matching OID, GlobalProtect will prompt the user to select the client certificate from the filtered list.

GlobalProtect uses only the Extended Key Usage OID field of the certificate and does not evaluate any other certificate fields such as Subject Name to determine whether to present the certificates. Note that the Extended Key Usage OID value is different from the Certificate Template Information OID. For other certificate selection requirements, see How Does the App Know Which Certificate to Supply?

To configure the OID as a requirement for certificate selection:

1. (Optional) Create or edit the client certificate and note the associated OID.

   1. Open the Certificate Templates snap-in.
   2. In the Details pane, create or edit the certificate template you want to modify, and then click Properties.
   3. On the Extensions tab, select Application PoliciesEdit.
   4. In the Edit Application Policies Extension dialog box, click Add.
   5. In Add Application Policy, ensure that the application you are creating does not exist, and then click New.
   6. In the New Application Policy dialog box, provide the name for the new application policy (for example GlobalProtect Authentication).
   7. Note the generated object identifier, and then click OK.
2. Specify the certificate’s object identifier (OID) in the Extended Key Usage OID field as part of the appropriate GlobalProtect portal app configuration.