Configure the Subject to include identifying information about the device and, optionally, the user, and provide this information in the certificate signing request (CSR) to the SCEP server.

When used to request client certificates for endpoints, the endpoint sends identifying information about the device that includes its host ID value. The host ID value varies by device type: GUID (Windows), MAC address of the interface (Mac), Android ID (Android devices), UDID (iOS devices), or a unique name that GlobalProtect assigns (Chrome). When used to request certificates for satellite devices, the host ID value is the device serial number.

To specify additional information in the CSR, enter the Subject name. The subject must be a distinguished name in the <attribute>=<value> format and must include the common name (CN) key. For example: O=acme,CN=acmescep

There are two ways to specify the CN:

(Recommended) Token-based CN—Enter one of the supported tokens: $USERNAME, $EMAILADDRESS, or $HOSTID. Use the username or email address variable to ensure that the portal requests certificates for a specific user. To request certificates for the device only, specify the hostid variable. When the GlobalProtect portal pushes the SCEP settings to the agent, the CN portion of the subject name is replaced with the actual value (username, hostid, or email address) of the certificate owner. For example:
O=acme,CN=$HOSTID O=acme,CN=acmescep
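
The subject rules and token substitution described above, sketched as a pre-deployment check (an added example, not GlobalProtect or Palo Alto Networks code). The function names, the owner mapping, and the sample values are assumptions made for illustration; escaping DN special characters in the substituted value is a precaution added here, not behaviour the page documents.

```python
import re

# Tokens the page lists as supported in the CN.
SUPPORTED_TOKENS = {"$USERNAME", "$EMAILADDRESS", "$HOSTID"}
# RFC 4514 special characters, plus '=', escaped in substituted values.
# (Leading '#' and leading/trailing spaces are not handled in this sketch.)
_DN_SPECIAL = re.compile(r'([,+"\\<>;=])')


def parse_subject(subject):
    """Split 'O=acme,CN=$HOSTID' into [(attr, value), ...]; raise on bad syntax."""
    rdns = []
    for part in re.split(r"(?<!\\),", subject):  # split on unescaped commas
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"not in <attribute>=<value> format: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def check_subject(subject):
    """Return 'token' or 'static' for a valid subject; raise ValueError otherwise."""
    cns = [v for a, v in parse_subject(subject) if a == "CN"]
    if not cns:
        raise ValueError("subject must include the CN key")
    kind = "static"
    for cn in cns:
        if cn.startswith("$"):
            if cn not in SUPPORTED_TOKENS:
                raise ValueError(f"unsupported token: {cn}")
            kind = "token"
    return kind


def expand_subject(subject, owner):
    """Replace a token CN with the owner's value, escaping DN metacharacters.

    `owner` is a hypothetical mapping such as {"$HOSTID": "..."}.
    """
    out = []
    for attr, value in parse_subject(subject):
        if attr == "CN" and value in SUPPORTED_TOKENS:
            value = _DN_SPECIAL.sub(r"\\\1", owner[value])
        out.append(f"{attr}={value}")
    return ",".join(out)
```

A username such as the constructed value `smith,OU=admins` stays a single CN value after expansion instead of adding an extra attribute to the subject.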