Deploy Client Certificates to the GlobalProtect Satellites
As an alternative method for deploying client certificates to satellites, you can configure your GlobalProtect portal to act as a Simple Certificate Enrollment Protocol (SCEP) client to a SCEP server in your enterprise PKI. SCEP operation is dynamic: the enterprise PKI generates a certificate when the portal requests it and sends the certificate to the portal. When the satellite device requests a connection to the portal or gateway, it also includes its serial number with the connection request. The portal submits a CSR to the SCEP server using the settings in the SCEP profile and automatically includes the serial number of the device in the subject of the client certificate. After receiving the client certificate from the enterprise PKI, the portal transparently deploys the client certificate to the satellite device. The satellite device then presents the client certificate to the portal or gateway
Create a SCEP profile.
a new profile.
to identify the
If this profile is for a firewall with multiple virtual
systems capability, select a virtual system or
where the profile is available.
To make the SCEP-based certificate generation more secure, configure a SCEP challenge-response mechanism between the PKI and portal for each certificate request. After you configure this mechanism, its operation is invisible to you, and no further input from you is necessary.
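The two request fields the text describes, shown as an added example that is not Palo Alto Networks code: the CSR subject carrying the satellite's serial number, the PKCS#9 challengePassword attribute, and the check a PKI would apply before issuing. It assumes the serial number is placed in the X.520 serialNumber attribute and that each challenge password is single-use; all serial numbers and passwords are constructed placeholders.

```python
from typing import Optional

# DER-encoded OIDs (assumed attribute choices; values below are constructed)
OID_CN = bytes.fromhex("550403")                      # 2.5.4.3 commonName
OID_SERIAL = bytes.fromhex("550405")                  # 2.5.4.5 serialNumber
OID_CHALLENGE = bytes.fromhex("2a864886f70d010907")   # 1.2.840.113549.1.9.7 challengePassword

def _tlv(tag: int, content: bytes) -> bytes:
    """Minimal DER tag-length-value encoder (short and long length forms)."""
    n = len(content)
    if n < 0x80:
        ln = bytes([n])
    else:
        b = n.to_bytes((n.bit_length() + 7) // 8, "big")
        ln = bytes([0x80 | len(b)]) + b
    return bytes([tag]) + ln + content

def _read(buf: bytes, pos: int = 0):
    """Decode one TLV at pos; returns (tag, content, position after it)."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n

def build_subject(cn: str, device_serial: str) -> bytes:
    """X.501 Name: CN=<cn>, serialNumber=<device_serial> (PrintableString values)."""
    def rdn(oid: bytes, val: str) -> bytes:
        return _tlv(0x31, _tlv(0x30, _tlv(0x06, oid) + _tlv(0x13, val.encode("ascii"))))
    return _tlv(0x30, rdn(OID_CN, cn) + rdn(OID_SERIAL, device_serial))

def build_challenge_attr(password: str) -> bytes:
    """PKCS#10 Attribute { type challengePassword, values SET { PrintableString } }."""
    return _tlv(0x30, _tlv(0x06, OID_CHALLENGE) + _tlv(0x31, _tlv(0x13, password.encode("ascii"))))

def subject_serial(der_name: bytes) -> Optional[str]:
    """Walk the Name's RDNs and return the serialNumber value, if present."""
    tag, seq, _ = _read(der_name)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    pos = 0
    while pos < len(seq):
        _, rdn_set, pos = _read(seq, pos)
        _, atv, _ = _read(rdn_set)
        _, oid, p = _read(atv)
        if oid == OID_SERIAL:
            return _read(atv, p)[1].decode("ascii")
    return None

def pki_should_issue(der_name: bytes, challenge_attr: bytes, claimed_serial: str, one_time_pw: set) -> bool:
    """Assumed PKI policy: subject serial must match the requesting device, and the
    challengePassword must be one the PKI issued and not yet consumed (a replayed CSR fails)."""
    if subject_serial(der_name) != claimed_serial:
        return False
    _, attr, _ = _read(challenge_attr)
    _, oid, p = _read(attr)
    _, vals, _ = _read(attr, p)
    pw = _read(vals)[1].decode("ascii")
    if oid != OID_CHALLENGE or pw not in one_time_pw:
        return False
    one_time_pw.discard(pw)
    return True
```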
To comply with the U.S. Federal Information Processing Standard (FIPS), use a