There are two basic approaches to deploying certificates for GlobalProtect LSVPN:
Enterprise Certificate Authority—If you already have your own enterprise certificate authority, you can use this internal CA to issue an intermediate CA certificate for the GlobalProtect portal to enable it to issue certificates to the GlobalProtect gateways and satellites. You can also configure the GlobalProtect portal to act as a Simple Certificate Enrollment Protocol (SCEP) client to issue client certificates to GlobalProtect satellites.
You can generate a self-signed root CA certificate on the firewall and use it to issue server certificates for the portal, gateway(s), and satellite(s). As a best practice, create a self-signed root CA certificate on the portal and use it to issue server certificates for the gateways and satellites. This way, the private key used for certificate signing stays on the portal.
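The enterprise CA hierarchy described above (an internal CA issues an intermediate CA certificate to the portal, which then issues the gateway and satellite certificates), modeled with OpenSSL so the resulting trust chain can be checked. This is an added example, not PAN-OS configuration or vendor code; all file names, subjects and lifetimes are assumptions.

```shell
#!/bin/sh
# Added example: models the LSVPN certificate hierarchy with OpenSSL.
# File names, subjects and lifetimes are constructed for illustration.

issue() {  # $1=issuer basename  $2=extension section  $3=new basename  $4=CN
  openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
    -keyout "$3.key" -out "$3.csr" -subj "/CN=$4" 2>/dev/null &&
  openssl x509 -req -in "$3.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
    -extfile pki.cnf -extensions "$2" -days 30 -out "$3.crt" 2>/dev/null
}

build_lsvpn_pki() {  # $1 = empty working directory
  ( cd "$1" || exit 1
    cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
EOF
    # 1. Stand-in for the existing enterprise root CA.
    openssl req -x509 -config pki.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
      -keyout root.key -out root.crt -days 30 \
      -subj "/CN=Example Enterprise Root CA" 2>/dev/null || exit 1
    # 2. Intermediate CA for the portal; the root key is used only for this step.
    issue root v3_ca portal-ca "Example Portal Issuing CA" || exit 1
    # 3. The portal's intermediate key signs the gateway and satellite certificates.
    for n in gateway satellite; do
      issue portal-ca v3_leaf "$n" "$n.lsvpn.example" || exit 1
    done )
}

chain_ok() {  # $1 = PKI directory  $2 = leaf basename
  # The leaf must chain through the portal intermediate to the enterprise root.
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/portal-ca.crt" \
    "$1/$2.crt" >/dev/null 2>&1
}

dir=$(mktemp -d) && build_lsvpn_pki "$dir" &&
for n in gateway satellite; do
  chain_ok "$dir" "$n" && echo "$n: chains to the enterprise root"
done
```

A peer that trusts only the enterprise root still needs the portal's intermediate certificate presented alongside the leaf; verification without it fails.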