1. Home
    2. PAN-OS
    3. PAN-OS® New Features Guide
    4. GlobalProtect Features
    5. Certificate Selection by OID
    Previous
    Next
    To improve the certificate selection process when multiple certificates exist on Windows or Mac endpoints, you can now specify the object identifier (OID) as a requirement for selection.
    An OID is a numeric value that identifies the application or service for which a certificate is used. When the certificate authority (CA) creates the certificate, the CA automatically includes the OID in the Enhanced Key Usage field.
    :
    When you create the certificate, you can specify the OID to identify the certificate’s purpose. Some of the most commonly used OIDs are:
    1.3.6.1.5.5.7.3.1—Server Authentication 1.3.6.1.5.5.7.3.2—Client Authentication (default match criteria) 1.3.6.1.5.5.7.3.3—Code Signing 1.3.6.1.5.5.7.3.4—Email Protection 1.3.6.1.5.5.7.3.5—IPSec End System 1.3.6.1.5.5.7.3.6—IPSec Tunnel 1.3.6.1.5.5.7.3.7—IPSec User 1.3.6.1.5.5.7.3.8—Time Stamping 1.3.6.1.5.5.7.3.9—OCSP Signing
    For example, say you have four client certificates but the one you want your users to select also specifies an OID such as 1.3.6.1.5.5.7.3.1 which specifies a Server Authentication purpose. Rather than allow the GlobalProtect agent to present all four client certificates to the user, you can specify the Extended Key Usage OID in the appropriate GlobalProtect portal agent configuration.
    By default, GlobalProtect automatically filters the certificates for those that specify a Client Authentication purpose so it is not necessary to specify the OID associates with Client Authentication. Note that if multiple client certificates specify the matching OID, GlobalProtect will prompt the user to select the client certificate from the filtered list.
    		GlobalProtect uses only the Extended Key Usage OID field of the certificate and does not evaluate any other certificate fields such as Subject Name to determine whether to present the certificates. Note that the Extended Key Usage OID value is different from the Certificate Template Information OID. For other certificate selection requirements, see How Does the GlobalProtect Agent Know Which Certificate to Supply?.
    To configure the OID as a requirement for certificate selection:
    Configure Certificate Selection by OID
    ( Optional ) Create or edit the client certificate and note the associated OID. Open the Certificate Templates snap-in. In the Details pane, create or edit the certificate template you want to modify, and then click Properties. On the Extensions tab, select Application Policies > Edit. In the Edit Application Policies Extension dialog box, click Add. In Add Application Policy, ensure that the application you are creating does not exist, and then click New. In the New Application Policy dialog box, provide the name for the new application policy (for example GlobalProtect Authentication). Note the generated object identifier, and then click OK.
    Specify the certificate’s object identifier (OID) in the Extended Key Usage OID field as part of the appropriate GlobalProtect portal agent configuration.
    Previous
    Next

    Related Documentation

    How Does the Agent Know Which Certificate to Supply?

    How Does the Agent Know Which Certificate to Supply? When you configure GlobalProtect to use client certificates for authentication on Mac or Windows endpoints, GlobalProtect ...

    Network > GlobalProtect > Portals

    Network > GlobalProtect > Portals Select Network > GlobalProtect > Portals to set up and manage a GlobalProtect™ portal. The portal provides the management functions ...

    Dynamic GlobalProtect App Customization

    Dynamic GlobalProtect App Customization You can now view all agent customization options and configure them from the new App tab in a GlobalProtect portal agent ...

    GlobalProtect Features

    GlobalProtect Features New GlobalProtect Feature Description GlobalProtect App for Chrome OS The new GlobalProtect app for Chrome OS is now available for Chromebooks running Chrome ...

    Customize the GlobalProtect Agent

    Customize the GlobalProtect Agent The portal agent configuration allows you to customize how your end users interact with the GlobalProtect agents installed on their systems ...

    Support for 4,096-bit RSA Certificates

    Support for 4,096-bit RSA Certificates The firewall and Panorama now support RSA certificates with 4,096-bit keys, which are more secure than smaller keys. You can ...

    Device > Certificate Management > Certificates

    Device > Certificate Management > Certificates Select Device > Certificate Management > Certificates > Device Certificates to manage (generate, import, renew, delete, and revoke) certificates, ...

    Certificate Deployment

    Certificate Deployment The basic approaches to deploy certificates for Palo Alto Networks firewalls or Panorama are: Obtain certificates from a trusted third-party CA —The benefit ...

    Deploy Machine Certificates for Authentication

    Deploy Machine Certificates for Authentication To confirm that the endpoint belongs to your organization, use your own public-key infrastructure (PKI) to issue and distribute machine ...

    Deploy Server Certificates to the GlobalProtect Components

    Deploy Server Certificates to the GlobalProtect Components The following workflow shows the best practice steps for deploying SSL/TLS certificates to the GlobalProtect components: Import a ...

    © 2019 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo