To improve the certificate selection process when multiple certificates exist on Windows or Mac endpoints, you can now specify the object identifier (OID) as a requirement for selection.
An OID is a numeric value that identifies the application or service for which a certificate is used. When the certificate authority (CA) creates the certificate, the CA automatically includes the OID in the Enhanced Key Usage field.
:
When you create the certificate, you can specify the OID to identify the certificate’s purpose. Some of the most commonly used OIDs are:
1.3.6.1.5.5.7.3.1—Server Authentication 1.3.6.1.5.5.7.3.2—Client Authentication (default match criteria) 1.3.6.1.5.5.7.3.3—Code Signing 1.3.6.1.5.5.7.3.4—Email Protection 1.3.6.1.5.5.7.3.5—IPSec End System 1.3.6.1.5.5.7.3.6—IPSec Tunnel 1.3.6.1.5.5.7.3.7—IPSec User 1.3.6.1.5.5.7.3.8—Time Stamping 1.3.6.1.5.5.7.3.9—OCSP Signing
For example, say you have four client certificates but the one you want your users to select also specifies an OID such as 1.3.6.1.5.5.7.3.1 which specifies a Server Authentication purpose. Rather than allow the GlobalProtect agent to present all four client certificates to the user, you can specify the Extended Key Usage OID in the appropriate GlobalProtect portal agent configuration.
By default, GlobalProtect automatically filters the certificates for those that specify a Client Authentication purpose so it is not necessary to specify the OID associates with Client Authentication. Note that if multiple client certificates specify the matching OID, GlobalProtect will prompt the user to select the client certificate from the filtered list.
GlobalProtect uses only the Extended Key Usage OID field of the certificate and does not evaluate any other certificate fields such as Subject Name to determine whether to present the certificates. Note that the Extended Key Usage OID value is different from the Certificate Template Information OID. For other certificate selection requirements, see How Does the GlobalProtect Agent Know Which Certificate to Supply?.
To configure the OID as a requirement for certificate selection:
Configure Certificate Selection by OID
( Optional ) Create or edit the client certificate and note the associated OID. Open the Certificate Templates snap-in. In the Details pane, create or edit the certificate template you want to modify, and then click Properties. On the Extensions tab, select Application Policies > Edit. In the Edit Application Policies Extension dialog box, click Add. In Add Application Policy, ensure that the application you are creating does not exist, and then click New. In the New Application Policy dialog box, provide the name for the new application policy (for example GlobalProtect Authentication). Note the generated object identifier, and then click OK.
Specify the certificate’s object identifier (OID) in the Extended Key Usage OID field as part of the appropriate GlobalProtect portal agent configuration.

Related Documentation