topic Re: certificate format from CA to clients and GP in GlobalProtect Discussions

certificate format from CA to clients and GP

FWPalolearner — Thu, 17 Sep 2020 20:46:29 GMT

Hello Team

Our GP is running with users authenticating via AD account

Now we are rolling out Machine certificate via Group Policy from our Microsoft CA server to all the Domain clients

and then the goal is to enable certificate check in addition to AD authentication for Global protect corporate users

My question is when Microsoft CA issues certifciate , in which format they get stored on user machine - PKCS or pfix ; how to check ?

Do GP support all the formats ? this is important because this is huge rollout of 1000 CLIENTS

Re: certificate format from CA to clients and GP

BPry — Fri, 18 Sep 2020 04:30:53 GMT

@FWPalolearner,

As long as the certificate is imported into the machine store and GlobalProtect is configured to search the machine store this will work perfectly fine. Keep in mind that windows will generally keep anything with a private key in PFX format, but really all PFX means is that it's using PKCS#12. This is really easy to deploy, and as long as you have the certificate in the machine store and the firewall has a properly configured certificate profile assigned it'll "just work".

The only gotcha that you should keep in mind with this change is that by default the agent option is set to search both the machine and user certificate stores. If you aren't setup to handle users will user certificates, you'll want to ensure that you have the agent configured to look solely at the machine store.

Re: certificate format from CA to clients and GP

FWPalolearner — Fri, 18 Sep 2020 06:46:20 GMT

@BPry Thanks a lot .

Any way to check what is the format ?

I believe all certificates are X.509

these PKCS or PFX are file format