<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Globalprotect - machine/device cert for Portal and Gateway &amp;quot;certificate profiles&amp;quot; - how to best distribute in GlobalProtect Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-machine-device-cert-for-portal-and-gateway-quot/m-p/587882#M5386</link>
    <description>&lt;P&gt;Hello,&lt;/P&gt;
&lt;P&gt;Yes, you can use your Windows CA server for GlobalProtect certificates. To do this, create a certificate template on your Windows CA for machine certificates, then use Group Policy to auto-enroll these certificates to all relevant PCs. Export the subordinate CA certificate from your Windows CA and import it into your Palo Alto firewall as a trusted root CA. Configure the certificate profile on the GlobalProtect portal and gateway to use the certificates signed by the Windows CA. This method leverages existing trust within your domain and simplifies certificate deployment.&lt;/P&gt;</description>
    <pubDate>Sat, 25 May 2024 04:23:02 GMT</pubDate>
    <dc:creator>kurdt784</dc:creator>
    <dc:date>2024-05-25T04:23:02Z</dc:date>
    <item>
      <title>Globalprotect - machine/device cert for Portal and Gateway "certificate profiles" - how to best distribute</title>
      <link>https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-machine-device-cert-for-portal-and-gateway-quot/m-p/587830#M5385</link>
      <description>&lt;P&gt;I have successfully configured a working POC for exactly how I want our users to connect to Globalprotect.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;We have a SAML authentication profile configured for both the Portal and Gateway, each with the same certificate profile configured.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I created the "machinecert" using the firewall as a CA and manually installed the cert.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;When it comes time to mass deploy the cert, I'm unsure of which method to choose as I don't know all the pros/cons. It should suffice to simply use a GPO and install the machinecert on all PCs.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;But it also seems like it may be a better idea to use the Windows CA server we already have. For the SSL decryption we used that server to create a subordinate CA authority, and when we imported that certificate to the Palo Alto we were then able to use a certificate signed by the subordinate certificate, and it was inherently trusted by all of our Windows PCs since they were part of the domain. This way, we didn't need to push out any kind of certificate.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;So my question is if I can also use the Windows CA server in a similar way to be used for the certificate profile? If yes, I have not come across a guide specific to this.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 23 May 2024 21:00:09 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-machine-device-cert-for-portal-and-gateway-quot/m-p/587830#M5385</guid>
      <dc:creator>asiewert</dc:creator>
      <dc:date>2024-05-23T21:00:09Z</dc:date>
    </item>
    <item>
      <title>Re: Globalprotect - machine/device cert for Portal and Gateway "certificate profiles" - how to best distribute</title>
      <link>https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-machine-device-cert-for-portal-and-gateway-quot/m-p/587882#M5386</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;
&lt;P&gt;Yes, you can use your Windows CA server for GlobalProtect certificates. To do this, create a certificate template on your Windows CA for machine certificates, then use Group Policy to auto-enroll these certificates to all relevant PCs. Export the subordinate CA certificate from your Windows CA and import it into your Palo Alto firewall as a trusted root CA. Configure the certificate profile on the GlobalProtect portal and gateway to use the certificates signed by the Windows CA. This method leverages existing trust within your domain and simplifies certificate deployment.&lt;/P&gt;</description>
      <pubDate>Sat, 25 May 2024 04:23:02 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-machine-device-cert-for-portal-and-gateway-quot/m-p/587882#M5386</guid>
      <dc:creator>kurdt784</dc:creator>
      <dc:date>2024-05-25T04:23:02Z</dc:date>
    </item>
  </channel>
</rss>

