https://live.paloaltonetworks.com/t5/general-topics/adding-multiple-client-certificate-in-linux-gp-agent/m-p/336833#M84894 <P>Hi Community,</P><P>&nbsp;</P><P>I have a requirement to add multiple client certificate into Linux GP config. Usually, whe we put 'globalprotect import-certificate --location &lt;cert_location&gt;', the existing client cert will be overridden with the new one and it will be imported as <SPAN>pan_client_cert.pfx under&nbsp;</SPAN>/opt/paloaltonetworks/globalprotect .. Is there a way to keep both instead of override, so that i can use different client certificates while connecting to different portals. In windows, as it is taking from windows personal store, it will be discrete and we wont face this issue.</P><P>&nbsp;</P><P>Anybody have any idea to achieve this ?.. or can we combine different .p12 files to single .pfx ?,&nbsp;</P><P>I am looking for some options other than adding both CAs in certificate profile</P><P>&nbsp;</P><P>Thanks in advance!</P><P>&nbsp;</P> Tue, 07 Jul 2020 10:54:09 GMT Abdul_Razaq 2020-07-07T10:54:09Z https://live.paloaltonetworks.com/t5/general-topics/adding-multiple-client-certificate-in-linux-gp-agent/m-p/336833#M84894 <P>Hi Community,</P><P>&nbsp;</P><P>I have a requirement to add multiple client certificate into Linux GP config. Usually, whe we put 'globalprotect import-certificate --location &lt;cert_location&gt;', the existing client cert will be overridden with the new one and it will be imported as <SPAN>pan_client_cert.pfx under&nbsp;</SPAN>/opt/paloaltonetworks/globalprotect .. Is there a way to keep both instead of override, so that i can use different client certificates while connecting to different portals. In windows, as it is taking from windows personal store, it will be discrete and we wont face this issue.</P><P>&nbsp;</P><P>Anybody have any idea to achieve this ?.. or can we combine different .p12 files to single .pfx ?,&nbsp;</P><P>I am looking for some options other than adding both CAs in certificate profile</P><P>&nbsp;</P><P>Thanks in advance!</P><P>&nbsp;</P> Tue, 07 Jul 2020 10:54:09 GMT https://live.paloaltonetworks.com/t5/general-topics/adding-multiple-client-certificate-in-linux-gp-agent/m-p/336833#M84894 Abdul_Razaq 2020-07-07T10:54:09Z https://live.paloaltonetworks.com/t5/general-topics/adding-multiple-client-certificate-in-linux-gp-agent/m-p/336852#M84898 <P>Hello <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/101029">@Abdul_Razaq</a>,</P><P>&nbsp;</P><P>As far as I know there is a technical possibility to include multiple certificate chains and private keys in a PKCS #12 archive however it is not something widely implemented.</P><P>&nbsp;</P><P>I see GlobalProtect App for Linux as an open-beta and assume what you require is beyond its abilities. Even basic verification of imported certificate is not performed:</P><LI-CODE lang="markup">$ globalprotect import-certificate --location /dev/zero Please input passcode: Import certificate is successful.</LI-CODE><P>&nbsp;</P><P>I would explore alternative VPN Client - OpenConnect. It claims compatibility with GlobalProtect: <A href="https://www.infradead.org/openconnect/globalprotect.html" target="_blank">https://www.infradead.org/openconnect/globalprotect.html</A></P><P>Certificate for authentication is provided as command-line argument (<A href="https://www.infradead.org/openconnect/manual.html" target="_blank">https://www.infradead.org/openconnect/manual.html</A>&nbsp;- -c,--certificate=CERT) so it can be easily selected per Portal/Gateway.</P><P>&nbsp;</P><P>Not sure it will satisfy your other requirements, and it is a 3-rd party application introduction into environment, but might work.</P><P>Getting in touch with your SE to rise a Feature Request and wait like Sleeping Beauty for it to be kissed by a PM-Prince is also an option <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Tue, 07 Jul 2020 14:52:29 GMT https://live.paloaltonetworks.com/t5/general-topics/adding-multiple-client-certificate-in-linux-gp-agent/m-p/336852#M84898 Retired Member 2020-07-07T14:52:29Z