certificate format from CA to clients and GP

L3 Networker

Hello Team,

Our GP is running with users authenticating via AD account.

Now we are rolling out machine certificates via Group Policy from our Microsoft CA server to all the domain clients, and then the goal is to enable certificate check in addition to AD authentication for GlobalProtect corporate users.

My question is: when Microsoft CA issues a certificate, in which format does it get stored on the user machine - PKCS or PFX? How to check?

Does GP support all the formats? This is important because this is a huge rollout of 1000 clients.

Cyber Elite

@FWPalolearner,

As long as the certificate is imported into the machine store and GlobalProtect is configured to search the machine store, this will work perfectly fine. Keep in mind that Windows will generally keep anything with a private key in PFX format, but really all PFX means is that it's using PKCS#12. This is really easy to deploy, and as long as you have the certificate in the machine store and the firewall has a properly configured certificate profile assigned, it'll "just work".

The only gotcha that you should keep in mind with this change is that by default the agent option is set to search both the machine and user certificate stores. If you aren't set up to handle users with user certificates, you'll want to ensure that you have the agent configured to look solely at the machine store.

L3 Networker

@BPry Thanks a lot.

Is there any way to check what the format is?

I believe all certificates are X.509; these PKCS or PFX are file formats.
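
One way to check what a domain client actually holds in its machine store, as an added example that is not part of the original thread: this PowerShell lists each certificate in the Local Computer "Personal" store with the format .NET reports for it, whether a private key is attached, and whether it is time-valid and usable for TLS client authentication. The `$IssuerFilter` value is a placeholder assumption; set it to match your own issuing CA.

```powershell
# Added example (not from the thread): audit machine certificates on a Windows client.
# Run in an elevated PowerShell session on the domain-joined machine.

# Assumption: placeholder wildcard; narrow it to your issuing CA's name, e.g. '*CN=Your-Issuing-CA*'.
$IssuerFilter  = '*'
# Well-known OID for the "Client Authentication" enhanced key usage.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'
$EkuType       = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$now           = Get-Date

$report = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like $IssuerFilter } |
    ForEach-Object {
        $cert = $_

        # Collect the EKU OIDs, if the certificate carries an EKU extension at all.
        $ekuOids = @()
        $ekuExt  = $cert.Extensions | Where-Object { $_ -is $EkuType }
        if ($ekuExt) {
            $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }

        [pscustomobject]@{
            Subject        = $cert.Subject
            Issuer         = $cert.Issuer
            Thumbprint     = $cert.Thumbprint
            # GetFormat() returns "X509" for certificates held in the store.
            Format         = $cert.GetFormat()
            X509Version    = $cert.Version
            # True when a private key is associated with this store entry.
            HasPrivateKey  = $cert.HasPrivateKey
            TimeValid      = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)
            # A certificate with no EKU extension is not restricted to specific usages.
            HasEkuExt      = [bool]$ekuExt
            ClientAuthEku  = $ekuOids -contains $ClientAuthOid
        }
    }

# Show everything, then flag entries that could not be used for client authentication.
$report | Format-Table -AutoSize Subject, Format, X509Version, HasPrivateKey, TimeValid, ClientAuthEku

$report |
    Where-Object { -not $_.HasPrivateKey -or -not $_.TimeValid -or ($_.HasEkuExt -and -not $_.ClientAuthEku) } |
    Select-Object Subject, Thumbprint, HasPrivateKey, TimeValid, ClientAuthEku
```

Every entry reports `X509` as its format; PKCS#12/PFX only comes into play when a certificate and its private key are exported to or imported from a file.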
