09-17-2020 01:46 PM
Hello Team
Our GP is running with users authenticating via AD account
Now we are rolling out Machine certificate via Group Policy from our Microsoft CA server to all the Domain clients
and then the goal is to enable certificate check in addition to AD authentication for Global protect corporate users
My question is: when Microsoft CA issues a certificate, in which format does it get stored on the user machine - PKCS or PFX; how to check?
Does GP support all the formats? This is important because this is a huge rollout of 1000 CLIENTS
09-17-2020 09:30 PM
As long as the certificate is imported into the machine store and GlobalProtect is configured to search the machine store this will work perfectly fine. Keep in mind that Windows will generally keep anything with a private key in PFX format, but really all PFX means is that it's using PKCS#12. This is really easy to deploy, and as long as you have the certificate in the machine store and the firewall has a properly configured certificate profile assigned it'll "just work".
The only gotcha that you should keep in mind with this change is that by default the agent option is set to search both the machine and user certificate stores. If you aren't set up to handle users with user certificates, you'll want to ensure that you have the agent configured to look solely at the machine store.
09-17-2020 11:46 PM
@BPry Thanks a lot.
Any way to check what the format is?
I believe all certificates are X.509
These PKCS or PFX are file formats
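For the "how to check" question and the machine-versus-user store point in the reply above, here is an added example (not posted by anyone in this thread) that inventories both personal stores on a client and reports, per certificate, whether a private key is attached and whether it is currently within its validity period. `$IssuerMatch` and the function name `Get-StoreCertReport` are constructed placeholders; substitute your own issuing CA's name.

```powershell
# Added example: inventory the machine and user personal certificate stores.
# $IssuerMatch is a constructed placeholder, replace it with your issuing CA's name.
$IssuerMatch = 'CN=Example-Issuing-CA'

function Get-StoreCertReport {
    param(
        [Parameter(Mandatory)] [string] $StorePath,
        [Parameter(Mandatory)] [string] $IssuerMatch
    )
    $now = Get-Date
    # The Cert: provider returns X509Certificate2 objects, one per stored certificate.
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.Issuer -like "*$IssuerMatch*" } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $StorePath
                Subject       = $_.Subject
                Issuer        = $_.Issuer
                Thumbprint    = $_.Thumbprint
                HasPrivateKey = $_.HasPrivateKey   # a key is associated with this certificate
                NotAfter      = $_.NotAfter
                Valid         = ($_.NotBefore -le $now -and $_.NotAfter -gt $now)
            }
        }
}

# Machine store is what the rollout targets; the user store is listed as well
# because the agent searches both by default.
$report = @(
    Get-StoreCertReport -StorePath 'Cert:\LocalMachine\My' -IssuerMatch $IssuerMatch
    Get-StoreCertReport -StorePath 'Cert:\CurrentUser\My'  -IssuerMatch $IssuerMatch
)
$report | Format-Table -AutoSize

# Flag clients that have no usable machine certificate from the expected CA.
$usable = $report | Where-Object {
    $_.Store -eq 'Cert:\LocalMachine\My' -and $_.HasPrivateKey -and $_.Valid
}
if (-not $usable) {
    Write-Warning "No valid machine-store certificate with a private key issued by $IssuerMatch"
}
```

Run it in the logged-on user's session so that `Cert:\CurrentUser\My` reflects that user's store; rows from the user store show which clients would also offer a user certificate if the agent is left searching both stores.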