Install in local root certificate store

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Install in local root certificate store

L2 Linker

I'm testing this and have questions...

 

Where exactly is the root certificate stored on Windows and Mac when 'Install in local root certificate store' is selected under the agent configuration?

 

My understanding is that the firewall pushes the root-ca down to the client upon connecting. I can't see any new certificates added in Keychain on Mac or via mmc on Windows.

 

Also would this be considered a less secure option because you are pushing down a root certificate to the endpoint meaning that they only require a correct username and password to connect.

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

@GeorgePalo,

On Windows this is stored under the user's certificate store under Trusted Root Certificates. On macOS you'll be able to find it under the System certificates in keychain.

 


@GeorgePalo wrote:

Also would this be considered a less secure option because you are pushing down a root certificate to the endpoint meaning that they only require a correct username and password to connect.


Are you using the certificates that you are trying to push as part of your authentication process, because if you are I wouldn't it. We push down our root and intermediate certificates so that users on a BYOD endpoint can navigate to any of our allowed internal resources without certificate errors and so they don't have to manually install our certs. You can have them connect to GlobalProtect and they're automatically ready to access internal websites ect.

View solution in original post

1 REPLY 1

Cyber Elite
Cyber Elite

@GeorgePalo,

On Windows this is stored under the user's certificate store under Trusted Root Certificates. On macOS you'll be able to find it under the System certificates in keychain.

 


@GeorgePalo wrote:

Also would this be considered a less secure option because you are pushing down a root certificate to the endpoint meaning that they only require a correct username and password to connect.


Are you using the certificates that you are trying to push as part of your authentication process, because if you are I wouldn't it. We push down our root and intermediate certificates so that users on a BYOD endpoint can navigate to any of our allowed internal resources without certificate errors and so they don't have to manually install our certs. You can have them connect to GlobalProtect and they're automatically ready to access internal websites ect.

  • 1 accepted solution
  • 3516 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!