05-20-2021 05:20 AM
I'm testing this and have questions...
Where exactly is the root certificate stored on Windows and Mac when 'Install in local root certificate store' is selected under the agent configuration?
My understanding is that the firewall pushes the root-ca down to the client upon connecting. I can't see any new certificates added in Keychain on Mac or via mmc on Windows.
Also, would this be considered a less secure option because you are pushing down a root certificate to the endpoint, meaning that they only require a correct username and password to connect?
05-20-2021 05:55 AM
On Windows this is stored under the user's certificate store under Trusted Root Certificates. On macOS you'll be able to find it under the System certificates in Keychain.
@GeorgePalo wrote: Also would this be considered a less secure option because you are pushing down a root certificate to the endpoint meaning that they only require a correct username and password to connect.
Are you using the certificates that you are trying to push as part of your authentication process, because if you are I wouldn't it. We push down our root and intermediate certificates so that users on a BYOD endpoint can navigate to any of our allowed internal resources without certificate errors and so they don't have to manually install our certs. You can have them connect to GlobalProtect and they're automatically ready to access internal websites, etc.
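One way to check the Windows location given in the reply above, as an added example that is not part of the original thread or of any GlobalProtect tooling: the script lists trusted roots that are visible in the current user's store but not in the machine-wide store, which is where a root pushed to the user store would show up. The `-SubjectLike` parameter is a hypothetical convenience filter.

```powershell
# Added example: find trusted root certificates that exist only for the
# current user. Run as the logged-on user; no elevation is needed to read.
param(
    # Hypothetical filter, e.g. '*YourCompany*'; default matches everything.
    [string]$SubjectLike = '*'
)

# Cert:\CurrentUser\Root is a logical view that also shows the machine-wide
# roots, so a plain listing hides per-user additions among the OS defaults.
# Collect the machine-wide thumbprints first so they can be subtracted.
$machineThumbprints = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Select-Object -ExpandProperty Thumbprint

# Keep only roots that are visible to the user but absent machine-wide.
$userOnly = Get-ChildItem -Path Cert:\CurrentUser\Root |
    Where-Object {
        ($machineThumbprints -notcontains $_.Thumbprint) -and
        ($_.Subject -like $SubjectLike)
    }

if (-not $userOnly) {
    Write-Output 'No per-user trusted roots match.'
    return
}

# Show enough detail to compare against the CA exported from the firewall.
$userOnly |
    Sort-Object -Property Subject |
    Select-Object -Property Subject, Issuer, Thumbprint, NotBefore, NotAfter,
        @{ Name = 'SelfSigned'; Expression = { $_.Subject -eq $_.Issuer } } |
    Format-List
```

In the mmc Certificates snap-in the equivalent view is the "My user account" store rather than "Computer account".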