- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
10-25-2023 02:24 PM
The issue is that we are about to replace our Issuing Intermediate Root Certificate (IIRC) in our PKI chain with a new one due to expiration on December 15th. Right now we configure laptops we sent out to remote users with the special registry key settings in GlobalProtect to allow the "pre-logon" user, and to pre-define a specific portal to use. So users receive their laptops at home, connect to their home wifi, and globalprotect makes logging in behind our firewall seamless. Great!
What is worrying me is what will happen when we put the new Intermediate certificate into production, is what is depicted here in this LiveCommunity thread. Obviously, our IIRC will have the same Issuing CA for it - the offline root server. Which means that the first bullet point here will be an issue - the new client certificates that our Windows PKI environment will start issuing for clients immediately after we replace the IIRC with the new one (typical domain joined computer behavior), will mean that within a day or two of replacing the IIRC, remote client computers will have two unexpired, essentially identical (same OID in the enhanced key usage field, so we can't use the OID filter method to force GlobalProtect to choose one certificate) certificates on them.
My concern is that GlobalProtect will see the two valid client certificates, one with a validity ending on December 15th, and one with our defined one year expiration date from the date we do the IIRC replacement, and then try to prompt the pre-logon user account to select which certificate to use, as shown in my first link above. Of course the pre-logon user will not be able to select which certificate to use, which means that my users will not be able to have the seamless logon experience.
So my question is - how on either GlobalProtect settings, or Portal settings, can I make sure that if a GlobalProtect client has two valid certificates that could be used, that it is forced to pick the one with the farther-out expiration date, and not try to prompt the user (or the pre-logon user, which would be worse) to select a certificate, if enhanced key usage field on client certificates are the same?
Or more generally, how can I simply accomplish my goal of wanting remote users with never-logged-into, freshly shipped laptops to be able to power on, join home network, get behind-the-scenes-"pre-logged-in" to GlobalProtect, sign into Windows with their Active Directory credentials, and get to work?