Hardware reference guide
GlobalProtect Administrator’s Guide
Set Up the GlobalProtect Infrastructure Enable SSL Between GlobalProtect Components
Deploy Server Certificates to the GlobalProtect Components
The following workflow shows the best practice steps for deploying SSL certificates to the GlobalProtect components:
Deploy SSL Server Certificates to the GlobalProtect Components
• Import a server certificate from a well-known, third-party CA.
Use a server certificate from a well-known, third-party CA for the GlobalProtect portal and Mobile Security Manager. This ensures that the end clients will be able to establish an HTTPS connection without receiving certificate warnings.
The Common Name (CN) and, if applicable, the Subject Alternative Name (SAN) fields of the certificate must match the fully qualified domain name (FQDN) or IP address of the interface where you plan to configure the portal and/or the device check-in interface on the Mobile Security Manager. Wildcard matches are supported.
To import a certificate and private key from a public CA, make sure the certificate and key files are accessible from your management system and that you have the passphrase to decrypt the private key, and then complete the following steps:
1. Select Device > Certificate Management > Certificates > Device Certificates.
2. Click Import and enter a Certificate Name.
3. Enter the path and name to the Certificate File received from the CA, or Browse to find the file.
4. Select Encrypted Private Key and Certificate (PKCS12) as the File Format.
5. Select the Import private key check box.
6. Enter the path and name to the PKCS#12 file in the Key File field or Browse to find it.
7. Enter and re-enter the Passphrase that was used to encrypt the private key and then click OK to import the certificate and key.
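A pre-import check for the PKCS#12 bundle described above, as an added example that is not part of the original guide: it confirms that the passphrase decrypts the file, that the private key is present, that the certificate has not expired, and that the CN/SAN covers the intended portal FQDN or IP address. It assumes the OpenSSL command-line tool on the management system; the function name `check_p12`, the `P12_PASS` environment variable and the file and host names are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example (not from the guide): sanity-check a PKCS#12 bundle before import.
# Assumes the OpenSSL CLI; check_p12 and P12_PASS are names chosen for this sketch.
# The passphrase comes from the environment so it stays out of the process list.

check_p12() {
    p12=$1
    target=$2   # FQDN or IP address of the portal / check-in interface

    # Leaf certificate only; empty if the passphrase is wrong or no cert is present.
    leaf=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null |
           openssl x509 2>/dev/null) || true
    if [ -z "$leaf" ]; then
        echo "FAIL: cannot decrypt $p12, or it contains no certificate"
        return 2
    fi

    # The import needs the private key too (the key goes to a pipe, never to disk).
    if ! openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -nodes 2>/dev/null |
         grep -q 'PRIVATE KEY'; then
        echo "FAIL: $p12 contains no private key"
        return 3
    fi

    # -checkend 0 exits non-zero when the certificate has already expired.
    if ! printf '%s\n' "$leaf" | openssl x509 -noout -checkend 0 >/dev/null; then
        echo "FAIL: certificate has expired"
        return 4
    fi

    # IP literals are compared against IP SAN entries; names against DNS SAN
    # entries, or against the CN when the certificate has no DNS SAN.
    case $target in
        *:*)        opt=-checkip ;;
        *[!0-9.]*)  opt=-checkhost ;;
        *)          opt=-checkip ;;
    esac
    if printf '%s\n' "$leaf" | openssl x509 -noout "$opt" "$target" |
       grep -q 'does match'; then
        echo "OK: $target is covered by the certificate"
        return 0
    fi
    echo "FAIL: $target does not match the certificate CN/SAN"
    return 1
}

# Stand-alone use: P12_PASS='...' sh check_p12.sh bundle.p12 portal.example.com
if [ "$#" -eq 2 ]; then check_p12 "$1" "$2"; fi
```

OpenSSL compares an IP address only against IP-type SAN entries, so an address that appears solely in the CN is reported as a mismatch by this check.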
• Create the root CA certificate for issuing self-signed certificates for the GlobalProtect components.
Create the Root CA certificate on the portal and use it to issue server certificates for the gateways and optionally for clients.
To use self-signed certificates, you must first create the root CA certificate that will be used to sign the certificates for the GlobalProtect components as follows:
1. To create a root CA certificate, select Device > Certificate Management > Certificates > Device Certificates and then click Generate.
2. Enter a Certificate Name, such as GlobalProtect_CA. The certificate name cannot contain any spaces.
3. Do not select a value in the Signed By field (this is what indicates that it is self-signed).
4. Select the Certificate Authority check box and then click OK to generate the certificate.