GlobalProtect Administrator’s Guide
Set Up the GlobalProtect Infrastructure: Set Up GlobalProtect User Authentication
Set Up Client Certificate Authentication
Step 1 Issue client certificates to GlobalProtect users/machines.
The method for issuing client certificates depends on how you are using client authentication:
• To authenticate individual users—You must issue a unique client certificate to each GlobalProtect user and deploy them to the client systems prior to enabling GlobalProtect.
• To validate that the client system belongs to your organization—Use your own public-key infrastructure (PKI) to issue and distribute machine certificates to each client system (recommended) or generate a self-signed machine certificate for export. This is required for pre-logon. This option requires that you also configure an authentication profile in order to authenticate the user. See Two-factor authentication.
• To validate that a user belongs to your organization—In this case you can use a single client certificate for all agents, or generate separate certificates to be deployed with a particular client configuration. Use the procedure in this step to issue self-signed client certificates for this purpose.
To issue unique certificates for individual clients or machines, use your enterprise CA or a public CA. However, if you want to use client certificates to validate that the user belongs to your organization, generate a self-signed client certificate as follows:
1. Create the root CA certificate for issuing self-signed certificates for the GlobalProtect components.
2. Select Device > Certificate Management > Certificates > Device Certificates and then click Generate.
3. Enter a Certificate Name. The certificate name cannot contain any spaces.
4. In the Common Name field enter a name to identify this certificate as an agent certificate, for example GP_Windows_clients. Because this same certificate will be deployed to all agents using the same configuration, it does not need to uniquely identify a specific end user or system.
5. (Optional) In the Certificate Attributes section, click Add and define the attributes to identify the GlobalProtect clients as belonging to your organization if required as part of your security requirements.
6. In the Signed By field, select your root CA.
7. Click OK to generate the certificate.
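A pre-deployment check for the certificate generated in the steps above, as an added example that is not part of the guide: it confirms with openssl that an exported agent certificate verifies against your root CA only and carries the Common Name you entered in step 4. It assumes both certificates have been exported as PEM files; the file names, the helper functions and the demo CA are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the guide. File names and the demo CA are constructed.

# check_agent_cert ROOT_CA_PEM CERT_PEM EXPECTED_CN
# Returns 0 if CERT_PEM verifies against ROOT_CA_PEM (signature and validity
# period) and has the expected subject CN; 1 on a verify failure; 2 on a CN mismatch.
check_agent_cert() {
  local ca="$1" cert="$2" want_cn="$3" cn
  # Trust only the supplied root; -no-CApath keeps the system CA directory out.
  if ! openssl verify -no-CApath -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "FAIL: $cert does not verify against $ca"
    return 1
  fi
  cn=$(openssl x509 -in "$cert" -noout -subject -nameopt multiline |
       sed -n 's/^ *commonName *= *//p')
  if [ "$cn" != "$want_cn" ]; then
    echo "FAIL: CN is '$cn', expected '$want_cn'"
    return 2
  fi
  echo "OK: CN=$cn, signed by the expected root CA"
}

# make_demo_certs DIR
# Builds constructed test data: a root CA, an agent certificate signed by it,
# and an unrelated self-signed certificate that reuses the same CN.
make_demo_certs() {
  local d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo GP Root CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=GP_Windows_clients" \
    -keyout "$d/agent.key" -out "$d/agent.csr" 2>/dev/null
  openssl x509 -req -in "$d/agent.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/agent.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=GP_Windows_clients" \
    -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null
}

# Pass --demo to run the check against the constructed certificates.
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d)
  make_demo_certs "$d"
  check_agent_cert "$d/ca.pem" "$d/agent.pem" GP_Windows_clients
  check_agent_cert "$d/ca.pem" "$d/other.pem" GP_Windows_clients
  rm -rf "$d"
fi
```

The second demo call fails even though the Common Name matches, because the certificate was not signed by the root CA selected in step 6.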