Hardware reference guide
GlobalProtect Administrator’s Guide
Set Up GlobalProtect User Authentication Set Up the GlobalProtect Infrastructure
Step 3 Verify that the certificate has been added
to the personal certificate store.
Look to see that the certificate you just installed is there.
Step 4 Import the root CA certificate used to issue the client certificates onto the firewall.
This step is only required if the client certificates were issued by an external CA, such as a public CA or an enterprise PKI CA. If you are using self-signed certificates, the root CA is already trusted by the portal/gateway.
1. Download the root CA certificate used to issue the client certificates (Base64 format).
2. Import the root CA certificate from the CA that generated the client certificates onto the firewall:
   a. Select Device > Certificate Management > Certificates > Device Certificates and click Import.
   b. Enter a Certificate Name that identifies the certificate as your client CA certificate.
   c. Browse to the Certificate File you downloaded from the CA.
   d. Select Base64 Encoded Certificate (PEM) as the File Format and then click OK.
   e. Select the certificate you just imported on the Device Certificates tab to open it.
   f. Select Trusted Root CA and then click OK.
Step 5 Create a client certificate profile.
Note: If you are setting up the portal and/or gateway for two-factor authentication, the username from the client certificate will be used as the username when authenticating the user to your external authentication service. This ensures that the user who is logging in is actually the user to whom the certificate was issued.
1. Select Device > Certificates > Certificate Management > Certificate Profile and click Add and enter a profile Name.
2. Select a value for the Username Field to specify which field in the certificate will contain the user’s identity information.
3. In the CA Certificates field, click Add, select the Trusted Root CA certificate you imported in Step 4 and then click OK.
Step 6 Save the configuration. Click Commit.
Set Up Client Certificate Authentication (Continued)
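The following is an added example, not part of the guide: a set of checks to run with the openssl command line before importing the root CA in Step 4 and choosing the Username Field in Step 5. It assumes openssl is installed and that the Username Field will be the subject common name; the certificates, the CA name "Example Client CA" and the user "jdoe" are constructed test data.

```sh
#!/bin/sh
# Added example (not from the guide): checks to run before Step 4 and Step 5.
# All certificates are constructed test data; names such as "jdoe" are assumptions.
set -eu

# Build a throwaway root CA and one client certificate issued by it.
make_sample_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Client CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=jdoe" \
    -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null
  openssl x509 -req -in "$1/client.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/client.pem" 2>/dev/null
}

# Step 4d expects Base64 (PEM); a DER download fails this check.
is_pem_cert() {
  grep -q -e '-----BEGIN CERTIFICATE-----' "$1" &&
    openssl x509 -in "$1" -inform PEM -noout 2>/dev/null
}

# A root CA verifies against itself; an intermediate or leaf does not.
is_self_signed() { openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; }

# The client certificate must chain to the CA you are about to mark as trusted.
chains_to() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Value the profile would read if the Username Field is the subject common name.
subject_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt multiline |
    sed -n 's/^ *commonName *= //p' | head -n 1
}

# Demonstration on the constructed certificates.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
make_sample_pki "$demo"
is_pem_cert "$demo/ca.pem" && echo "root CA file is PEM"
is_self_signed "$demo/ca.pem" && echo "root CA is self-signed"
chains_to "$demo/ca.pem" "$demo/client.pem" && echo "client cert chains to root CA"
echo "username candidate: $(subject_cn "$demo/client.pem")"
```

Run the same functions against the real root CA file and one issued client certificate; a client certificate that does not chain to the file you downloaded means you have the wrong CA certificate for the certificate profile.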