You have four options when implementing certificate-based client authentication for your GlobalProtect environment:
- Shared client certificate - every endpoint uses the same certificate to authenticate; it can be generated locally on the firewall or imported from a trusted CA. Note that a certificate pushed by the portal is installed in the user certificate store only. Machine certificates (which must be imported into the machine certificate store) cannot be pushed from the portal.
- Unique client certificates - requires either a SCEP server on your network or an internal PKI that issues a certificate to each machine individually, delivered through GPO or another device management system.
- Machine certificates - used with the Pre-Logon connect method to authenticate the device rather than the user.
- Certificate selection based on OID - a specific object identifier (OID) is used to identify which certificate the app should present when more than one is available.
The client certificate does not have to be signed by the same root CA that signed the 'Server Certificate' configured in the Portal/Gateway settings. However, make sure the full chain of trust for the client certificate, i.e. the Root CA plus any Intermediate CA(s), is imported on the appliance, and that the chain for the portal/gateway server certificate is trusted on the user's machine.
Note: The client certificate will be shown indented under its issuing CA when viewed under Device > Certificates in the GUI.
If the certificate is self-signed, the certificate itself must be imported as a trusted root CA (on the appliance for a self-signed client certificate, on the endpoint for a self-signed portal/gateway certificate), since there is no separate CA chain to import.
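As an added example (not part of the original article and not a Palo Alto Networks tool), the following openssl session builds a throwaway Root CA, Intermediate CA and client certificate, then uses `openssl verify` to show what the chain-of-trust requirement above and the self-signed case mean in practice, and checks for a custom OID of the kind used for OID-based certificate selection. The CA and subject names, the file names, and the OID 1.3.6.1.4.1.99999.1 are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the Palo Alto Networks article): a throwaway PKI built
# with openssl that shows why the appliance needs the FULL chain (Root +
# Intermediate) that issued the client certificate, why a self-signed
# certificate must itself be imported as a trusted root, and how to confirm a
# custom OID is present for OID-based certificate selection.
# Names, file paths and the OID 1.3.6.1.4.1.99999.1 are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
GP_OID="1.3.6.1.4.1.99999.1"   # assumed custom OID carried in the client cert's EKU

# Minimal openssl config: a dummy DN section (subjects are passed with -subj)
# plus extension profiles for CA certificates and for client certificates.
cat > "$WORK/pki.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[client_ext]
basicConstraints = critical,CA:FALSE
extendedKeyUsage = clientAuth,$GP_OID
subjectKeyIdentifier = hash
EOF

# gen_csr NAME SUBJECT: RSA key plus CSR for NAME under $WORK
gen_csr() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/$1.key" 2>/dev/null
  openssl req -new -config "$WORK/pki.cnf" -key "$WORK/$1.key" -subj "$2" -out "$WORK/$1.csr" 2>/dev/null
}

# Root CA (self-signed) -> Issuing CA -> client certificate
gen_csr root "/CN=Example Root CA"
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
  -extfile "$WORK/pki.cnf" -extensions ca_ext -out "$WORK/root.crt" 2>/dev/null
gen_csr int "/CN=Example Issuing CA"
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
  -days 30 -extfile "$WORK/pki.cnf" -extensions ca_ext -out "$WORK/int.crt" 2>/dev/null
gen_csr client "/CN=gp-user@example.test"
openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" -CAcreateserial \
  -days 30 -extfile "$WORK/pki.cnf" -extensions client_ext -out "$WORK/client.crt" 2>/dev/null

# A self-signed client certificate, i.e. no CA above it at all
gen_csr selfsigned "/CN=Self-signed GP client"
openssl x509 -req -in "$WORK/selfsigned.csr" -signkey "$WORK/selfsigned.key" -days 30 \
  -extfile "$WORK/pki.cnf" -extensions client_ext -out "$WORK/selfsigned.crt" 2>/dev/null

# What the appliance should hold for the client certificate: Root + Intermediate
cat "$WORK/root.crt" "$WORK/int.crt" > "$WORK/chain.pem"

# verify_chain TRUST_BUNDLE CERT: prints yes if CERT chains to TRUST_BUNDLE, else no
verify_chain() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo yes; else echo no; fi
}

# has_oid CERT OID: prints yes if OID appears among CERT's extensions, else no
has_oid() {
  if openssl x509 -in "$1" -noout -text | grep -qF "$2"; then echo yes; else echo no; fi
}

show() { printf '%-56s %s\n' "$1" "$2"; }
show "client.crt, trust = root only (intermediate missing):" "$(verify_chain "$WORK/root.crt" "$WORK/client.crt")"
show "client.crt, trust = root + intermediate:"              "$(verify_chain "$WORK/chain.pem" "$WORK/client.crt")"
show "selfsigned.crt, trust = root + intermediate:"          "$(verify_chain "$WORK/chain.pem" "$WORK/selfsigned.crt")"
show "selfsigned.crt, trust = itself as root:"               "$(verify_chain "$WORK/selfsigned.crt" "$WORK/selfsigned.crt")"
show "client.crt carries OID $GP_OID:"                       "$(has_oid "$WORK/client.crt" "$GP_OID")"
show "root.crt carries OID $GP_OID:"                         "$(has_oid "$WORK/root.crt" "$GP_OID")"
```

The first check fails even though the root is trusted, because the intermediate that actually issued the client certificate is absent; once Root + Intermediate are both in the trust bundle the same certificate validates. The self-signed certificate validates only when it is itself the trust anchor, which is the import-as-trusted-root step described above. On the firewall the equivalent is importing every CA certificate in the chain under Device > Certificates; the OID check mirrors what you would look for in the certificate before configuring OID-based selection.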
For instructions for how to:
Additional Information
For additional documentation regarding certificates and their use within the GlobalProtect environment, please refer to the following documents:
How Does the App Know Which Certificate to Supply?
Set Up Client Certificate Authentication