Support for Native Certificate Store for Prisma Access and GlobalProtect App on Linux Endpoints
Support for Native Certificate Store for the GlobalProtect App on Linux Endpoints
Where Can I Use This?
  • Prisma Access
  • GlobalProtect™ Subscription
What Do I Need?
  • Prisma Access Mobile Users license (for use with Prisma Access)
  • GlobalProtect app 6.2 or later
  • GlobalProtect endpoints running Linux
Native certificate store support enables the GlobalProtect app installed on Linux endpoints to use certificates from the system's certificate store for:
  • Client certificate authentication to the portal and gateway
  • GlobalProtect app log reporting
Previously, the GlobalProtect app used only client certificates installed with the GlobalProtect CLI command, which stores them in the /opt/paloaltonetworks/globalprotect/file directory on Linux endpoints.
To configure the GlobalProtect app to use a certificate in the native certificate store, you must:
  1. Place the certificate in the native store location.
    For example:
    sudo cp xxxxx.cert.pem /etc/ssl/certs
    sudo cp xxxxx.key.pem /etc/ssl/private
    The following are the cert store locations for various Linux platforms:
    • Ubuntu:
      • Cert: /etc/ssl/certs
      • Key: /etc/ssl/private
    • Fedora:
      • Cert: /etc/ssl/certs
      • Key: /etc/ssl/private
    • Red Hat
      • Cert: /etc/pki/tls/certs
      • Key: /etc/pki/tls/private
    The supported formats are:
    • .pem
    • .p12
    • When the certificate is in .pem format, the certificate resides in the /etc/ssl/certs location and the key resides in the /etc/ssl/private location. The key file in /etc/ssl/private can be in either .pem or .key format.
    • When the certificate is in .p12 format, the bundle already contains the key, so only the certificate bundle containing the key is placed in the /etc/ssl/certs location.
    Root access is required to place the certificate with the sudo cp command in the locations listed above for the various Linux platforms; the commands at the start of this step show the Ubuntu paths.
  2. (Optional) Store the key in the /etc/ssl/private folder if the certificate is .pem format.
  3. Connect GlobalProtect, select your client certificate, and proceed with the next steps. End users must enter the passcode to authenticate to the app for the first time. The app will not prompt end users to enter the passcode for the subsequent authentication attempts unless the app is uninstalled or the user is signed out of GlobalProtect from the portal.
    If the certificate format used is .pem and more than one certificate matches the criteria, the GlobalProtect app filters the certificates and displays the matching ones in the Certificate Selection pop-up window. For a certificate to appear in the Certificate Selection pop-up window, it must:
    • Match the CA list
    • Match the Client Authentication OID
    • Not be in Pending or Expired status.
    If the format used is .p12, the app does not filter the certificates and the Certificate Selection pop-up window displays all the certificates.
    Upgrade Scenario:
    • When you are using Client Certificate Authentication and upgrade to the GlobalProtect app version 6.2.0, you must reboot your system after a successful version upgrade.
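The checks in Step 3 (CA list, Client Authentication OID, not expired) are applied by the app after the certificate is already in the store; it saves a round of troubleshooting to apply them before copying. The script below is an added example and is not Palo Alto Networks tooling. It assumes openssl and GNU coreutils (install, stat) are available, stages a .pem certificate/key pair or a .p12 bundle into the directory layout described in Step 1, and refuses pairs whose key does not match the certificate, whose certificate lacks the Client Authentication EKU, is expired, or (optionally) does not chain to a CA bundle. The demo certificate it generates is a constructed self-signed throwaway; the function names and the demo subject are this example's own.

```shell
#!/bin/sh
# Added example (not Palo Alto Networks code). Pre-flight checks for a GlobalProtect
# client certificate before staging it into the native store paths from Step 1.
# Assumes: openssl, GNU install and stat. Real installs need sudo and the
# platform paths (/etc/ssl/certs + /etc/ssl/private, or /etc/pki/tls/... on Red Hat).
set -e

# The public key derived from the cert must equal the one derived from the key.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# The app lists only certs carrying the Client Authentication EKU (1.3.6.1.5.5.7.3.2).
has_client_auth_eku() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'X509v3 Extended Key Usage' \
    | grep -q 'TLS Web Client Authentication'
}

# -checkend 0 fails when notAfter is already in the past.
not_expired() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Optional CA-list check: the cert must chain to a CA in bundle $2.
issued_by_ca() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# stage_pem_pair CERT KEY CERTDIR KEYDIR [CA_BUNDLE]
# .pem layout: cert goes to the certs dir (world-readable), key to the private dir (0600).
stage_pem_pair() {
  cert=$1; key=$2; certdir=$3; keydir=$4; ca=${5:-}
  key_matches_cert "$cert" "$key" || { echo "reject: key does not match cert" >&2; return 1; }
  has_client_auth_eku "$cert"     || { echo "reject: no Client Authentication EKU" >&2; return 1; }
  not_expired "$cert"             || { echo "reject: certificate expired" >&2; return 1; }
  if [ -n "$ca" ]; then
    issued_by_ca "$cert" "$ca"    || { echo "reject: not issued by a CA in $ca" >&2; return 1; }
  fi
  install -m 0644 "$cert" "$certdir/"
  install -m 0600 "$key" "$keydir/"
}

# stage_p12 FILE PASSWORD CERTDIR
# .p12 layout: the bundle already holds the key, so only the certs dir receives it;
# it is kept 0600 because it embeds the private key.
stage_p12() {
  openssl pkcs12 -in "$1" -noout -passin "pass:$2" >/dev/null 2>&1 \
    || { echo "reject: not a readable PKCS#12 bundle (wrong password?)" >&2; return 1; }
  install -m 0600 "$1" "$3/"
}

# Constructed throwaway self-signed cert for demonstration only (hypothetical subject).
# $2 selects the EKU so a non-client cert can be shown being rejected.
make_demo_cert() {
  dir=$1; eku=$2
  cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = constructed-demo-client
[ext]
extendedKeyUsage = $eku
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" -config "$dir/req.cnf" >/dev/null 2>&1
}

# Stage a constructed clientAuth cert into temporary stand-ins for the store dirs.
demo() {
  t=$(mktemp -d); mkdir -p "$t/src" "$t/certs" "$t/private"
  make_demo_cert "$t/src" clientAuth
  stage_pem_pair "$t/src/cert.pem" "$t/src/key.pem" "$t/certs" "$t/private" "$t/src/cert.pem"
  ls -l "$t/certs" "$t/private"
}

case "${1:-}" in demo) demo ;; esac
```

Run `sh stage_client_cert.sh demo` to see the flow against temporary directories; for a real endpoint, source the file and call `sudo sh -c '. ./stage_client_cert.sh; stage_pem_pair client.cert.pem client.key.pem /etc/ssl/certs /etc/ssl/private'` with the paths for your platform from Step 1. The CA bundle argument should be the same CA list the portal or gateway presents, so that a certificate the app would silently drop from the Certificate Selection list is rejected here with a reason instead.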