If your endpoints have multiple client certificates,
you can use the OID to instruct GlobalProtect which certificate
to select.
If you deploy multiple certificates to your
end user devices for distinct use cases--for example machine certificates,
user certificates, and email encryption certificates all issued
by the same certificate authority--it can be difficult to distinguish
which certificate to use in which use case. To help with this, you
can designate a specific object identifier (OID) that you want GlobalProtect
to use to identify which certificate to use. This simplifies and
improves the certificate selection process when your macOS or Windows
endpoints have multiple certificates installed.
An OID is
a numeric value that identifies the application or service for which
a certificate is used. When the certificate authority (CA) creates
the certificate, the CA automatically includes the OID in the Enhanced
Key Usage field.
When you
create the certificate, you can specify the OID to identify the
certificate’s purpose. By default, GlobalProtect automatically filters
the certificates for those that specify a Client Authentication
purpose (OID 1.3.6.1.5.5.7.3.2) so it is not necessary to specify
the OID associated with Client Authentication. However, if you want
to use a different OID to distinguish the certificate you want GlobalProtect
to select, you can specify a different certificate usage when you
create the certificate and then instruct GlobalProtect to select
the certificate with the corresponding OID. Some of the most commonly
used OIDs are:
1.3.6.1.5.5.7.3.1—Server Authentication
1.3.6.1.5.5.7.3.3—Code Signing
1.3.6.1.5.5.7.3.4—Email Protection
1.3.6.1.5.5.7.3.5—IPSec End System
1.3.6.1.5.5.7.3.6—IPSec Tunnel
1.3.6.1.5.5.7.3.7—IPSec User
1.3.6.1.5.5.7.3.8—Time Stamping
1.3.6.1.5.5.7.3.9—OCSP Signing
For example,
say your endpoints have four client certificates installed, but
the one you want your users to select has the OID 1.3.6.1.5.5.7.3.1.
Rather than having the GlobalProtect app to present all four client
certificates to the user, you can specify the Extended
Key Usage OID in the GlobalProtect portal
app configuration for the users whose endpoints have multiple client
certificates. Keep in mind that if multiple client certificates
on the endpoint have the matching OID, GlobalProtect will prompt
the user to select the client certificate from the filtered list.
GlobalProtect
uses only the Extended Key Usage OID field of the certificate and
does not evaluate any other certificate fields such as Subject Name to
determine whether to present the certificates. Note that the Extended
Key Usage OID value is different from the Certificate Template Information
OID. For other certificate selection requirements, see How Does the App Know Which Certificate to Supply?
To
configure the OID as a requirement for certificate selection:
(Optional) Create or edit the client
certificate and note the associated OID.
Open the Certificate Templates snap-in.
In the Details pane, create or edit the certificate
template you want to modify, and then click Properties.
On the Extensions tab, select Application PoliciesEdit.
In the Edit Application Policies Extension dialog
box, click Add.
In Add Application Policy, ensure that the application
you are creating does not exist, and then click New.
In the New Application Policy dialog box, provide
the name for the new application policy (for example GlobalProtect
Authentication).
Note the generated object identifier, and then click OK.
Specify the certificate’s object identifier (OID) in
the Extended Key Usage OID field as part of the appropriate GlobalProtect portal
app configuration.