About Certificate Deployment
There are two basic approaches to deploying certificates for GlobalProtect LSVPN:

- Enterprise Certificate Authority—If you already have your own enterprise certificate authority, you can use this internal CA to issue an intermediate CA certificate for the GlobalProtect portal to enable it to issue certificates to the GlobalProtect gateways and satellites. You can also configure the GlobalProtect portal to act as a Simple Certificate Enrollment Protocol (SCEP) client to issue client certificates to GlobalProtect satellites.
- Self-Signed Certificates—You can generate a self-signed root CA certificate on the firewall and use it to issue server certificates for the portal, gateway(s), and satellite(s). When using self-signed root CA certificates, as a best practice, create a self-signed root CA certificate on the portal and use it to issue server certificates for the gateways and satellites. This way, the private key used for certificate signing stays on the portal.
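
The enterprise-CA hierarchy described above, modeled with OpenSSL as an added example (not from the original page and not PAN-OS configuration): a root CA issues an intermediate CA certificate for the portal, which then issues the gateway and satellite certificates. The function names, file names and `example-*` subject names are assumptions made for the illustration.

```shell
# Added illustration (not PAN-OS configuration): the enterprise-CA hierarchy
# modeled with OpenSSL. All subject and file names are constructed.

# Build root -> portal intermediate CA -> gateway/satellite certs in dir $1.
build_lsvpn_pki() (
  set -e
  mkdir -p "$1"; cd "$1"
  cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[root_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[portal_ca]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
EOF
  for n in root portal-ca gateway satellite; do
    openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
      -subj "/CN=example-$n" -keyout "$n.key" -out "$n.csr" 2>/dev/null
  done
  # Enterprise root signs itself, then issues the portal's intermediate CA.
  openssl x509 -req -in root.csr -signkey root.key -days 30 \
    -extfile pki.cnf -extensions root_ca -out root.crt 2>/dev/null
  openssl x509 -req -in portal-ca.csr -CA root.crt -CAkey root.key \
    -CAcreateserial -days 30 -extfile pki.cnf -extensions portal_ca \
    -out portal-ca.crt 2>/dev/null
  # The portal's intermediate CA issues the gateway and satellite certs.
  for n in gateway satellite; do
    openssl x509 -req -in "$n.csr" -CA portal-ca.crt -CAkey portal-ca.key \
      -CAcreateserial -days 30 -extfile pki.cnf -extensions leaf \
      -out "$n.crt" 2>/dev/null
  done
)

# True only if cert $2 in dir $1 chains through the portal CA to the root.
chain_ok() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/portal-ca.crt" \
    "$1/$2.crt" >/dev/null 2>&1
}

# True only if cert $2 in dir $1 is marked as a CA (may sign certificates).
is_ca() {
  openssl x509 -in "$1/$2.crt" -noout -text | grep -q 'CA:TRUE'
}
```

Run `build_lsvpn_pki ./pki`, then `chain_ok ./pki gateway` and `is_ca ./pki satellite` to confirm that the leaf certificates chain to the root and that only the root and the portal's intermediate certificate can sign.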