As an alternative method for deploying client
certificates to satellites, you can configure your GlobalProtect
portal to act as a Simple Certificate Enrollment Protocol (SCEP)
client to a SCEP server in your enterprise PKI. SCEP operation is
dynamic in that the enterprise PKI generates a certificate when
the portal requests it and sends the certificate to the portal.

When the satellite device requests a connection to the portal or gateway,
it also includes its serial number with the connection request.
The portal submits a CSR to the SCEP server using the settings in
the SCEP profile and automatically includes the serial number of
the device in the subject of the client certificate. After receiving
the client certificate from the enterprise PKI, the portal transparently
deploys the client certificate to the satellite device. The satellite
device then presents the client certificate to the portal or gateway
for authentication.
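
The binding between the satellite's serial number and the certificate subject, described above, can be audited on issued certificates. The following is an added example, not part of the GlobalProtect documentation: it parses a subject string in RFC 4514 form and checks that the serial the satellite reported equals an attribute value exactly. Which attribute carries the serial (CN or serialNumber) is an assumption, and the sample subjects are constructed.

```python
import re

# Assumption: the SCEP profile places the serial in CN or serialNumber
# (OID 2.5.4.5); adjust to match your profile's subject template.
SERIAL_ATTRS = {"CN", "SERIALNUMBER", "2.5.4.5"}

def unescape(val):
    """Resolve RFC 4514 escapes (backslash + char, or single-byte hex pair)."""
    def repl(m):
        g = m.group(1)
        return chr(int(g, 16)) if len(g) == 2 else g
    return re.sub(r"\\([0-9A-Fa-f]{2}|.)", repl, val)

def parse_rfc4514(dn):
    """Split a subject string into (TYPE, value) pairs, honouring
    backslash escapes and multi-valued RDNs joined with '+'."""
    pairs, buf, i = [], [], 0
    def flush():
        item = "".join(buf).strip()
        buf.clear()
        if item:
            typ, sep, val = item.partition("=")
            if not sep:
                raise ValueError("malformed RDN: %r" % item)
            pairs.append((typ.strip().upper(), unescape(val.strip())))
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])   # keep the escaped char out of splitting
            i += 2
            continue
        if dn[i] in ",+":
            flush()
        else:
            buf.append(dn[i])
        i += 1
    flush()
    return pairs

def subject_binds_serial(subject, claimed_serial):
    """True only when a serial-bearing attribute equals the claimed serial
    exactly; substring or wrong-attribute matches are rejected."""
    want = claimed_serial.strip().upper()
    return bool(want) and any(
        typ in SERIAL_ATTRS and val.upper() == want
        for typ, val in parse_rfc4514(subject))

if __name__ == "__main__":
    # Constructed sample subjects and serials, not real device data.
    for subj, serial in [("CN=001606000123,O=Example Corp", "001606000123"),
                         ("CN=9001606000123,O=Example Corp", "001606000123")]:
        print(subj, "->", subject_binds_serial(subj, serial))
```

The second sample shows why a substring comparison is not enough: the claimed serial appears inside a longer CN value, and the check rejects it.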