Manually Set OID Registry for Certificate Selection
35693
Created On 10/27/20 21:26 PM - Last Modified 12/14/21 00:07 AM
Objective
This article helps to list the steps that are required to manually set a specific OID to select the best matching certificate for portal/gateway authentication before initial connect to the portal.
Environment
- New GlobalProtect installation.
- User is under domain controller management
- Portal uses Certificate for authentication
- Windows OS system
- Any PAN-OS version
Procedure
- Install GP App directly on PC or push by the Domain controller using GPO.
Note: For more information regarding the installation of the GlobalProtect App, please refer to the following document.
- Use the Domain Controller to push registry key with the name ext-key-usage-oid-for-client-cert to the user PC under this path Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings with the OID required value which match the certificate the we want to use.
- Reboot users PC to make this registry change effective.
- After reboot use GP App to connect to the company Portal, in this case the GP knows which certificate should be used for authentication and no need to prompt the user to select the certificate.
Additional Information
Note: When you create the certificate, you can specify the OID to identify the certificate’s purpose. Some of the most commonly used OIDs are:
- 1.3.6.1.5.5.7.3.1 — Server Authentication
- 1.3.6.1.5.5.7.3.2 — Client Authentication (default match criteria)
- 1.3.6.1.5.5.7.3.3 — Code Signing
- 1.3.6.1.5.5.7.3.4 — Email Protection
- 1.3.6.1.5.5.7.3.5 — IPSec End System
- 1.3.6.1.5.5.7.3.6 — IPSec Tunnel
- 1.3.6.1.5.5.7.3.7 — IPSec User
- 1.3.6.1.5.5.7.3.8 — Time Stamping
- 1.3.6.1.5.5.7.3.9 — OCSP Signing
How Does the App know which Certificate to Supply guide