Does the HIP object set for the certificate check require the client machine to have both the public and private key of the certificate?

Created On 01/23/23 16:31 PM - Last Modified 01/23/23 21:06 PM


Question


Does the HIP object set for the certificate check require the client machine to have both the public and private key of the certificate?

Environment


  • GlobalProtect
  • Supported PAN-OS
  • HIP Check


Answer


  1. Yes. A HIP certificate check on the client machine looks for both the public and private key of a certificate issued by the CA certificate referenced in the certificate profile attached to the HIP object.
  2. If the client does not hold the private key for the certificate, the certificate is not considered valid.

GUI: Objects > GlobalProtect > HIP Objects > Add > Certificate


Additional Information


  • Usually, HIP checks are used to match machine, user, or internal-PKI-issued certificates on clients. Such certificates are considered valid only as a public and private key pair.
  • Public root CA or intermediate CA certificates, such as those from GoDaddy or DigiCert, carry only public keys. They are used as trusted root CA certificates and cannot be matched by a HIP certificate check.
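The following is an added example, not from this article or from Palo Alto Networks, covering both the answer and the note above: a pre-flight check an administrator can run on a Windows endpoint to see whether it holds a certificate that can satisfy a HIP certificate object (issuer matches the CA in the certificate profile and the private key is present), and to show why a public-only CA certificate never can. The CA name 'Corp-Issuing-CA' and the Personal ("My") store location are assumptions.

```powershell
# Added example (not the KB article's code). Assumption: the candidate client
# certificate lives in the Personal ("My") store and its issuer subject contains
# the string passed in -IssuerMatch (here the assumed name 'Corp-Issuing-CA').
function Get-HipCertificateCandidate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $IssuerMatch,
        [ValidateSet('LocalMachine', 'CurrentUser')] [string] $StoreLocation = 'LocalMachine'
    )
    $now = Get-Date
    Get-ChildItem -Path "Cert:\$StoreLocation\My" |
        Where-Object { $_.Issuer -like "*$IssuerMatch*" } |
        ForEach-Object {
            $inDate = ($_.NotBefore -le $now) -and ($_.NotAfter -ge $now)
            [pscustomobject]@{
                Subject           = $_.Subject
                Thumbprint        = $_.Thumbprint
                NotAfter          = $_.NotAfter
                # A matching issuer alone is not enough: without the private key
                # the HIP check treats the certificate as not valid.
                HasPrivateKey     = $_.HasPrivateKey
                SatisfiesHipCheck = $_.HasPrivateKey -and $inDate
            }
        }
}

# Report candidates from both store locations on this endpoint.
foreach ($loc in 'LocalMachine', 'CurrentUser') {
    $report = @(Get-HipCertificateCandidate -IssuerMatch 'Corp-Issuing-CA' -StoreLocation $loc)
    if ($report.Count -eq 0) {
        Write-Host "[$loc] no certificate issued by the expected CA in the Personal store"
    } else {
        $report | Format-Table -AutoSize
    }
}

# The CA's own certificate in the trusted root / intermediate stores carries only
# a public key (HasPrivateKey = False), which is why such certificates cannot be
# matched by a HIP certificate check.
Get-ChildItem -Path 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA' |
    Where-Object { $_.Subject -like '*Corp-Issuing-CA*' } |
    Select-Object Subject, HasPrivateKey
```

Run it in an elevated session so the LocalMachine stores are readable; a candidate with SatisfiesHipCheck = False and HasPrivateKey = False is the typical cause of an unexpected HIP certificate-check failure.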

