GlobalProtect Machine Certificate Match Using OID - Knowledge Base - Palo Alto Networks

GlobalProtect Machine Certificate Match Using OID

Created On 06/15/22 15:14 PM - Last Modified 02/07/25 20:57 PM


Objective


How to use an OID to match a machine store certificate in Windows when that certificate is used for client side authentication for Global Protect. Specifically, this covers the case where there are multiple machine certificates issued from the same CA and you need to match one specific certificate.

Environment


PAN-OS 8.1 and later code on VM based Firewalls or On-Premise Firewalls.

Procedure


This procedure assumes a basic understanding of Global Protect configuration.  It does not cover the full Global Protect configuration and only points out the key settings for ensuring a machine store certificate in Windows can be matched using an OID for client side certificate authentication on the Global Protect Portal connection.  This knowledge document specifically focuses on matching a machine certificate even when multiple other certificates issued from the same Certificate Authority (CA) are present in the machine store in Windows.  Note that because this process is looking for certificate(s) in the Windows machine store, the Windows user will not have an option to choose the desired certificate.
  • I am using 3 certificates all issued by the same CA as seen below.  All three issued certs are installed into the Personal store in the Windows machine store.  The ROOT CA seen below will need to be imported into the firewall.  Just the ROOT certificate needs to be imported into the firewall; the KEY does not need to be imported:

  • Ensure that the client side machine certificate is valid and is installed in the Windows machine certificate store.  Below we can see the 3 machine certificates that I have installed in my Windows machine store.
 
  • MACHINE_CERT_ONE
  • MACHINE_CERT_TWO
  • MACHINE_CERT_THREE
     
  • Notice the 'Intended Purposes' column for each of the three certificates:
 
  • Seen below are the details of MACHINE_CERT_THREE, which is the machine cert we are attempting to match using the OID of 'IP security user (1.3.6.1.5.5.7.3.7)'.  Notice that 'Client Authentication (1.3.6.1.5.5.7.3.2)' is also listed as an Enhanced Key Usage (EKU).  This Client Authentication EKU MUST be present in the certificate's EKU or the certificate will never be selected.  This is the main point of this document: you can use custom EKU OIDs to match, but the certificate still needs to have 'Client Authentication (1.3.6.1.5.5.7.3.2)':
 
  • Below we can see that this ROOT-CA (Issued to: ROOT, Issued by: ROOT) was imported into the firewall. You can also see that the Key for this ROOT-CA cert does not need to be imported into the firewall for this to work.  This ROOT-CA and the machine cert were generated and signed with a 3rd party tool.  In my lab I used XCA software (https://hohnstaedt.de/xca/).  Note: the actual machine cert that goes in the Windows machine store does require both the Cert and the Key:

  • Create a new Certificate Profile and Add the CA ROOT cert that was imported to the firewall.  Leave the Username field equal to None as we will be using LDAP AD authentication for the username:

  • Next, Add the above certificate profile named 'MS-ROOT-CA1' in the Global Protect Portal configuration in the Authentication Tab as seen in the image below:

  • If not already configured, the Portal configuration should have a separate Agent Config for 'pre-logon' under Network > GlobalProtect > Portals > Agent.  This pre-logon Agent Config is required, or the Global Protect agent will give an error when attempting to connect saying it cannot find the client certificate:

  • As for the Global Protect (GP) Agent install, I used the following command in the Windows command prompt (DOS) to install the GP Agent and at the same time update the Windows registry to match on the following OID in the Windows machine cert store:
GlobalProtect64-5.2.11.msi PORTAL=gp.bear.com CONNECTMETHOD=pre-logon EXTCERTOID=1.3.6.1.5.5.7.3.7 CERTIFICATESTORELOOKUP=machine
  • The above command will tell the GP Agent to look for OID 1.3.6.1.5.5.7.3.7 in the machine store.  Just make sure you have already downloaded the 5.2.11 GP Agent (or the version of your choice) to the computer, and run that command in the directory that the GP Agent was downloaded to.
 
  • You'll notice I did not configure the OID match in the Portal Configuration, as I had left it blank (Network > GlobalProtect > Portals > Agent > pre-logon config > App TAB > Extended Key Usage OID for Client Certificate).  You can choose to add the OID 1.3.6.1.5.5.7.3.7 in this Portal configuration, use the install command as seen above, or use both.  The only difference is that with the install command, the GP Agent will be able to find the certificate on the very first connection.  If the OID is configured only in the Portal Config, the GP Agent must first connect to the Portal at least once to pull the Portal configuration down before subsequent connections can match that OID:

  • Once the GP Agent is connected using the correct machine certificate, you can use the PanGPA.log (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClaLCAS) to verify that the correct certificate was selected.
 
  • In the next image below, from my lab testing, the PanGPA.log shows the 3 machine certificates issued from the same CA.  Please see that graphic for details on what the log shows and a detailed explanation.  In the graphic we see that box #2 has the certificate that is selected, which is MACHINE_CERT_THREE:
  • Box#1 MACHINE_CERT_TWO - No Match as OID 1.3.6.1.5.5.7.3.7 not in this Cert
  • Box#2 MACHINE_CERT_THREE - Match as OID 1.3.6.1.5.5.7.3.7 AND OID 1.3.6.1.5.5.7.3.2 Found in this Cert
  • Box#3 MACHINE_CERT_ONE - No Match although OID 1.3.6.1.5.5.7.3.7 is Found in this Cert, but OID 1.3.6.1.5.5.7.3.2 is Not in this Cert as required to be a valid Cert
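The selection rule shown in the three boxes above (custom OID present AND Client Authentication present) can be checked on the Windows machine before the GP Agent is installed.  The following PowerShell is an added example and is not part of the Palo Alto Networks article or the GP Agent; it assumes the certificates are in the Personal store of the machine store (Cert:\LocalMachine\My) and that the custom OID is 1.3.6.1.5.5.7.3.7 as used in this article.  The function name Test-GpCertificateMatch is made up for this example.

```powershell
# Added example (not from the KB article): list machine store certificates and
# show which ones satisfy the two-OID rule described above.
param(
    [string]$CustomOid = '1.3.6.1.5.5.7.3.7',    # same OID as EXTCERTOID / Portal config
    [string]$StorePath = 'Cert:\LocalMachine\My' # Personal store of the machine store
)
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'             # Client Authentication, always required
$Now = Get-Date

function Test-GpCertificateMatch {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # EnhancedKeyUsageList is filled from the certificate's EKU extension by the Cert: provider
    $ekus = @($Cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    $hasCustom     = $ekus -contains $CustomOid
    $hasClientAuth = $ekus -contains $ClientAuthOid
    [pscustomobject]@{
        Subject       = $Cert.Subject
        Issuer        = $Cert.Issuer
        Thumbprint    = $Cert.Thumbprint
        HasPrivateKey = $Cert.HasPrivateKey                    # machine cert needs Cert AND Key
        InValidity    = ($Cert.NotBefore -le $Now) -and ($Cert.NotAfter -ge $Now)
        HasCustomOid  = $hasCustom                             # box #1 fails here
        HasClientAuth = $hasClientAuth                         # box #3 fails here
        # Selectable only when BOTH OIDs are present (box #2 in the PanGPA.log graphic)
        Selectable    = $hasCustom -and $hasClientAuth
    }
}

Get-ChildItem -Path $StorePath |
    ForEach-Object { Test-GpCertificateMatch -Cert $_ } |
    Sort-Object -Property Selectable -Descending |
    Format-Table Subject, HasPrivateKey, InValidity, HasCustomOid, HasClientAuth, Selectable -AutoSize
```

If more than one certificate from the same issuer shows Selectable = True, the agent's choice among them is not controlled by this rule, so the custom OID should be unique to the certificate you intend to match.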

Additional Information


  • XCA software
    (https://hohnstaedt.de/xca/) 
  • How to Collect Logs from GlobalProtect Clients
    (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClaLCAS)