Solved: Re: Android Junos Pulse will not accept Cert. - Page 2

rdit_ · ‎05-22-2012

I'm trying to get the Cert Authentication working for over 2 days now and I tried everything. Could someone help me on that?

I did everything explained in the KB:

On Client-Side: I have a separated key.der and cert.der of the self-signed cert, I have the root-certificate that was used to sign the certificate which I installed to the android device from SD Card.

On the SA-Side: The SA's server-certificate is valid and up2date. Our root-CA was also imported to the trusted user-store of the SA.

As soon as I force a client-certificate on role or realm-level the authentication fails. If I dont ask for a certificate, anything works fine from an ASUS Transformer Pad.

When it fails I get the same error as in message 3 of this thread.

What am I missing?

zanyterp_ · ‎05-23-2012

What is the failure message you see in your user access log?

Do you have other certificate-based servers you can test against to see if the certifcate was installed successfully?

Is the certificate listed in the trusted client CAs (where it needs to be for getting from a client device) at System>Configuration>Certificates>Trusted Client CAs?

rdit_ · ‎05-23-2012

What is the failure message you see in your user access log?

I get the NoCert Message on the access log.

Do you have other certificate-based servers you can test against to see if the certifcate was installed successfully?

No, unfortunately I dont!

Is the certificate listed in the trusted client CAs

Well, only the CA-Certificate (that was used to sign the client-cert) is listed there and this is working cause our iPads dont have any problems connecting with certificates (they just need a p12, not 2 separerated DER's like on Android). I just added the client-cert itself to the trusted client CA's but that doesnt help either.

mattspierce_ · ‎05-29-2012

I had very similar results as you did. The step I was missing was converting the pem files to der.

openssl x509 -in certificate.pem -inform PEM -out certificate.der -outform DER
openssl rsa -in privatekey.pem -inform PEM -out privatekey.der -outform DER

Could you be referencing old certs that are still in pem format?

rdit_ · ‎06-04-2012

Yes I used the DER-Format, I payed attention to all the advices from the KB Article.

I opened a case at JTAC last week but they havent found a solution yet either.

mark.ceyrolles_ · ‎09-11-2012

rdit - Did you ever get this working?

I too have followed KB19692 to the letter and am unable to get this working.

The error message I'm getting is "Missing Certificate. Check that your certificate is valid and up-to-date, and try again."

One thing I did notice is that the Junos Pulse Client is specifically looking for certs in "/MNT/SDCARD" but the SD card is actually mounted as "/MNT/SDCARD-EXT" .

I'm using a Motorola Droid4 running droid OS 4.0.4 with Pulse client 4.0.2.24009

SHKM_ · ‎09-11-2012

Hi Mark,

How did you figure out this info?

One thing I did notice is that the Junos Pulse Client is specifically looking for certs in "/MNT/SDCARD" but the SD card is actually mounted as "/MNT/SDCARD-EXT" .

Thanks,

rdit_ · ‎09-11-2012

Hi Mark,

no I didnt get it working and it seems that this is not supposed to work at all. Certificate Authentication works with an Certificate Server and thats what all the KB's are about. Its actually not possible to use a role-based check for client-certs on android. You can just authenticate clients with a client-cert through an certificate-server but not just require a client to present a cert for login.

This is working for iOS (iPhone, iPad) Devices and under normal Desktop OSes (WinXP, 7,...) but not for Android.

SHKM_ · ‎09-12-2012

Yes, certificate authentication should work fine but not the certificate check in Andriod. You can refer the KB22019.

Thanks,