Products
Solutions
Partners
Support
Company
Try Now
Pulse Secure Community
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Android Junos Pulse will not accept Cert.

SOLVED
Go to solution
mattspierce_
Frequent Contributor
‎04-27-2012 07:05:AM
‎04-27-2012 07:05:AM

Android Junos Pulse will not accept Cert.

I'm attempting to get certificate authentication working. I've tested it out on the Windows Client and the iOS Junos Pulse mobile so I know that the signin, realm, and auth servers are correct. On my android device I can't seem to get the cert format correct. First off, why doesnt adroid pulse client support pfx/p12? That is the easiest most common format for an exported keypair and certificate. Even better, why isn't the certificate interface integrated into the Android certfificate store? Your duiplicating work and making it more difficult to deploy.

So far I have exported my pfx file with the command line

openssl pkcs12 -in cred.p12 -out certkey.pem -nodes -clcerts

I've then setup the option to use certs in three different ways with the Junos Client

1)Point the client to certkey.pem for both dialog choices

2)Split certkey.pem into a cert.pem and key.pem. In the pulse client I configured the certs as apropriate.

2)Split certkey.pem into a cert.pem and key.pem. I then edited the .pem files and removed all headers leaving the begin cert and end cert header. In the pulse client I configured the certs as apropriate.

3)I took the cert.pem and key.pem and removed all headers leaving only the ciphertext. I renamed those files cert.der and key.der respectivly. In the pulse client I configured the certs as apropriate.

In all cases I get the error "Failed to connect to the server! Check your Certificate." I have a trace running on the realm the client points to for the UPN the cert uses. In all cases I never see a login attempt. I have client cert logging on and the user log shows no attempt. That tells me that the client isn't digesting the cert or even trying to login. So where am I messing up?

0 Kudos
1 ACCEPTED SOLUTION

Accepted Solutions
AJA_
Frequent Contributor
‎04-29-2012 06:37:PM
‎04-29-2012 06:37:PM

Re: Android Junos Pulse will not accept Cert.

We also have a KB - KB19692

 

Hope that helps.

View solution in original post

0 Kudos
18 REPLIES 18
zanyterp_
Respected Contributor
‎04-27-2012 10:49:AM
‎04-27-2012 10:49:AM

Re: Android Junos Pulse will not accept Cert.

To answer your first question on the difficulty, android itself doesn't have good support for certificate authentication. Any changes needed are required by the OS itself.

If you don't have cert auth enabled, do you see the connection attempt?
0 Kudos
mattspierce_
Frequent Contributor
‎04-27-2012 01:13:PM
‎04-27-2012 01:13:PM

Re: Android Junos Pulse will not accept Cert.

With Use Cert disable I get Missing Certificate Check that your Certificate is valid and up-to-date and try again on the client side.

Here are the user side logs.

InfoAUT234572012-04-27 15:10:55 - ive - [76.164.174.115] System(pulse_cert)[] - Login failed using auth server Adtran-PKI (Certificate Server). Reason: NoCert
InfoAUT243272012-04-27 15:10:55 - ive - [76.164.174.115] System(pulse_cert)[] - Primary authentication failed for /Adtran-PKI from 76.164.174.115
InfoCRT306632012-04-27 15:10:55 - ive - [76.164.174.115] System()[] - client certificate received: -----BEGIN CERTIFICATE----------END CERTIFICATE-----
0 Kudos
mattspierce_
Frequent Contributor
‎04-27-2012 01:39:PM
‎04-27-2012 01:39:PM

Re: Android Junos Pulse will not accept Cert.

About useing the certificate store, is the problem a lack of api access to the cert store? I've installed certs there and used them for wifi auth and activesync. But those are built in capabilities.

0 Kudos
zanyterp_
Respected Contributor
‎04-27-2012 07:09:PM
‎04-27-2012 07:09:PM

Re: Android Junos Pulse will not accept Cert.

I believe it may be an API access, yes; however, I am not sure. I only know the ability of pulse to use certificates is very limited on android.
0 Kudos
AJA_
Frequent Contributor
‎04-29-2012 06:31:PM
‎04-29-2012 06:31:PM

Re: Android Junos Pulse will not accept Cert.

May I know the Android OS version you are running on?

 

There are few certificate issues on 2.1 - Upgrading to 2.2 / 2.3 has helped many Android users.

0 Kudos
AJA_
Frequent Contributor
‎04-29-2012 06:37:PM
‎04-29-2012 06:37:PM

Re: Android Junos Pulse will not accept Cert.

We also have a KB - KB19692

 

Hope that helps.

0 Kudos
mattspierce_
Frequent Contributor
‎04-30-2012 09:02:AM
‎04-30-2012 09:02:AM

Re: Android Junos Pulse will not accept Cert.

Thank you for the KB reference. I was missing the PEM to DER conversion. Once I got that squareed it works like a champ. The device interface allows you to reference a .PEM or .DER format file. I had already trimmed the Bag header as requested in the KB. Does the Pulse Mobile android client not suport .PEM then? I'm also not happy having an unencrypted key file sitting on the filesystem. In my minde it would make the most sense if you implemented a client keystore. And allowed import of .pfx. That seems to be the least worst option for provisioning the mobile client. The key is encrypted right up to it being entered into the pulse mobile keystore and then the pfx file should be deleted.

0 Kudos
AJA_
Frequent Contributor
‎05-04-2012 07:17:PM
‎05-04-2012 07:17:PM

Re: Android Junos Pulse will not accept Cert.

Please open a JTAC ticket to pass this information and I am sure you should get some help on the last comment of yours.

 

I am happ that my KB reference helped you.

 

 

 

Please mark this post as 'accepted solution' if this answers your question that way it might help others as well, a kudo would be a bonus thanks

0 Kudos
zanyterp_
Respected Contributor
‎05-07-2012 08:39:PM
‎05-07-2012 08:39:PM

Re: Android Junos Pulse will not accept Cert.

@mattspierce wrote:

Thank you for the KB reference.  I was missing the PEM to DER conversion. Once I got that squareed it works like a champ.  The device interface allows you to reference a .PEM or .DER format file.  I had already trimmed the Bag header as requested in the KB.  Does the Pulse Mobile android client not suport .PEM then?  I'm also not happy having an unencrypted key file sitting on the filesystem.  In my minde it would make the most sense if you implemented a client keystore.  And allowed import of .pfx.  That seems to be the least worst option for provisioning the mobile client.  The key is encrypted right up to it being entered into the pulse mobile keystore and then the pfx file should be deleted.  

these are reasonable; however, this is not something that is/has been available on the android system. the kb you used is working around the limitation of what is available on this OS. i would recommend working with your account team for an enhancement request to get the desire noted through proper channels

0 Kudos
© 2017 Pulse Secure, LLC. Use of this website assumes acceptance of our Legal Notices and Privacy Policy. Pulse Secure has updated its Privacy Policy effective June 28, 2017.