Hi all, I'm currently looking into setting up certificate authentication for Windows Hello for Business users. I have set up a cert server and imported the trusted client CA root cert (without keys) to Pulse, and created a new realm etc., which all works, but I have a few questions as below.
When devices connect through, is there any handshake as part of the certificate authentication process? To me it just looks like Pulse checks that there is a valid CA cert present and makes sure the cert is not revoked via CRL/OCSP if enabled. I'm trying to assess the security implications of this: if someone (i.e. an attacker) was able to export or get hold of the client cert on a device and then install it on another non-work laptop, I'd presume Pulse would still accept it with or without the keys. Does anyone have best practice guides on this? I'd think making sure the certificate and keys are non-exportable and also storing the cert in the TPM is a must.
We do use other security measures such as Host Checker, so I mainly want advice on securing certificate authentication.
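An added example, not from the post above or from Pulse Secure, of one check a practitioner can run on an enrolled Windows device: it lists the certificates in the user's personal store issued by your CA (the issuer string is a placeholder), reports which key storage provider holds each private key, and whether the key's export policy allows export. It assumes Windows PowerShell 5.1 with .NET Framework 4.6 or later, and handles RSA keys only.

```powershell
# Added example (not from the original post). Lists client certificates that
# chain to a given issuer and shows where the private key lives and whether
# the key can be exported. Assumes Windows PowerShell 5.1 / .NET 4.6+.
$IssuerFilter = 'CN=YOUR-ISSUING-CA'   # placeholder: substitute your CA's subject name

Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and $_.Issuer -like "*$IssuerFilter*" } |
    ForEach-Object {
        $cert = $_
        # Opens a handle to the private key; for CNG/TPM keys this does not export anything.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        $provider   = 'non-RSA or inaccessible key'
        $exportable = 'unknown'
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            # CNG key: the provider name tells you which KSP stores it, and the
            # export policy None means the key cannot leave that provider.
            $provider   = $rsa.Key.Provider.Provider
            $exportable = ($rsa.Key.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None)
        } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            # Legacy CAPI key container: software-only, so never TPM-backed.
            $provider   = $rsa.CspKeyContainerInfo.ProviderName
            $exportable = $rsa.CspKeyContainerInfo.Exportable
        }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            Provider   = $provider
            TpmBacked  = ($provider -eq 'Microsoft Platform Crypto Provider')
            Exportable = $exportable
            NotAfter   = $cert.NotAfter
        }
    } | Format-Table -AutoSize
```

A row showing a software provider or `Exportable = True` is the case the post worries about; the TPM platform provider with export policy None is what the non-exportable requirement looks like in practice.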