
Certificate based authentication dilemma

Rauno
Occasional Contributor

Hello,

I have a situation where I need to figure out how I should build the Realm filters based on certificates.

First realm - Users must only use specific smartcards - there are 4 different intermediate certs by the smartcard vendor.

Second realm - Users must have a specific CA certificate and a specific CN format.

The difficulty comes in limiting that the certificate from that second specific CA would not be used in the First realm. PCS accepts the certificate as it is in the Trusted Client CA list and enabled for client authentication. Thus the only way is to make a Realm level certificate filter with regex? The CN attribute of those smartcards may contain umlauts.

Or is there some other feature of PCS to look into? Like one that could help lock the specific Trusted Client CA certificate to only one Realm?

5 REPLIES
zanyterp
Moderator

Re: Certificate based authentication dilemma

Unfortunately, no, this cannot be done with a single realm; the easiest and most effective way will be to have two realms & two URLs, one for each cert.
You may be able to separate it out based on role mapping rules so that the cert attributes must apply to have the specific values you are looking for and/or have cert restrictions on the roles.
r@yElr3y
Moderator

Re: Certificate based authentication dilemma

@Rauno Did you try using the variable certIssuerDn.CN = CN of the CA as the restriction?

PCS Expert
Pulse Connect Secure Certified Expert
Rauno
Occasional Contributor

Re: Certificate based authentication dilemma

I haven't tried it; according to KB40548 that field cannot be used.

... for configuring custom certificate restrictions at the realm or role level ...
... Only attributes under the Subject section of the client certificate can be used ...

zanyterp
Moderator

Re: Certificate based authentication dilemma

Yes, you would not be able to use that for the certificate realm control; however, you may be able to do it using custom expressions and use it for role mapping that way.
r@yElr3y
Moderator

Re: Certificate based authentication dilemma

@Rauno Oh... that's odd.

I was able to use that in the realm restriction, and only devices with a cert signed by the filtered CA can access the page.

(attached screenshot: Screen clipping 2021-11-03 083448.png)

PCS Expert
Pulse Connect Secure Certified Expert
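The issuer-plus-subject split the thread converges on (issuer CN decides the smartcard realm; issuer CN and CN format together decide the second realm), modelled as an added Python example that is not Pulse Connect Secure code and was not posted in the thread. The issuer names, the employee CN format and the function names are constructed assumptions; the NFC step handles the umlaut concern raised in the question.

```python
import re
import unicodedata

# Constructed issuer CNs standing in for the four smartcard intermediate CAs
# and for the second realm's CA (assumptions; substitute the real issuer CNs).
SMARTCARD_ISSUER_CNS = {
    "SmartCard Vendor Intermediate CA 1",
    "SmartCard Vendor Intermediate CA 2",
    "SmartCard Vendor Intermediate CA 3",
    "SmartCard Vendor Intermediate CA 4",
}
EMPLOYEE_ISSUER_CN = "Example Employee CA"

# Assumed CN format for the second realm: "LASTNAME,FIRSTNAME,<5 digits>".
# [^\W\d_] means "letters only"; Python 3 regexes are Unicode by default,
# so it matches umlauts such as Ä, Ö, Ü, ä, ö, ü as well as ASCII letters.
EMPLOYEE_CN_RE = re.compile(r"[^\W\d_]+,[^\W\d_]+,\d{5}")


def normalize(value: str) -> str:
    # A CN may arrive precomposed (ü = U+00FC) or decomposed (u + U+0308).
    # A decomposed umlaut would not match the letter class above; NFC makes
    # both encodings compare and match identically.
    return unicodedata.normalize("NFC", value).strip()


def select_realm(issuer_cn: str, subject_cn: str):
    """Return 'smartcard', 'employee' or None for a client certificate, given
    its issuer CN (what the thread calls certIssuerDn.CN) and subject CN."""
    issuer_cn = normalize(issuer_cn)
    subject_cn = normalize(subject_cn)
    if issuer_cn in SMARTCARD_ISSUER_CNS:
        return "smartcard"  # first realm: the issuer alone decides
    if issuer_cn == EMPLOYEE_ISSUER_CN and EMPLOYEE_CN_RE.fullmatch(subject_cn):
        return "employee"  # second realm: issuer AND CN format both required
    return None  # trusted by the box, but matches neither realm


if __name__ == "__main__":
    # Constructed sample: an employee-CA cert must never land in the smartcard realm.
    print(select_realm("Example Employee CA", "MÜLLER,JÜRGEN,12345"))
```

A subject-only regex at realm level cannot express the issuer check, which is why an employee-CA certificate with a matching CN would otherwise be accepted by the first realm.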