I have a situation where I need to figure out how I should build the Realm filters based on certificates.
First realm - Users must only use specific smartcards - there are 4 different intermediate certs by the smartcard vendor.
Second realm - Users must have a specific CA certificate and a specific CN format.
Difficulty comes in limiting that the certificate from that second specific CA would not be used in the First realm. PCS accepts the certificate as it is in the Trusted Client CA list and enabled for client authentication. Thus the only way is to make a Realm level certificate filter with regex?? The CN attribute of those smartcards may contain umlauts.
Or is there some other feature of PCS to look into? Like something that could help lock the specific Trusted Client CA certificate to only one Realm?
@Rauno Did you try using the variable certIssuerDn.CN = CN of the CA as the restriction?
I haven't tried it, according to KB40548 that field cannot be used.
... for configuring custom certificate restrictions at the realm or role level ...
... Only attributes under the Subject section of the client certificate can be used ...
@Rauno Oh... that's odd.
I was able to use that in the realm restriction and only device with cert signed by filtered CA can access the page.