In order to work around the recent issue described in http://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB40580, we have purchased a Microsoft Authenticode certificate from our usual certificate provider. (Upgrading is not an option for us; our appliance is not supported anymore.)
Too bad the KB did not warn us to buy it from Symantec (provider of former Verisign certificates). When trying (and failing) to import the certificate into the Pulse Secure appliance, I found out from the help pages that "the system supports the following types of code-signing certificates: Microsoft Authenticode Certificate—[...] we only support Microsoft Authenticode Certificates issued by Verisign. [...] JavaSoft Certificate—[...] we only support JavaSoft Certificates issued by Verisign and Thawte. [...]"
I don't understand the reason for this kind of restriction (except that Symantec certificates are twice as expensive). Does someone know if this is only a formal support requirement (and if so, what format should I use to import the certificate), or if the system will just stubbornly check the certificate authority and fail if this is not Verisign?
I'm quite sure there is no strict check for a Verisign-issued cert as such; it's more about the format, etc., so if the cert your provider issues is exactly the same as what Verisign provides, it should work.
Have you tried importing and received an error?
BTW, what appliance are you on: SA2000/4000 or 6000? I would strongly recommend looking at upgrading, as these platforms don't get security patches any more.
Yes, I have tried importing the certificate and got an error like "invalid certificate format". My code signing key+certificate was originally PKCS#12, but I have exported the certificate and private key as X509 base 64. I have tried including or not the root and intermediate CAs in the certificate file, but it makes no difference. The root CA is already in the "Trusted server CAs" of the appliance, for that matter. Thanks a lot for answering, I will keep trying exporting the keys in other formats but not knowing exactly what the appliance expects I didn't know if I was going anywhere.
Considering the obsolescence of our appliance, I too am very aware of this and strongly recommended upgrading to the management months ago... I guess considering the ever-growing Java restrictions and the issues with the last Windows 10 update, it will also be largely useless soon.
Can you try converting your certificate to .spc format (for certificate file) and .pvk (for private key file)?
Note: If you ever start deploying/testing a newer release/platform of Pulse Secure VPN solution I recommend you look at using the Pulse client for your remote access needs. The user experience is mostly seamless and has less friction with browser/os dependencies.
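When an import fails with "invalid certificate format", it helps to confirm which container each file really is before trying another export. The following is an added example, not part of the thread and not Pulse Secure code: a heuristic, standard-library-only classifier for the formats mentioned above (PEM / "X509 base 64", PKCS#12, .spc, .pvk). The function names and output labels are this example's own, and the sample bytes are constructed headers, not real keys.

```python
import re

PVK_MAGIC = bytes.fromhex("1ef1b5b0")  # PVK magic 0xB0B5F11E, little-endian on disk
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 #]+)-----")

def der_header(buf, pos):
    """Return (tag, content_start, content_length) for the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                      # short-form length
        return tag, pos + 2, first
    n = first & 0x7F                      # long form: next n bytes hold the length
    return tag, pos + 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")

def identify(data):
    """Classify a certificate or key file by container format (heuristic)."""
    if data[:4] == PVK_MAGIC:
        return "PVK"
    pem = PEM_RE.search(data)             # also matches after "Bag Attributes" text
    if pem:
        return "PEM " + pem.group(1).decode()
    try:
        tag, start, _ = der_header(data, 0)
        if tag != 0x30:                   # every DER format here is a SEQUENCE
            return "unknown"
        ctag, cstart, clen = der_header(data, start)
        body = data[cstart:cstart + clen]
        if ctag == 0x06:                  # ContentInfo: starts with a content-type OID
            return "SPC/PKCS#7 SignedData" if body == OID_SIGNED_DATA else "PKCS#7 (not SignedData)"
        if ctag == 0x02:                  # PFX has version 3; bare keys use 0 or 1
            return "PKCS#12" if body == b"\x03" else "DER private key"
        if ctag == 0x30:                  # nested SEQUENCE: certificate or encrypted key
            inner_tag = der_header(data, cstart)[0]
            return "DER encrypted PKCS#8 key" if inner_tag == 0x06 else "DER X.509 certificate"
    except IndexError:                    # truncated or empty input
        pass
    return "unknown"

# Constructed minimal headers, just enough structure to exercise each branch.
SAMPLES = {
    "cert.pem": b"Bag Attributes\n-----BEGIN CERTIFICATE-----\nMAA=\n-----END CERTIFICATE-----\n",
    "cert.spc": bytes.fromhex("300d06092a864886f70d010702a000"),
    "key.pvk": PVK_MAGIC + bytes(20),
    "bundle.p12": bytes.fromhex("3003020103"),
    "cert.der": bytes.fromhex("30053003a00100"),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name}: {identify(blob)}")
```

To check real files, pass `open(path, "rb").read()` to `identify`; a file named `.spc` that reports `PEM CERTIFICATE` has only been renamed, not converted.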