cancel
Showing results for 
Search instead for 
Did you mean: 

Host Checker based root ca certificate

Frequent Contributor

Host Checker based root ca certificate

Hi all,

is there a way to check the persence of root ca certificate with host check policy?

2 REPLIES 2
Highlighted
Frequent Contributor

Re: Host Checker based root ca certificate

Host checker can check for machine certs only which is issued by a CA. It cannot check for a root CA where the issued to and issued by fields are same.

Not applicable

Re: Host Checker based root ca certificate

Hi,

 

While this still seems to be the case in 2013, there may be something similar you can do.

 

You can set up a preconfigured Junos Pulse file from the settings in the connection on the gateway. If you set the Dynamic trust check box, in the Junos Pulse connections page in the gateway, you allow the user to accept certificate errors when connecting to the gateway. This is the default.

 

In our case, users with company laptops have a root CA that was the CA to certify the outside address of the Mag gateways (via a load balancer). This certificate will be "invalid" to everyone except someone with the root CA installed.

 

So, you can clear (remove) the check box for "Dynamic connections" in the GUI and export the preconfig file, or change the         

            dynamic-trust: "true"

 

line to be

            dynamic-trust: "false"

 

What this will do, when a user connects to a gateway certified by the CA and they have the root CA is it will allow them to logon. When the user connects but there is no root CA certifying the chain of the CA to the machine's cert, the connection will fail, as the user will not have the opportunity to accept the connection.

 

Will this work for you?

 

Regards,

 

-Ambidexter