
IPHONE with JUNOS Pulse and client certificate restriction on realm


Hi Experts

I am using IPHONE with JUNOS Pulse. I want that, after user authentication, the IPHONE should be authenticated by client certificate, which I imposed on realm level. Without this client certification everything is working. What I did:

1- On my PC, which is on the domain, from MMC I requested the personal certificate (user certificate). Then I exported this certificate and installed it on the IPHONE, with the configuration utility and without; I tried both options.

2- I also installed the CA certificate on the IPHONE using configuration utility

3- On SSL box, I installed the CA certificate on Trusted client CA and Trusted server CA.

- Every time after user authentication, JUNOS pulse is giving the error "Invalid or expired certificate. Check that your certificate is valid and up to date and try again"

- On the SSL VPN box, I am getting the error "A Trusted Client CA has not been configured for 'x500UniqueIdentifier=fd88bd73-70a7-4cd8-b9c5-1b0c0892026a, CN=iPCU CA fd88bd73-70a7-4cd8-b9c5-1b0c0892026a'. Consequently, the status of the certificate for 'CN=FD5528B1-C951-4452-8ABC-506FCD0E4BFA' could not be checked. You can enable Auto-import of Intermediate CAs to configure intermediate CAs automatically."

I am not sure why the client certificate on the IPHONE could not be verified on the SSL box. I tried everything. Please help, what am I missing?

Thanks in advance

Accepted Solutions

Re: IPHONE with JUNOS Pulse and client certificate restriction on realm

Hi

I believe the user certificate you are using on the IPHONE is missing private keys. When you exported the user certificate from the PC local certificate store, did you select the option to include private keys while exporting? If you are exporting the user certificate, mostly you will find this option. But if you are exporting the machine certificate, then most probably you cannot, due to a permission problem on the RSA folder.

You can test the certificate from the browser as well. When you export the user certificate, import it into the browser, and after importing you should see in the certificate properties "You have private keys that corresponds to this certificate". Now put the URL for IPHONE in the browser and see whether you can log in successfully.

HTH
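
The check suggested in the accepted answer (does the exported certificate carry its private key?) can also be run on the exported file itself before it goes onto the phone. This is an added example, not part of the original posts; it assumes the `openssl` command-line tool, and the file names, password and "Demo User" certificate are constructed. It also prints the certificate's issuer, which is the name the SSL VPN log reports when no Trusted Client CA matches.

```shell
#!/bin/sh
# Added example, not from the thread. Paths, password and subject are constructed.

# Return 0 only if FILE ($1) is a PKCS#12 bundle, protected by password $2,
# that contains a private key. A certificate-only export (or a plain
# .cer/.pem file) returns non-zero.
p12_has_private_key() {
    openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" 2>/dev/null |
        grep -q 'PRIVATE KEY'
}

# Print the issuer of the first certificate in the bundle. This is the name
# to compare against the CA uploaded as Trusted Client CA on the gateway.
p12_issuer() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null |
        openssl x509 -noout -issuer
}

# Build two constructed sample bundles in directory $1: one exported with
# the private key, one exported without it.
make_demo_bundles() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo User" \
        -keyout "$1/user.key" -out "$1/user.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/user.key" -in "$1/user.pem" \
        -out "$1/with_key.p12" -passout pass:demo &&
    openssl pkcs12 -export -nokeys -in "$1/user.pem" \
        -out "$1/cert_only.p12" -passout pass:demo
}

demo_dir=$(mktemp -d)
make_demo_bundles "$demo_dir"
for f in with_key.p12 cert_only.p12; do
    if p12_has_private_key "$demo_dir/$f" demo; then
        echo "$f: private key present"
    else
        echo "$f: certificate only, no private key"
    fi
done
p12_issuer "$demo_dir/with_key.p12" demo
rm -rf "$demo_dir"
```

For a real export, call `p12_has_private_key` and `p12_issuer` with the path of the exported file and its export password.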


Re: IPHONE with JUNOS Pulse and client certificate restriction on realm

I am sure that there are other ways to make this work, but the only way I have been successful with using certificates on iOS devices was when I installed them using the Configuration Utility. You said you tried that - what I do is I create a profile and in that profile I place both the CA Root Cert and the User Cert. Then I push that profile out to the device, accept the Root and then the user, and then it works.

Doing them separately or installing one from the utility and one from just the phone never seemed to work.

Hope this suggestion helps.


Re: IPHONE with JUNOS Pulse and client certificate restriction on realm

Oh thank you very much ... It worked !!!