
Junos Pulse and Certificates

scoutt_
Contributor

Junos Pulse and Certificates

I want to run an idea by you guys. Please let me know if it will work and how to set it up.

 

I have read that I can add a certificate to Trusted Client CA. Now my thought was, since we use MaaS 360 for our iPhone / iPad / tablet to push apps, that I could set up a cert in our Juniper SA2500 running 7.1R5 and then give it to MaaS 360 to push to the clients, and then have Junos Pulse look for this cert and, if they have it, allow them into the realm.

 

My problem is, in order to add a cert to Juniper I have to create a cert request, so I can give it to another admin so he can create a valid cert I can install. I don't see this option in Juniper. How do we go about this idea if I can't request a cert?

 

Thoughts or am I going down the wrong road?

 

What we are trying to avoid is a user installing Junos Pulse and bypassing our MaaS 360 to log in to our VPN. Once a user sees how it works on a device that is in MaaS 360, they can then just load Junos Pulse on another device and bypass one of our requirements.

 

How does everybody else do it?

scoutt_
Contributor

Re: Junos Pulse and Certificates

Ahh, thank you, thank you. I will play around with it and see what works. Thanks Zanyterp.

SF_Dan_
Frequent Contributor

Re: Junos Pulse and Certificates

You can generate a certificate request from any source (OpenSSL, Windows MMC, etc.). I usually generate my CSR files from an advanced certificate request using the Windows certificate MMC.

 

You can use this link as a guide:

 

http://blogs.msdn.com/b/andrekl/archive/2008/09/24/how-to-generate-a-csr-for-an-iis-website-using-th...
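As an added example (not from the thread, and not Juniper's own procedure), here is the same "generate the CSR anywhere" idea done with OpenSSL on an admin workstation and then checked before it is handed to the admin who signs it; the hostname, organization and output directory are placeholders:

```shell
#!/bin/sh
# Added example: build an RSA key and a CSR for the SA's server certificate
# on any workstation, then verify the CSR before submitting it for signing.
# vpn.example.com and "Example Corp" are placeholder values.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# make_csr <fqdn> : writes $WORKDIR/<fqdn>.key and $WORKDIR/<fqdn>.csr
make_csr() {
    fqdn="$1"
    # request config: subject plus a SAN, which modern clients require
    cat > "$WORKDIR/$fqdn.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = $fqdn
O = Example Corp
[ext]
subjectAltName = DNS:$fqdn
EOF
    # 2048-bit key, unencrypted, so key and signed cert can be imported together
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORKDIR/$fqdn.key" -out "$WORKDIR/$fqdn.csr" \
        -config "$WORKDIR/$fqdn.cnf" 2>/dev/null
}

# csr_subject <fqdn> : prints the CSR subject for a last look before submission
csr_subject() {
    openssl req -in "$WORKDIR/$1.csr" -noout -subject
}

# csr_ok <fqdn> : exit 0 when the CSR's self-signature verifies
csr_ok() {
    openssl req -in "$WORKDIR/$1.csr" -noout -verify >/dev/null 2>&1
}

make_csr vpn.example.com
csr_subject vpn.example.com
```

The signed certificate that comes back is then imported on the SA together with the matching .key file.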

 

scoutt_
Contributor

Re: Junos Pulse and Certificates

My impression was that I had to do a cert request from the device that the cert was going to live on? We have an Enterprise wildcard cert; couldn't I just use the same one then?

 

Also, we send our cert to a respectable cert authority; we don't really want to use an internal cert.

SF_Dan_
Frequent Contributor

Re: Junos Pulse and Certificates

No, typically a cert does not need to be generated on the device it is being installed on.

 

Maybe I am confused on what you are trying to accomplish. Are you wanting to use Host Checker to see if a certificate is installed on the client prior to letting it connect to your VPN?

scoutt_
Contributor

Re: Junos Pulse and Certificates

Well, yes, but using Junos Pulse on iPads and iPhones and such. I am not really worried about desktops at this time. Host Checker runs on iPads or through Junos Pulse? I didn't think it did.

SF_Dan_
Frequent Contributor

Re: Junos Pulse and Certificates

Unfortunately, from my testing, the amount of checks you can do on iPad/iPhone devices is very limited. Since I've upgraded to 7.2 I see they now have support for something called Mobile Security Suite ( http://www.juniper.net/us/en/products-services/software/junos-platform/junos-pulse/mobile-security/#... ). I have not researched it much yet but figured I would provide the link. Hopefully someone with more experience with mobile devices and Juniper could contribute to the thread also.

 

Thanks,

 

Dan

scoutt_
Contributor

Re: Junos Pulse and Certificates

Thanks Dan, that sounds like what we are already using in the MaaS 360 service. I'll see if anybody else has anything on what we are after.

NULL_
Contributor

Re: Junos Pulse and Certificates

Hi scoutt,

 

I'll give you a short hint on how you should integrate client CAs and so on ; ).

  1. Have an issuing CA which outputs client certificates.
  2. Have the CA (public part) available for upload.
  3. Upload the issuing client CA (public part) to the Juniper SA.

Then there are different ways you can enforce access through certificates:

  • Realm based (authentication service)
  • Role based
  • Host Checker

Handling certificate authentication / authorization:

You can take every attribute from the client certificate for limiting access to realms / roles; a few examples:

  • CN
  • Date
  • Departments
  • Location
  • IP address (assignment for Layer 3 VPN)

Have a look at the Juniper SA Admin Guide for how you can use / extract the attributes.

Caution:

Not every device handles intermediate CAs properly.

 

Hope this does help you.

 

Best Regards

NULL
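An added example (not from the thread, and not the SA's own implementation) that walks through steps 1 to 3 above and a realm-style attribute check with OpenSSL: an issuing client CA, client certs whose OU records whether the device is managed, a cert made outside that CA (the "Pulse on another device" case from the original question), and a check that admits only certs chaining to the uploaded CA with the OU the realm rule requires. The CA name, OU values and device names are constructed.

```shell
#!/bin/sh
# Added example: minimal issuing client CA + attribute-based realm check.
# All names below are constructed placeholders.
set -e
D="${D:-$(mktemp -d)}"

# Step 1: issuing client CA (self-signed here; in practice an intermediate,
# which is exactly the case some devices mishandle)
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Client Issuing CA/O=Example Corp" \
    -keyout "$D/ca.key" -out "$D/ca.crt" 2>/dev/null
# Steps 2/3: $D/ca.crt is the "public part" uploaded to the SA as a Trusted Client CA

# issue_client <name> <ou> <days> : client cert whose OU carries the device class
issue_client() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$1/OU=$2/O=Example Corp" \
        -keyout "$D/$1.key" -out "$D/$1.csr" 2>/dev/null
    openssl x509 -req -in "$D/$1.csr" -CA "$D/ca.crt" -CAkey "$D/ca.key" \
        -CAcreateserial -days "$3" -sha256 -out "$D/$1.crt" 2>/dev/null
}

# realm_allows <name> <required_ou> : exit 0 only if the cert chains to the
# trusted client CA, is within its validity period, and its OU matches the rule
realm_allows() {
    crt="$D/$1.crt"
    # chain + validity check first, before any attribute is trusted
    openssl verify -CAfile "$D/ca.crt" "$crt" >/dev/null 2>&1 || return 1
    # attribute restriction: pull OU out of the subject (old and new openssl formats)
    ou=$(openssl x509 -in "$crt" -noout -subject | sed -n 's/.*OU *= *\([^,/]*\).*/\1/p')
    [ "$ou" = "$2" ]
}

issue_client ipad-0001 MaaS360-Managed 365
issue_client laptop-0002 Unmanaged 365
# a cert with the "right" OU but issued outside the trusted CA: must be rejected
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=rogue/OU=MaaS360-Managed/O=Example Corp" \
    -keyout "$D/rogue.key" -out "$D/rogue.crt" 2>/dev/null
```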

scoutt_
Contributor

Re: Junos Pulse and Certificates

Thanks NULL,

 

I have the cert all set up and it is added to the realm. This all works fine, as the Junos login shows not able to log in because of the missing cert, as expected. Now when we push the cert to the client, the VPN doesn't seem to see it. I can't figure out where the cert lives or how to get it into the Junos Pulse browser, if that's where the VPN looks for it. Does anybody have any idea where the cert will live on an iPad/iPhone?

 

I don't want to push it after they log in; that defeats the purpose. I want to push it to the device before they log in; this way I can check to see if they have it or not before it allows them to log in.