
Pulse on IPad with certificates

SOLVED
PortreeKid_
New Contributor

Pulse on IPad with certificates

I am racking my brain.  I have set up a CA with XCA to use as a second factor while authenticating iPads.  It took me a while but after some trial and error and googling I discovered that the certs need to be done with SHA1 for the iPads to trust them.  Okay fine, so far so good.  In the profiles I can now import the CA and a client cert and they show up as trusted in the iPad.  However, when I go to the Pulse client and try to add the certificate it can't see the client cert from profiles.  It does not even show up in the list.

 

Has anyone been down this road before?

 

Thanks.

1 ACCEPTED SOLUTION

PortreeKid_
New Contributor

Re: Pulse on IPad with certificates

Okay, here I am replying to my own message to provide info for others that bang their head against the same problem.

 

I discovered that when you are working with iPads the certs will work with:

Signature algorithm sha256WithRSAEncryption

X509v3 Basic Constraints critical:
CA:FALSE
X509v3 Subject Key Identifier:
---redacted---
X509v3 Key Usage:
Digital Signature
X509v3 Extended Key Usage:
TLS Web Client Authentication, E-mail Protection

 

In xca I completely removed all Netscape options (SSL Client, SSL Server, S/MIME, etc.)

TLS Web Client was probably not necessary. Other options will most likely work; I just wanted to provide what worked for me. This just represents some of the bare-bones requirements to allow the cert to show up not just in the iPad profiles but in the Junos Pulse as well. The signature algorithm is probably the key factor, if you pardon the pun.

 

Have fun. I hope this helped someone.

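Added example, not part of the original post: an OpenSSL equivalent of the XCA settings listed in the accepted answer, plus a check that compares `openssl x509 -noout -text` output against that exact combination. The names demo-ca and ipad-user, the file names and the `demo` argument are assumptions made for this example; the check mirrors what the answer reports as working and is not a statement of the minimum that iOS or Pulse requires.

```shell
#!/bin/sh
# Added example. demo-ca, ipad-user and all file names are constructed.

# Extensions as listed in the accepted answer; no Netscape (nsCertType) entries.
write_ext() {
cat > "$1" <<'EOF'
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
keyUsage = digitalSignature
extendedKeyUsage = clientAuth, emailProtection
EOF
}

# issue DIR: create a throwaway CA, then a client cert signed with SHA-256.
issue() {
  write_ext "$1/client.ext" &&
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=demo-ca" -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=ipad-user" \
    -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null &&
  openssl x509 -req -sha256 -days 30 -in "$1/client.csr" \
    -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
    -extfile "$1/client.ext" -out "$1/client.pem" 2>/dev/null
}

# check_profile: reads `openssl x509 -noout -text` output on stdin, prints each
# deviation from the answer's profile, and returns the number of deviations.
check_profile() {
  text=$(cat); fails=0
  need() { printf '%s\n' "$text" | grep -Eiq "$1" || { echo "MISSING: $2"; fails=$((fails+1)); }; }
  deny() { printf '%s\n' "$text" | grep -Eiq "$1" && { echo "PRESENT: $2"; fails=$((fails+1)); }; return 0; }
  need 'Signature Algorithm:? *sha256WithRSAEncryption' 'SHA-256 RSA signature'
  need 'Basic Constraints:? *critical'  'critical Basic Constraints'
  need 'CA:FALSE'                       'CA:FALSE'
  need 'Subject Key Identifier'         'Subject Key Identifier'
  need 'Digital Signature'              'Key Usage: Digital Signature'
  need 'TLS Web Client Authentication'  'EKU: TLS Web Client Authentication'
  deny 'Netscape'                       'Netscape extension'
  return "$fails"
}

# Demo, run as: sh thisfile demo
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d) && issue "$d" &&
    openssl x509 -in "$d/client.pem" -noout -text | check_profile && echo "profile OK"
fi
```

An existing certificate exported from XCA can be checked the same way by piping its `openssl x509 -noout -text` output into `check_profile`.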

2 REPLIES
zanyterp_
Respected Contributor

Re: Pulse on IPad with certificates

thank you for sharing
