Questions on certificates

Occasional Contributor

Questions on certificates

We've been using RSA tokens for authentication to our SSL VPN system.  Recent interest in iPhones and Junos Pulse is leading us in the direction of using certificates for more seamless authentication.

I'd appreciate the benefit of others' experience. I understand I can stand up a certificate server on the SA box itself. How manageable is it? Alternatively, could we use our Active Directory CA to generate certs for the client devices? If yes, are there some guides I can follow? I haven't been able to find sufficient information in the Juniper knowledge base or admin guides.

Valued Contributor

Re: Questions on certificates

If you are interested in certificate based authentication I would take a serious look at the following site:

They have an awesome product and it is in my top 3 recommended solutions for two factor authentication when I outline solutions to potential clients.

Kevin Barker
Juniper Networks Certified Instructor
Juniper Networks Ambassador

Juniper Elite Reseller
J-Partner Service Specialist - Implementation

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
Occasional Contributor

Re: Questions on certificates

Is there a guide I can follow for using a Windows CA with the SSL VPN system? I assume I have to import our AD CA cert into the Juniper box.

The idea for using one cert with a password seems like it would be a time saver, but I'm not sure our Infosec group would go for it.


Re: Questions on certificates

I don't think you can create certificates for clients directly on IVE.

You can use Windows Server CA easily.

You could use ONE certificate for all users in addition to the user credential.

You can use this certificate on realm level for authorization via role mapping.

When you want the cert to be valid for more than 2 years, use Windows Server Enterprise Edition.

You have to configure validation in the registry. I use 5 years because I don't want to enroll certificates to thousands of users.
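The registry setting mentioned above, as an added example that is not part of the original post or of any Juniper or Microsoft documentation. It is the standard `certutil` way of raising the CA-wide ceiling on the lifetime of issued certificates on a Windows Server CA; the CA name `Corp-Issuing-CA` is a hypothetical placeholder. Run it in an elevated PowerShell session on the issuing CA.

```powershell
# Added example (not from the original post). Raise the per-CA ceiling on
# issued-certificate lifetime from the 2-year default to 5 years.
# Assumption (hypothetical): the issuing CA's subject is "CN=Corp-Issuing-CA".

# 1. Show the current ceiling (default: 2 Years).
certutil -getreg ca\ValidityPeriodUnits
certutil -getreg ca\ValidityPeriod

# 2. Set the ceiling to 5 years.
certutil -setreg ca\ValidityPeriodUnits 5
certutil -setreg ca\ValidityPeriod "Years"

# 3. The CA service reads these values at start-up, so restart it.
Restart-Service -Name certsvc

# 4. Verify the new values took effect.
certutil -getreg ca\ValidityPeriodUnits
certutil -getreg ca\ValidityPeriod

# 5. Check that the CA's own certificate outlives the 5-year window:
#    an issued certificate never expires after the certificate of the CA that signed it.
$caCert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=Corp-Issuing-CA*' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
"CA certificate expires: $($caCert.NotAfter)"
if ($caCert.NotAfter -lt (Get-Date).AddYears(5)) {
    Write-Warning "CA certificate expires within 5 years; issued certificates will be truncated to that date."
}
```

The effective lifetime of an issued certificate is the smallest of three values: this registry ceiling, the validity period configured on the certificate template used for enrollment, and the remaining lifetime of the CA's own certificate. Raising only the registry value therefore has no effect until the template's validity period is also raised, which is why the template editing capability of the server edition matters.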


Re: Questions on certificates

Of course one certificate for ALL users does not make much sense from a normal point of view. :-)

The certificate in my scenario does NOT authenticate the user.

The user authenticates with his AD credentials.

In the background, the client browser transmits the client certificate to IVE.

The IVE uses the client certificate to authenticate the CLIENT DEVICE as a trusted company device.

Via certificate attribute "CN" you can assign the authenticated user the proper IVE Role.
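A client-side check for the device-certificate scenario described above, as an added example that is not part of the original post and does not come from Juniper. Before troubleshooting role mapping on the IVE, it is worth confirming on the Windows device itself that a certificate issued by the company CA is present with its private key, that it chains to a trusted root with revocation checking, that it carries the Client Authentication EKU, and what Subject CN the SSL VPN will see. The CA subject `Corp-Issuing-CA` is a hypothetical placeholder.

```powershell
# Added example (not from the original post). Run on the client device in a
# normal PowerShell session.
# Assumption (hypothetical): the company CA's subject is "CN=Corp-Issuing-CA".
$issuerPattern = 'CN=Corp-Issuing-CA*'
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

# Device certificates normally live in the machine store, user-enrolled ones in
# the user store; look in both, and only at certificates we can actually use.
$candidates = Get-ChildItem -Path Cert:\LocalMachine\My, Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -like $issuerPattern -and $_.HasPrivateKey }

if (-not $candidates) {
    Write-Warning "No certificate from $issuerPattern with a private key found on this device."
}

foreach ($cert in $candidates) {
    # Build the chain the way a TLS client-authentication check would:
    # online revocation checking, and an untrusted root is a failure.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chainOk = $chain.Build($cert)

    # Does the certificate assert the Client Authentication EKU?
    $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $hasClientAuth = $false
    if ($ekuExt) {
        $hasClientAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
    }

    # The CN the SSL VPN reads from the Subject and can feed into role mapping.
    $cn = $cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

    [pscustomobject]@{
        Store         = $cert.PSParentPath
        Thumbprint    = $cert.Thumbprint
        SubjectCN     = $cn
        NotAfter      = $cert.NotAfter
        ChainValid    = $chainOk
        ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        ClientAuthEKU = $hasClientAuth
    }
}
```

If `ChainValid` is false, `ChainStatus` names the reason (for example `RevocationStatusUnknown` when the CRL distribution point is unreachable from the client, or `UntrustedRoot` when the root has not been pushed to the device), which is usually the same reason the VPN rejects or ignores the certificate.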