I am investigating how to generate a client certificate from a Microsoft CA server in order to implement client certificate authentication in Juniper SA SSL VPN.
Is it necessary to generate a certificate for each user, or can one certificate allow all users to authenticate even if they belong to different Roles or Realms?
I have no idea how to do that; please help by providing instructions.
I guess I would want to know why you want to implement client certificate authentication. In general, sharing the same client certificate among multiple users would be similar to sharing the same username and password. A client certificate is typically issued to a single user. For most of our customers we combine the client certificate auth with Active Directory UN/PW. So in order to access the VPN a user has to have the client cert on their device and know their credentials.
Another option for you might be to use device certificates. This works well if the devices are members of an AD domain, which typically provisions the client cert when the machine is joined. Again I would suggest also requiring UN/PW in combination with the device cert.
For role mapping you can extract the username from the certificate (assuming you are not sharing a single cert) and map based on the AD group a user belongs to.
After installing Certificate Services on the server, a user can request a user certificate.
Please refer to the following link for generating a user certificate:
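The two answers above describe the same flow from opposite ends: request a per-user certificate from the Microsoft CA, then have the VPN map roles on the identity inside that certificate. The following PowerShell is an added example, not code from this thread, Juniper or Microsoft. It assumes an enterprise CA reachable as `CA01.corp.example\Corp-Issuing-CA` that publishes a `User` template carrying the Client Authentication EKU, and that the RSAT ActiveDirectory module is installed for the last step; all of those names are assumptions. It requests a non-exportable per-user certificate with `certreq`, then reads the UPN back out of the Subject Alternative Name, which is the field a role-mapping rule would key on, and resolves that UPN to its AD groups.

```powershell
# Added example (not from the thread). Assumed values: the CA config string,
# the template name and the presence of the ActiveDirectory module.
# Run as the user who needs the certificate, on a domain-joined workstation.

$CaConfig = 'CA01.corp.example\Corp-Issuing-CA'   # assumed "CAhost\CAname"
$Template = 'User'                                  # assumed template name
$WorkDir  = Join-Path $env:TEMP 'clientcert'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# 1. Request INF: a per-user, non-exportable 2048-bit key, usage = digital
#    signature + key encipherment (0xA0), Client Authentication EKU.
#    An enterprise template normally builds Subject/SAN from AD, so the
#    Subject line below only matters against a standalone CA.
$inf = @"
[NewRequest]
Subject = "CN=$env:USERNAME"
KeyLength = 2048
Exportable = FALSE
MachineKeySet = FALSE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.2 ; Client Authentication

[RequestAttributes]
CertificateTemplate = $Template
"@
$infPath = Join-Path $WorkDir 'user.inf'
$reqPath = Join-Path $WorkDir 'user.req'
$cerPath = Join-Path $WorkDir 'user.cer'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# 2. Generate key + CSR, submit to the CA, bind the issued cert to the key.
certreq -new $infPath $reqPath
certreq -submit -config $CaConfig $reqPath $cerPath
certreq -accept $cerPath

# 3. Pull the UPN out of the Subject Alternative Name (OID 2.5.29.17).
function Get-UpnFromClientCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return $null }
    # Format($false) renders e.g. "Other Name:Principal Name=jdoe@corp.example"
    if ($san.Format($false) -match 'Principal Name=([^,\s]+)') { return $Matches[1] }
    return $null
}

# Newest cert in the user store that carries the Client Authentication EKU.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2' } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
$upn = Get-UpnFromClientCert -Cert $cert
"Issued to: $($cert.Subject)  UPN: $upn  Expires: $($cert.NotAfter)"

# 4. Role-mapping check: the VPN maps on AD group membership, so confirm
#    what the identity inside the certificate resolves to in AD.
if ($upn) {
    $user = Get-ADUser -Filter "UserPrincipalName -eq '$upn'" -Properties MemberOf
    $user.MemberOf | ForEach-Object { (Get-ADGroup $_).Name }
}
```

`Exportable = FALSE` is what keeps this a per-user credential in practice: the private key stays in that user's profile and cannot be copied to another machine or shared the way a single "group" certificate would be. If `Get-UpnFromClientCert` returns nothing, the template is not populating the SAN from AD, and a role-mapping rule keyed on the UPN will have nothing to match.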