Theodore - sounds cool! Please post how it all turns out.....

Thanks!

Yes - you most certainly can - create a host certificate and use it across multiple PC's. This works just fine from the perspective of the SSL box. I have this in my lab cause I am lazy and use the same PC cert all the time.

You have the option on the host browser import to flag it as not exportable. Probably able to do it other ways but I am not that smart about certs.

You will however have to do cert authentication 1st and AD authentication 2nd. Can't do AD and then cert....

If you authenticate via Cert first, can you map users by their AD group membership? I thought you could only map users based on their primary authentication method?

stine

Ok, i configured a certificate auth server on IVE.

I created a user certificate, and when user goes to IVE loginpage, the IVE system asks the client for the certificate.

Great!

Now i only miss the information....

1. how to install the user/host certificate so that its valid for ALL users who use that notebook. Normally the cert is assigned to the current user who is logged in on the windows client

2. how to configure the certificate that its not exportable, so that the user can not use it on another non trusted pc

How can i do this with OpenSSL?

Hey Theodore - Good point - you are partially right and I should have clarified my answer. I never use AD for authorization. Only for authentication. You can authenticate (1st auth) with cert and then use LDAP against AD for authorization, and then use AD for 2nd authentication.

I never tried to do CERT authentication, AD authorization. I did just check and you are correct - you can't with AD. But as you can with LDAP with no problem. LDAP is better in my opinion for authorization anyway and he can still do groups.

Good catch!

Not sure how to do #1 or #2 with Open SSL - but I know that if you export a cert you choose when you do the intial export (from browser or from Microsoft MMC Cert tool) whether or not allow it to be "re-exported" after import into another PC / browser.

I know that #2 is possible because you can do it in Microsoft CA (when requesting the certificate you choose not to make it exportable... I think you can do this during the import phase too when installing it on the PC), but I don't know how you'd go about doing that in OpenSSL.

The only way I can think of to install the certificate for everyone is to deploy it out via Active Directory GPO. This would ensure everyone gets it installed if it's not already, the only catch obviously they'd have to log into that laptop at least once on your internal network before trying to log in remotely on the IVE.

Kevin, here's what i've got right now.

I created my own CA using openssl.

I issued a CSR from the sslvpn box.

I signed it on my own CA and installed it on my sslvpn box.

I then created a user certificate and signed it with my CA.

I installed this cert on the sslvpn box.

i then installed the user cert and the CA in my browser (one pkcs12 file with chained certs).

for my primary auth server i run LDAPS against a win2k8 AD.

for my second auth server i run LDAPS against a separate win2k8 AD.

this means that i have three authentication methods...

When I created the user cert (openssl), i then removed the primary key from it (but i dont remember how....)

I am only assigning roles based on the primary auth server group membership, and i'm really only using the 2nd auth server for testing.

my next trick will be to assign NC ips via radius, and after that, person certs for and radius attributes for role assignment...