
question about client certificate attributes

mirko cologne
New Contributor

question about client certificate attributes

Hello all

I have a question about configuring the SA to check client certificate attributes.

Our intention is to provide ActiveSync access for our customers to sync their mobile devices (e.g. Apple iOS, Android) with our internal Microsoft Exchange 2007 server. For that we added a virtual port on our external interface and enabled the client certificate requirement for this port. Then we configured a virtual hostname (passthrough proxy) which forwards the traffic to the target URL (Exchange server). This setup works perfectly with certificates of our Trusted Client CA.

Now the question:

Is it possible to filter on a special attribute of the certificate? More precisely I mean the "certificate template information" extension ("Template=WirelessUsers") and/or the "enhanced key usage" extension (e.g. "Client Authentication" or the custom value "WirelessUsers").

I did some tests with role option restrictions for certificates... e.g. "CN = <user>" works perfectly, but I can't find any information about these special attributes.

It would be great if someone could help me :-)

Thank you!



mirko cologne
New Contributor

Subject: question about client certificate attributes

Hi all,

I did some other tests with Client Cert validation:

Configuration > Trusted Client CA > [root-ca] > Advanced Certificate Processing Settings

Enabled "Initial Require Explicit Policy" and set the required value of the affected template:

I tried with our specific value (see below) but it doesn't work.

The standard value (id-kp-clientAuth) doesn't work either.

Tcpdump on the external port tells me that the client sends the correct certificate:


Extension (id-ce-extKeyUsage)
    Extension Id: (id-ce-extKeyUsage)
    KeyPurposeIDs: 2 items
        KeyPurposeId: (iso.
        KeyPurposeId: (id-kp-clientAuth)

Extension (id-ms-application-certificate-policies)
    Extension Id: (id-ms-application-certificate-policies)
    CertificatePoliciesSyntax: 2 items
        policyIdentifier: (iso.
        policyIdentifier: (id-kp-clientAuth)


I send a request from my client to this port with the right certificate, but authentication fails. There is no log entry with any error description.

Reply from the SA's external port:

Secure Socket Layer
    TLSv1 Record Layer: Alert (Level: Fatal, Description: Certificate Unknown)
        Content Type: Alert (21)
        Version: TLS 1.0 (0x0301)
        Length: 2
        Alert Message
            Level: Fatal (2)
            Description: Certificate Unknown (46)

Does anyone have any idea or experience with this feature?
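Whatever the SA itself can match on, the extKeyUsage value shown in the tcpdump above is plain DER and can be checked by any proxy or policy hook you control. The following Python is an added example, not code from this thread or from Juniper: it decodes an extKeyUsage value and applies the rule the poster wants (id-kp-clientAuth plus the template purpose, everything else denied). The template OID and the sample bytes are constructed placeholders.

```python
# Added example (not from the thread): parse a DER extKeyUsage value and apply
# the rule the poster wanted, i.e. require id-kp-clientAuth AND the template OID.
ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
TEMPLATE_OID = "1.3.6.1.4.1.99999.1.1"  # constructed placeholder for "WirelessUsers"

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) of the DER element at pos; long-form lengths ok."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """OBJECT IDENTIFIER content octets -> dotted string (base-128 arcs, MSB = more)."""
    arcs = [2, value[0] - 80] if value[0] >= 80 else [value[0] // 40, value[0] % 40]
    cur = 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def key_purposes(eku_der):
    """List the KeyPurposeId OIDs of an extKeyUsage value (SEQUENCE OF OBJECT IDENTIFIER)."""
    tag, body, _ = _read_tlv(eku_der, 0)
    if tag != 0x30:
        raise ValueError("extKeyUsage value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        oids.append(_decode_oid(value))
    return oids

def allowed_for_activesync(eku_der):
    """Deny by default: both purposes must be present, anything else is refused."""
    purposes = set(key_purposes(eku_der))
    return ID_KP_CLIENT_AUTH in purposes and TEMPLATE_OID in purposes

# Constructed sample value: SEQUENCE { id-kp-clientAuth, template placeholder OID }
SAMPLE_EKU = bytes.fromhex(
    "3016"                      # SEQUENCE, 22 content bytes
    "06082b06010505070302"      # OID 1.3.6.1.5.5.7.3.2
    "060a2b06010401868d1f0101"  # OID 1.3.6.1.4.1.99999.1.1
)
# Constructed sample carrying only clientAuth, as many default templates do:
CLIENT_AUTH_ONLY = bytes.fromhex("300a06082b06010505070302")
```

Run `key_purposes(SAMPLE_EKU)` to list the two OIDs and `allowed_for_activesync(CLIENT_AUTH_ONLY)` to see a clientAuth-only certificate refused.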





Subject: question about client certificate attributes

Did you ever get a solution for this?


We're looking to do something similar for our iPad users (Junos Pulse), but at the moment it's set to "any certificate from a trusted CA" - we want to allow certificates using the CA's custom iPad template, but deny everything else.




Frequent Contributor

Subject: question about client certificate attributes

Even if you could figure out a way to get the custom attribute, where would you put it? You need an auth server to hold them. The pass-through proxy is relying on your LDAP server, not Juniper.

Respected Contributor

Re: question about client certificate attributes

No, you cannot use the custom attributes from the certificates.