I«m trying to restrict a Realm to only those clients which have a specific certificate installed.
So far this isn«t a really difficult job. I did it some month ago when I was testing the SA (with 6.5R4).
and it worked like a charm.
Now (with 7.0R4) I«m trying to re-implement it....and getting crazy with it.
The client certificate I use is brand new and I«ve used the same certificate template I used during the (successfull) tests some month ago. So there should be no change.
Out two Microsoft CA Server (Root-CA and Issuing-CA) are both in "Trusted Client CA" on the SA and the
"Trusted for client authentication?" checkbox is checked.
If I now restrict the Realm to "Only allow users with a client-side certificate...." an try to log in, I get an "Invalid or expired certificate. Check that your certificate is valid and up-to-date, and try again."
In Policy Tracing it says ""Error 26 unsupported certificate purpose".
Ok...where am I wrong? I can«t find the error. And nothing about the error in the Knowledge Base or somewhere else.
Can someone give me a hint?
Three things to check:
1) system time synchronization w/ AD/DC (and accuracy)
2) OCSP or other certificate verification.
3) that 'digitalSignature' is one of the defined uses of the certificate
If your clocks are synchronized and accurate, you can eliminate #1
If you disabled certificate revocation checking (at import time) or you have enabled (in a firewall) access from the SA to the AD/DC that is your CA, then you can probably eliminate #2.
I've generated all of my user certs using openssl (CentOS 5.5), and have no experience with MS certserv for user certs.
If you load the personal cert into the SA, you should be able to view it and see exactly what got imported (which would verity that the cert was valid/parseable by the SA)
That being said, I've set up limited authentication (must have valid user/pass + matching cert), but have not set up role mapping based on certificates, so it may be that I have simply not run into that issue...
Thanks for your response.
Your hint to import the certificate to see whats wrong with it was a good idea. Although i wasn«t able to import it ("unsuppored certificate purpose") it showed me that there must something be wrong with the certificate itself.
To cut a long story short:
It was the certificate template on the CA that got broken in any way. The defined use in the template was set to "Signature" and the policiy was set to "client auth", but the certificate itself contained some weird values.
After creating a new, clean template everything runs fine
Thanks fr your help