I'm having a heck of a time getting our SA4500 to accept client certificates we've signed with our internal CA. We're trying to auth with first a client certificate, and then a radius name/pass. Both client and SA are aware of our internal CA cert, but we can't get the browser to produce the cert for the login.
Users are using Safari, but we've also tried Firefox with no luck. The message is "No certificate found". However, the client cert is sitting in Keychain Access, and appears valid. We name the locally-signed client certs by first_last for the CN.
I've also tried setting the certificate preference in Keychain Access to use that specific cert for the url of the SSL VPN but no luck!
Thanks for any help you can provide.
Hey Doug - I use cert sign in with no problems from my Mac and was actually just testing to make sure everything still worked when going from 6.53 to 7.0 on the SA box.
So maybe I can ask a couple of dumb questions. I am assuming that you have tested the cert sign in from Windows boxes with no problems? It is just the Mac OS that is the problem? What keychain do you have the cert installed in? I usually place my SA sign-in cert in the Microsoft Intermediate Certificates keychain.
Thanks for the help, Kevin.
Unfortunately it's not working in Windows either. The error for both OS clients in the User Access log is "Login failed. Reason: NoCert".
Interesting you place your cert in the MS Intermediate Certs keychain. I would think the login keychain would be the first choice, and that's where I placed it.
I'm wondering if there are any specific guidelines for cert creation that I'm missing, and my cert is invalid in some way.
We are using our own local CA, whose cert is installed on the SA under Trusted Client CAs and Trusted Server CAs. The CA cert is also installed on the clients, and each client auth certificate is using the CN of the username, firstname_lastname for example. The device certificates are also signed by the same local CA, so everyone is working under the same trust, and the certs appear valid in the keychain.
Is there any chance of a network issue? Does the SA _initiate_ traffic with the client that could cause a firewall established-related traffic problem? I can look into this but any insight would be helpful.
Thanks for your help again.
Finally figured it out. It looks like the certificates on the client were not getting imported properly. The private key portion was not getting installed. Thanks for your time.
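The root cause in this thread (a client certificate imported without its private key) and the earlier question about cert creation guidelines can both be checked on the command line before anything touches a keychain. The script below is an added example, not code from this thread or from Juniper: it mints a throwaway internal CA and a client certificate whose CN is the username, exports it as PKCS#12 (the form keychain importers take), and then verifies that the bundle actually carries a private key matching the certificate and that the certificate chains to the CA. "Example Internal CA", the user name jane_doe, the work directory and the bundle password are all constructed placeholders; the "nokey" export reproduces the cert-only bundle that leaves the browser with nothing to present.

```shell
#!/bin/sh
# Added example, not from the thread: mint a throwaway internal CA and a client
# certificate whose CN is the username, export it as PKCS#12 for keychain import,
# and verify that the bundle really carries a private key matching the cert.
# "Example Internal CA", jane_doe and the password are constructed placeholders.
set -e

WORK="${WORK:-$(mktemp -d)}"
P12PASS="changeit"   # constructed placeholder; protects the demo .p12 only

make_demo_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Internal CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# $1 = username; it becomes the CN (first_last style, as in the thread)
make_client_cert() {
    user="$1"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$user" \
        -keyout "$WORK/$user.key" -out "$WORK/$user.csr" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$WORK/$user.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/$user.crt" >/dev/null 2>&1
}

# $1 = username, $2 = withkey|nokey. "nokey" reproduces the bad import case:
# a PKCS#12 that carries only the certificate, so the keychain never gets a key.
export_p12() {
    user="$1"
    if [ "$2" = "nokey" ]; then
        openssl pkcs12 -export -nokeys -in "$WORK/$user.crt" -certfile "$WORK/ca.crt" \
            -passout "pass:$P12PASS" -out "$WORK/$user-nokey.p12"
    else
        openssl pkcs12 -export -in "$WORK/$user.crt" -inkey "$WORK/$user.key" \
            -certfile "$WORK/ca.crt" -passout "pass:$P12PASS" -out "$WORK/$user.p12"
    fi
}

# Return 0 only if $1 contains a private key whose public half equals the
# client certificate's public key (both compared as PEM SubjectPublicKeyInfo).
p12_has_matching_key() {
    key_pub=$(openssl pkcs12 -in "$1" -passin "pass:$P12PASS" -nocerts -nodes 2>/dev/null \
        | openssl pkey -pubout 2>/dev/null || true)
    [ -n "$key_pub" ] || return 1
    cert_pub=$(openssl pkcs12 -in "$1" -passin "pass:$P12PASS" -clcerts -nokeys 2>/dev/null \
        | openssl x509 -pubkey -noout 2>/dev/null || true)
    [ -n "$cert_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Return 0 if the client cert in $1 chains to the CA the SA lists as a trusted client CA.
cert_chains_to_ca() {
    openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

demo() {
    make_demo_ca
    make_client_cert jane_doe
    export_p12 jane_doe withkey
    export_p12 jane_doe nokey
    for f in "$WORK/jane_doe.p12" "$WORK/jane_doe-nokey.p12"; do
        if p12_has_matching_key "$f"; then
            echo "OK   $f: private key present and matches the certificate"
        else
            echo "FAIL $f: no private key, or key does not match (import leaves no usable identity)"
        fi
    done
    cert_chains_to_ca "$WORK/jane_doe.crt" && echo "OK   jane_doe.crt chains to the internal CA"
}

demo
```

The p12_has_matching_key check is the one that would have caught the problem reported at the end of the thread: a bundle that passes it shows up under "My Certificates" in Keychain Access (that view lists only certificate-plus-key identities), which is what Safari's certificate picker draws from. Two caveats: the cert_chains_to_ca check only proves the chain against the CA file you pass, so use the same CA certificate that is loaded under the SA's Trusted Client CAs; and bundles produced by OpenSSL 3 use newer PKCS#12 encryption that some older keychain importers reject, in which case re-export with OpenSSL 3's -legacy option.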