
Machine Authentication, Multiple Installed Certificates.

SOLVED
DoctorKisow
New Contributor

BACKGROUND

I am using an auth server that points to our CA. I have uploaded our CA's root certificate to "Trusted Client CA" and have created a machine certificate realm with a rule that permits multiple (* -or- ANY) certificates from our CA to connect to our VPN.

Our machines have a domain certificate issued to each workstation from the CA using the computer template. It is assigned to every workstation via a GPO because RADIUS requires the CA's root certificate for wireless access to occur.

As a result, we have both the root CA and a wireless certificate assigned to every device.

 

PROBLEM

When the VPN goes to connect, it prompts for a certificate to use.

QUESTION

How can I craft a rule to only choose a single certificate, since under machine authentication you cannot have ANY user input?

Accepted Solutions
r@yElr3y
Moderator

Re: Machine Authentication, Multiple Installed Certificates.

@DoctorKisow Unfortunately, there's no other way that I can think of which would make the Pulse Client differentiate the certificates and pick only one without prompting. Since both certs would have a private key and EKU set as client auth, their rank would be equal, and thus the Pulse client prompts the user to select one... which would not work for the machine tunnel.


Either use the wireless certificate for VPN authentication, or have a new CA to push certificates only for VPN.

PCS Expert
Pulse Connect Secure Certified Expert


4 REPLIES
r@yElr3y
Moderator

Re: Machine Authentication, Multiple Installed Certificates.

@DoctorKisow Do you have two identity certificates issued by the same CA, or one by the root CA and the other by the intermediate CA?

If you have a root CA and an intermediate CA, then try disabling the "Trusted for Client Authentication" option under the trusted client CA.

 

If there's only one CA that signed both certs, then you can use the EKU OID filtering option to do the trick; however, the caveats are:

# A custom EKU OID has to be present on the desired certificate (the cert template should be modified for this).

# Pulse Desktop Client 9.1R5 and higher will not work for machine certificates; only user certs will be filtered using the EKU OID value (identified as a not-supported scenario, hence considered an enhancement). So only 9.1R4 and below versions of PDC can be used for this approach to work.

Config reference - https://docs.pulsesecure.net/WebHelp/PDC/9.1R3/Content/PDC_AdminGuide_9.1R3/Configuring_Client_Certi...

PCS Expert
Pulse Connect Secure Certified Expert
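The two replies above describe the same root cause from the client's side: every certificate in the machine store that has a private key and the Client Authentication EKU ranks equally, and only a custom EKU OID would give a filter something to key on. The following PowerShell check is an added example, not code from this thread or from Pulse Secure; it lists exactly those candidate certificates from the Local Machine store and reports whether any carries the custom OID. The CA name and the custom EKU OID are placeholders to be replaced with your own values.

```powershell
# Added diagnostic (not from the thread): enumerate Local Machine certificates that a
# machine-auth client would treat as equally ranked candidates, i.e. issued by the
# given CA, with a private key, unexpired, and usable for Client Authentication.
param(
    [string]$IssuerMatch  = 'CN=EXAMPLE-ROOT-CA',    # placeholder: your CA's subject name
    [string]$CustomEkuOid = '1.3.6.1.4.1.99999.1.1'  # placeholder: custom EKU OID on the VPN template
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'          # id-kp-clientAuth
$templateOids  = '1.3.6.1.4.1.311.20.2',      # V1 "Certificate Template Name" (e.g. Computer template)
                 '1.3.6.1.4.1.311.21.7'       # V2+ "Certificate Template Information"

$candidates = @(Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and ($_.Issuer -like "*$IssuerMatch*") -and ($_.NotAfter -gt (Get-Date))
} | ForEach-Object {
    $cert   = $_
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    # A certificate with no EKU extension is valid for any purpose, so it also qualifies.
    $clientAuth = (-not $ekuExt) -or ($ekus -contains $clientAuthOid)
    $template = $cert.Extensions |
        Where-Object { $templateOids -contains $_.Oid.Value } |
        ForEach-Object { $_.Format($false) }
    [pscustomobject]@{
        Thumbprint   = $cert.Thumbprint
        Subject      = $cert.Subject
        Template     = ($template -join '; ')
        ClientAuth   = $clientAuth
        HasCustomEku = ($ekus -contains $CustomEkuOid)
        NotAfter     = $cert.NotAfter
    }
} | Where-Object { $_.ClientAuth })

$candidates | Format-Table -AutoSize

# More than one candidate and no custom OID to filter on is precisely the prompting case.
if ($candidates.Count -gt 1 -and -not @($candidates | Where-Object { $_.HasCustomEku })) {
    $msg = '{0} equally ranked client-auth certificates from this CA and none carries the custom EKU OID; the client cannot pick one without prompting.' -f $candidates.Count
    Write-Warning $msg
}
```

Run it in an elevated PowerShell session on an affected workstation; the Template column shows which enrollment template produced each certificate, which is what you would modify to add the custom EKU OID.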
DoctorKisow
New Contributor

Re: Machine Authentication, Multiple Installed Certificates.

@r@yElr3y

 

Forgive me, I only know enough about Microsoft Certificate Server to be dangerous. I am certain we only have our root CA, no other servers in that chain. Via a GPO, we are enforcing trust of our root CA to ensure our wireless clients can get and trust the certificates on our hardware for wireless. Since most of our laptops have both the root certificate and a certificate for wireless, our machines are being prompted, and sadly we are using R7 so I believe the EKU OID value will not work.

 

I am open to alternate configuration options since we can be flexible.


DoctorKisow
New Contributor

Re: Machine Authentication, Multiple Installed Certificates.

Currently re-engineering how this works, thanks for your assistance.