I have computers where there are several certificates in the computer personal store. One of them is a certificate for OAC machine authentication signed by a special CA. When I choose this certificate manually I can successfully authenticate this machine.
I need however to select "Use automatic certificate selection", because I'm preparing a remote installation for many computers. Unfortunately OAC 5.40.19091 selects the wrong certificate from the computer certificate personal store, one which is not the certificate for 802.1x machine authentication, so the verification of that certificate fails on the IC and the whole 802.1x authentication fails.
Is there any way to tell OAC to select any certificate that was signed by a selected CA? It seems like OAC now doesn't care which certificate it chooses when the "Use automatic certificate selection" option is selected.
Are there multiple certificates with Intended Purpose "client authentication" in the personal store?
Can you check with a certificate which needs to be used by OAC as a "client authentication" certificate, when there are no multiple "client authentication" certificates in the local computer personal store?
There is one certificate for OAC machine authentication with Intended Purpose "client authentication". Other certificates were generated by a 3rd party application and the Intended Purpose is set to "ALL", so that includes "client authentication" as well.
I've tried to revoke and regenerate the OAC machine certificate several times and the "Automatic certificate selection" feature sometimes selects the proper OAC machine auth certificate and sometimes the wrong 3rd party certificate. I do not really understand what the algorithm for choosing the certificate is here.
We can't delete the 3rd party certificate or change the Intended Purposes there. Is there any workaround to select the proper OAC machine certificate when there are multiple "client authentication" certificates in the local computer personal store?
I believe that this is expected behavior when we have multiple certificates for client authentication and you have "Use automatic certificate selection". As mentioned by you, I understand that you can't remove the other certificates in the PC personal store. If you are a sysadmin, I hope you can manage what certificates need to be pushed using AD group policy.
Since you told that most of them are remote machines, control over domain group policy can be an option to remove the other certificates or change the intended purpose.
The problem is that I can't remove the "client authentication" feature for the 3rd party certificate, because the 3rd party application needs it. I think the solution could be a feature in OAC where you can enter the certificate attribute name and the expected attribute value, so that OAC could filter out all certificates with "client authentication" to select the one proper OAC machine certificate. Unfortunately, as I understand, there is no such feature.
Yup, you are right, the logic as you mentioned is not available in OAC as of now. However you can discuss the requirement with the Juniper Account team to enhance the product to support such a complex requirement.
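As an added example (not from this thread or from Juniper), the following PowerShell script shows the pre-deployment check an admin would want before relying on automatic selection: it lists every certificate in the machine personal store that Windows treats as usable for client authentication (an explicit Client Authentication EKU, or no EKU extension at all, which is the "Intended Purposes: All" case above), and flags the one issued by the expected 802.1X CA. The issuer CN is an assumed placeholder.

```powershell
# Added example, not part of the original thread. Enumerates client-authentication
# candidates in Cert:\LocalMachine\My so you can see why automatic selection has
# more than one certificate to pick from. $ExpectedIssuerCN is a placeholder;
# replace it with the CN of the CA that signs your OAC machine certificates.
param(
    [string] $ExpectedIssuerCN = 'PLACEHOLDER-8021X-CA'
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Test-ClientAuthCandidate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        Select-Object -First 1
    # No EKU extension means "valid for all purposes" on Windows (the "ALL" case in
    # the thread), so such a certificate is also a candidate for automatic selection.
    if (-not $eku) { return $true }
    foreach ($oid in $eku.EnhancedKeyUsages) {
        if ($oid.Value -eq $clientAuthOid) { return $true }
    }
    return $false
}

# Only certificates with a private key can be used to authenticate the machine.
$candidates = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and (Test-ClientAuthCandidate -Cert $_) }

$candidates |
    Select-Object Thumbprint, Subject, Issuer, NotAfter,
        @{ Name = 'MatchesExpectedCA'
           Expression = { $_.Issuer -match "CN=$([regex]::Escape($ExpectedIssuerCN))" } } |
    Format-Table -AutoSize

if (($candidates | Measure-Object).Count -gt 1) {
    Write-Warning 'More than one client-authentication certificate is present; automatic selection cannot be relied on here.'
}
```

Run it elevated on a target machine before rollout; a single row with MatchesExpectedCA set to True is the state in which automatic selection can be trusted.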