Traffic Script - Restrict to only a single client certificate

SOLVED
martin.scarrow
Occasional Contributor

Hi

We have a Virtual Server that requires a client certificate, and we check it against a customer's CA.

What our customer is asking is whether we can restrict it to a single certificate signed by this CA rather than any cert signed by the CA.

I have tried to create the following traffic script, to check if the cert is issued by the CA and if the serial number matches, and if it doesn't, return a 403 Forbidden, otherwise carry on:

$issuer = ssl.clientCertIssuer();
$serial = ssl.clientCertSerial();
if($issuer != "ROOT_CA" && $serial != ‎"AA BB CC DD EE 11 22 33 44 55 66 77 88 ") { 
http.sendResponse( 403, "text/html", "Forbidden","" );
}

but it is erroring at the start of the serial number:

Error: line 4: illegal character: ^"
if($issuer != "ROOT_CA" && $serial != ‎"AA BB CC DD EE 11 22 33 44 55 66 77 88 ") {
                                      ^
Error: line 4: illegal character: ^�
if($issuer != "ROOT_CA" && $serial != ‎"AA BB CC DD EE 11 22 33 44 55 66 77 88 ") {
                                       ^
Error: line 4: illegal character: ^�
if($issuer != "ROOT_CA" && $serial != ‎"AA BB CC DD EE 11 22 33 44 55 66 77 88 ") {
                                        ^

Am I doing this the correct way, or is there a better way to restrict it to a single client certificate?

Thanks in advance

Martin

ACCEPTED SOLUTION
Yousaf.Shah
Moderator

Re: Traffic Script - Restrict to only a single client certificate

Hi Martin,

There seems to be a Unicode character after '$serial ='. Can you copy that to a notepad (or similar) and then copy/paste it back into the rule, or copy the following:

$issuer = ssl.clientCertIssuer();
$serial = ssl.clientCertSerial();
# Reject unless BOTH the issuer and the serial number match. With '&&' between
# the two '!=' tests, a certificate from ROOT_CA with any other serial would
# not be rejected, so the condition must use '||'.
if( $issuer != "ROOT_CA" || $serial != "AABBCCDDEE1122334455667788" )
{
   http.sendResponse( 403, "text/html", "Forbidden", "" );
}

By the way, the value returned by clientCertSerial() doesn't contain spaces.

Yousaf

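Two checks worth running before a rule like this goes live, as an added Python example that is not part of the thread and not TrafficScript: a scan of the rule source for invisible Unicode characters such as the U+200E that produced the "illegal character" errors above, and the intended allow decision for issuer plus serial, which also shows why `&&` between two `!=` tests lets any certificate from the expected CA through. The rule text, issuer name and serial number below are constructed from the thread's own placeholders.

```python
import unicodedata

# Constructed sample: the thread's rule with a U+200E LEFT-TO-RIGHT MARK pasted
# just before the opening quote of the serial number (invisible in most editors).
RULE_SOURCE = (
    '$issuer = ssl.clientCertIssuer();\n'
    '$serial = ssl.clientCertSerial();\n'
    'if($issuer != "ROOT_CA" && $serial != \u200e"AABBCCDDEE1122334455667788") {\n'
    '    http.sendResponse( 403, "text/html", "Forbidden", "" );\n'
    '}\n'
)

def find_invisible_chars(source):
    """Return (line, column, description) for every character that is not a tab
    or printable ASCII. The compiler only says 'illegal character'; this names
    the code point so the stray character can be located and deleted."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch == "\t" or 0x20 <= ord(ch) <= 0x7E:
                continue
            hits.append((lineno, col, f"U+{ord(ch):04X} {unicodedata.name(ch, 'UNNAMED')}"))
    return hits

def normalise_serial(serial):
    """Canonical form: upper-case hex with spaces/colons dropped, so a serial copied
    from a certificate viewer ('AA BB CC ...') compares equal to the compact form
    that ssl.clientCertSerial() returns."""
    return "".join(c for c in serial.upper() if c in "0123456789ABCDEF")

def client_cert_allowed(issuer, serial, expected_issuer, expected_serial):
    """Intended policy: allow only when BOTH the issuer and the serial match."""
    return (issuer == expected_issuer
            and normalise_serial(serial) == normalise_serial(expected_serial))

def posted_rule_rejects(issuer, serial, expected_issuer, expected_serial):
    """Mirrors the posted condition  issuer != X && serial != Y  -> 403.
    It rejects only when BOTH mismatch, so every other certificate issued by
    ROOT_CA is let through; the rule needs '||' (reject if EITHER mismatches)."""
    return (issuer != expected_issuer
            and normalise_serial(serial) != normalise_serial(expected_serial))

if __name__ == "__main__":
    for line, col, what in find_invisible_chars(RULE_SOURCE):
        print(f"line {line} col {col}: {what}")
    exp = ("ROOT_CA", "AA BB CC DD EE 11 22 33 44 55 66 77 88")
    print(client_cert_allowed("ROOT_CA", "AABBCCDDEE1122334455667788", *exp))  # True
    print(posted_rule_rejects("ROOT_CA", "0102030405", *exp))  # False: the && bug
```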