Okay, here I am replying to my own message to provide info for others that bang their head against the same problem. I discovered that when you are working with Ipads the certs will work with: Signature algorithm sha256WithRSAEncryption X509v3 Basic Constraints critical : CA:FALSE X509v3 Subject Key Identifier: ---redacted--- X509v3 Key Usage: Digital Signature X509v3 Extended Key Usage: TLS Web Client Authentication, E-mail Protection In xca I completely removed all Netscape options (SSL Client, SSL Server, S/MIME, etc.) TLS Web Client was probably not necessary. Other options will most likely work, I just wanted to provide what worked for me. This just represents some of the bare bones requirements to allow the cert to show up not just in the Ipad profiles but in the Junos Pulse as well. The signature algorithm is probably the key factor, if you pardon the pun. Have fun. I hope this helped someone.
... View more