Help with certificates on SA

  • Hello all

    Was hoping someone could lend me a hand. The whole issue of certificates quite frankly gives me a headache. A dark art some would call it.

    Anyway, before I embark on writing a design and implementing a RAS solution for a customer using the Junos Pulse SA Service I wanted to test it all out in a lab environment to understand it a bit better as it’s my first time using the product.

    The requirements are that the user’s machine should be checked to ensure it has a valid certificate signed/issued by the internal PKI. So to simulate this I have setup a Server 2008 root CA (single tier) with which I have created my root cert and private key. In order to simulate the machine certificate verification I have created a certificate template on the PKI using the template ‘Workstation Authentication’ that has the following properties:

    Algorithm: ECDH 256, HASH: SHA256
    Subject Name: Format: Common Name, Include UPN
    Permissions: Domain Computers - Read, Autoenroll

    I then use a GPO to push this out to my lab Windows 8.1 VM.

    My thinking now is that the machine now has a client/machine certificate. Using the MMC snap-in I can verify that the cert has indeed been sent to the Windows 8 machine signed by the CA. With this I now upload the root CA cert to the SA under the System > Configuration > Certificates > Trusted Client CA section. I then enable the certificate check under the User Realms > Realm Name > Authentication Policy > Certificate section.

    With this my hope is that prior to authentication the host machine will have the certificate checked, the SA then compares this to the uploaded root CA and sees it has been signed by the same internal PKI and voila, it’s passed.

    Unfortunately that is not the case as I just keep getting the dreaded “Error 1332 Missing or invalid certificate error” when trying to log in.

    I’m at a loss here. Can someone shed a light on how to fix this?

    Many thanks

  • Hello,

    I hope you’ve already resolved the issue. If not, here are a few points

    • import the CA certificate as a Trusted Client CA

    • import the CA certificate as a Client Auth Certificates (doesn’t sound logical, but it helped)

    • follow the documentation


  • I tried to follow the instructions.