Automatically select a client certificate in a mobile device
We are doing client certificate authentication. Everything works fine if the device only has one certificate. Unfortunately a deployment of AirWatch has made certificates on user devices a bit more plentiful. There are multiple certificates with different issuers. I am only concerned with one of the issuers. Right now, if the user gets lucky and manually selects the correct certificate (the names are not helpful) all is good. If they don't, they're in trouble. Is there a way to automatically look for the cert signed by the Root CA Chain that we have instead of prompting the user? Basically look for [X509::issuer [SSL::cert]] and reject it if it isn't domain.com and then inspect the next one and accept it if it is issued by domain.com?
2 Replies
- Alexey_384 (Historic F5 Account)
With some exceptions, the answer is 'no'. The Machine Cert agent allows searching through the store, but it is supported on Win and Mac only. In the case of the mobile Edge client, you can specify the cert that will be used for the exact VPN connection. But in the case of a browser, I don't know of a way to specify the cert; the browser just shows the list of all available valid certs.
- Ben_Thornton_10 (Nimbostratus)
Don't know if this is still an issue for you, but if you bake the client certificate and the F5 VPN configuration into the AirWatch iOS profile then you don't get the prompt. This has worked for me since AW 6.3. We are currently on AW 7.3 HF7 and it is still working with no issues. If you need more info, let me know.
Also, it might be worth looking at "Advertised Certificate Authorities" in the client SSL profile under Client Authentication (FYI, I am on 11.5.1). Not tried it myself so cannot verify if it will work or not, but worth investigating.
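
How an advertised CA list can narrow the choice on the client, as an added example that is not part of the thread and is not F5 code: it builds and parses a TLS 1.2 CertificateRequest body (RFC 5246, section 7.4.4) and filters a device store against its `certificate_authorities` field. The CA names, store labels and the direct-issuer-only matching are constructed assumptions; whether a given mobile browser honours the list is not established by the thread.

```python
import struct

OID_CN = bytes.fromhex("550403")  # 2.5.4.3 commonName

def tlv(tag, body):
    if len(body) >= 128:  # short-form DER lengths are enough for this sample
        raise ValueError("sample encoder handles short-form lengths only")
    return bytes([tag, len(body)]) + body

def dn(cn):
    """DER-encoded Name holding a single commonName RDN."""
    atv = tlv(0x30, tlv(0x06, OID_CN) + tlv(0x0C, cn.encode()))
    return tlv(0x30, tlv(0x31, atv))

def build_certificate_request(ca_names):
    """Server side: TLS 1.2 CertificateRequest body advertising ca_names."""
    types = bytes([1, 64])          # rsa_sign, ecdsa_sign
    sigalgs = bytes([4, 1, 4, 3])   # sha256+rsa, sha256+ecdsa
    cas = b"".join(struct.pack("!H", len(d)) + d for d in map(dn, ca_names))
    return (bytes([len(types)]) + types + struct.pack("!H", len(sigalgs))
            + sigalgs + struct.pack("!H", len(cas)) + cas)

def advertised_cas(body):
    """Client side: extract the DER DNs from certificate_authorities."""
    pos = 1 + body[0]                                  # skip certificate_types
    pos += 2 + struct.unpack_from("!H", body, pos)[0]  # skip signature algorithms
    total = struct.unpack_from("!H", body, pos)[0]
    pos, end = pos + 2, pos + 2 + total
    if end != len(body):
        raise ValueError("certificate_authorities length does not match body")
    names = []
    while pos < end:
        n = struct.unpack_from("!H", body, pos)[0]
        pos += 2
        if pos + n > end:
            raise ValueError("truncated DistinguishedName")
        names.append(body[pos:pos + n])
        pos += n
    return names

def candidates(store, body):
    # An empty list means any certificate may be offered; otherwise keep only
    # certificates whose issuer DN is advertised (assumption: direct issuer only).
    cas = advertised_cas(body)
    return [c["label"] for c in store if not cas or c["issuer"] in cas]

STORE = [  # constructed device certificate store
    {"label": "mdm-identity", "issuer": dn("Constructed MDM Device CA")},
    {"label": "wifi", "issuer": dn("Constructed Wi-Fi CA")},
    {"label": "vpn", "issuer": dn("Constructed domain.com Issuing CA")},
]
```

With no CAs advertised all three certificates remain candidates, which is the multi-certificate prompt described in the question; advertising only the one issuing CA leaves a single candidate.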
