Forum Discussion
Greg_33216
Nimbostratus
Dec 24, 2009
Using a local certificate and protected configurations
Hello,
I hope someone can help here as this has been doing my head in for a number of weeks now. I want to use a scenario on FirePass 6.1 where a resource group is protected by a 'Protected Configuration'. The main check is for a certificate installed on the machine issued by our Microsoft CA server. I have installed the client root certificate onto the FirePass; this certificate is signed by our CA server and seems to have worked. Once the user has our root Microsoft CA server certificate from the signing server "server01" (the same one that signed the FirePass certificate request) imported into their trusted store, the client web browser no longer complains that the FirePass is using a non-trusted certificate.
Where I am falling apart is checking the issuing CN = "Server1" field on the certificate generated for the client machines. These certificates are using the Web Server template and are signed on the same Microsoft CA server. When I view the certificate, the "issued by" field shows 'server01'. I have imported them using the MMC snap-in into both the user store and the local machine store.
I have the pre-logon inspection running the Windows Machine Certificate Inspector and I am using the inspector's check details the following way:
Cert Store Name: MY
Cert Store Location: Current User
Cert Match Rule: Issuer (regex match)
SubjectAltName(regex): blank
Issuer(regex): |CN = (server01)|
SerialNumber: blank
I have the logger turned on, which is set to dump the certificate fields, and also with a note to say "Cert Found and Verified" when session.cert_check.last_check.result == 1, "Cert found no match" when session.cert_check.last_check.result == 2, and "No Cert found" when going to fallback. I also try to dump the following logger action, CN Issuer=%session.ssl.cert.issuer.cn%, which only returns "CN Issuer =" with no data.
I am starting to think that it is not even finding a certificate. It always seems to go through the fallback branch. The client-side pre-logon process shows the message that it is checking for certificates and Google Desktop etc., so I am sure the right inspection sequence is being used.
Any help would be much appreciated. I try to work out as much as I can myself before calling in the cavalry, but so far I have come up blank with my own efforts and with finding a similar scenario in a posting somewhere.
cheers,
Greg
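The search the inspector is configured to do, reproduced on the client as an added example (this is not code from the post or from F5): it lists every certificate in the MY (Personal) store for both store locations, prints the Issuer string exactly as Windows renders it, and tests that string against the Issuer regex both as configured and with the whitespace around "=" made optional. The default pattern value, the store paths, and the assumption that the inspector matches the DN string ("CN=server01, DC=...") rather than the MMC display text ("CN = server01") are mine, not something the post documents.

```powershell
# Added example (not code from the original post or from F5): reproduce the
# Windows Machine Certificate Inspector's search client-side so the issuer
# string can be seen exactly as Windows renders it.
# Assumption: the inspector matches Issuer(regex) against the DN string
# ("CN=server01, DC=corp, DC=local"), not the MMC display ("CN = server01").

param(
    # Pattern as given in the post, without the surrounding pipes.
    [string]$IssuerPattern = 'CN = (server01)'
)

# Same pattern with the whitespace around '=' made optional, so it matches both
# renderings. (.NET replacement text treats '\s' literally; only '$' is special.)
$relaxedPattern = [regex]::Replace($IssuerPattern, '\s*=\s*', '\s*=\s*')

function Get-ExtensionText {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Oid
    )
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
    if ($ext) { $ext.Format($false) } else { '(none)' }
}

foreach ($location in 'CurrentUser', 'LocalMachine') {
    $storePath = "Cert:\$location\My"     # MY is the Personal store in the MMC
    Write-Host "== $storePath =="
    $certs = @(Get-ChildItem -Path $storePath)
    if ($certs.Count -eq 0) { Write-Host '  (no certificates)'; continue }

    foreach ($c in $certs) {
        $asConfigured = $c.Issuer -match $IssuerPattern
        $relaxed      = $c.Issuer -match $relaxedPattern
        Write-Host "  Subject     : $($c.Subject)"
        Write-Host "  Issuer      : $($c.Issuer)"        # the string a regex is really run against
        Write-Host "  Serial      : $($c.SerialNumber)"
        Write-Host "  SAN         : $(Get-ExtensionText $c '2.5.29.17')"
        # The default Web Server template issues Server Authentication EKU only.
        Write-Host "  EKU         : $(Get-ExtensionText $c '2.5.29.37')"
        Write-Host "  Private key : $($c.HasPrivateKey)"
        Write-Host "  Chain OK    : $($c.Verify())"      # False if the issuing CA is not trusted locally
        Write-Host "  Regex match : as configured=$asConfigured  spaces-optional=$relaxed"
        Write-Host ''
    }
}
```

Run it as the user who logs on through FirePass (the CurrentUser store is per-profile) and once elevated for the LocalMachine store. If "Regex match" is False as configured but True with spaces optional, the pattern is matching the MMC display text rather than the DN string; if no certificate is listed at all, the store the inspector is pointed at is empty for that account.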
- Mike_61719
Cirrus
Can you enable the session variables and logon? Then post them if you can. Once you post them we can tell. - Greg_33216
Nimbostratus
It looks like it does not like my certificate... - Mike_61719
Cirrus
Can you post your check for session.cert_check.cert_check9187 - Greg_33216
Nimbostratus
The parameters are the same as I posted in the 1st message. A screenshot is attached. I've also attached a screenshot of the sequence I am using to test this all with. Thanks for your help too, by the way. - Mike_61719
Cirrus
When you installed the certificate on the local machine where did you store it? I believe you have to set the location to local machine. I never got the user store working right. - Greg_33216
Nimbostratus
I've used the MMC to install it both locally and in the current user profile. Tweaking the inspector to check for local machine as opposed to current user has the same result. - Mike_61719
Cirrus
Posted By Greg on 12/31/2009 7:43 AM
- Mike_Ho
Cirrus
The "MY" store is the same thing as the Personal store. - Greg_33216
Nimbostratus
Thanks Mike and Michael for getting back on this one. - Mike_Ho
Cirrus
The one key thing you haven't shown us is that in Device Management -> Security -> Certificates you have installed the issuing certificate in the "Client Root Cert(s)" store. Click "details" next to the CA cert and verify it has the correct subject identifier.