Forum Discussion
Greg_33216
Nimbostratus
Dec 24, 2009
Using a local certificate and protected configurations
Hello,
I hope someone can help here as this has been doing my head in for a number of weeks now. I want to use a scenario on Firepass 6.1 where a resource group is protected by a 'Protected Configuration'. The main check is for a certificate installed on the machine issued by our Microsoft CA server. I have installed the client root certificate onto the Firepass and this certificate is signed by our CA server and seems to have worked. Once the user has our Root Microsoft CA server certificate from the signing server "server01" (same one that signed the Firepass certificate request) imported into their trusted store, the client web browser no longer complains that the Firepass is using a non-trusted certificate.
Where I am falling apart is checking the issuing CN = "Server1" field on the certificate generated for the client machines. These certificates are using the Web Server template and are signed on the same Microsoft CA server. When I view the certificate, the "issued by" field shows 'server01'. I have imported them using the MMC snap-in into both the user store and the local machine store.
I have the pre-logon inspection running the Windows Machine Certificate Inspector and I am using the inspector's check details set the following way:
Cert Store Name: MY
Cert Store Location: Current User
Cert Match Rule: Issuer (regex match)
SubjectAltName(regex): blank
Issuer(regex): |CN = (server01)|
SerialNumber: blank
I have the logger turned on, which is set to dump the certificate fields, and also with a note to say "Cert Found and Verified" when session.cert_check.last_check.result ==1, "Cert found no match" when session.cert_check.last_check.result ==2 and "No Cert found" when going to fallback. I also try and dump the following logger action CN Issuer=%session.ssl.cert.issuer.cn% which only returns "CN Issuer =" with no data.
I am starting to think that it is not even finding a certificate. It always seems to go through the fallback branch. The client-side pre-logon process shows the message that it is checking for certificates and Google Desktop etc., so I am sure the right inspection sequence is being used.
Any help would be much appreciated. I try and work out as much as I can myself before calling in the cavalry, but so far I have come up blank with my own efforts and with finding a similar scenario in a posting somewhere.
cheers,
Greg
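When an inspector always falls through to the fallback branch, the first thing to establish locally is whether the configured store actually holds a certificate and whether the issuer pattern matches the issuer string as Windows presents it. The script below is an added example for that purpose and is not code from the post or from F5; it assumes the store and location named in the post (MY / Current User), an expected issuing CN of "server01", and that the .NET issuer string form (for instance "CN=server01, DC=subdomain, DC=mydomain, DC=com", with no spaces around "=") is the form the pattern must match. Whether FirePass applies the regex to that same string form is an assumption to confirm against F5's documentation for the inspector.

```powershell
# Added example (not from the forum post or from F5): enumerate the
# Current User "MY" store and test candidate Issuer patterns against
# each certificate found there.
# Assumptions: store path Cert:\CurrentUser\My, expected issuing CN
# "server01", and that the .NET X509Certificate2.Issuer string form is
# what the inspector's regex is matched against.

$expectedIssuerCn = 'server01'

# Candidate patterns: the one written in the post (surrounding pipes and
# spaces around "=") and a tighter one written for the .NET string form,
# anchored so that "CN=server01" is matched as a whole attribute value.
$patterns = @(
    '|CN = (server01)|',
    "(^|, )CN=$expectedIssuerCn(,|`$)"
)

$certs = @(Get-ChildItem -Path Cert:\CurrentUser\My)

if ($certs.Count -eq 0) {
    Write-Warning 'No certificates found in Cert:\CurrentUser\My'
}

$matchedTight = 0

foreach ($cert in $certs) {
    Write-Host "Subject : $($cert.Subject)"
    Write-Host "Issuer  : $($cert.Issuer)"
    Write-Host "Expires : $($cert.NotAfter)   HasPrivateKey: $($cert.HasPrivateKey)"

    foreach ($p in $patterns) {
        # -match is a .NET regex test. A pattern that begins or ends with
        # '|' contains an empty alternation branch, so it matches every
        # string and tells you nothing about the issuer.
        $hit = $cert.Issuer -match $p
        Write-Host ("  pattern {0,-28} -> {1}" -f "'$p'", $hit)
    }

    if ($cert.Issuer -match $patterns[1]) { $matchedTight++ }
    Write-Host ''
}

Write-Host ("{0} certificate(s) in the store, {1} with issuer CN '{2}'" -f `
    $certs.Count, $matchedTight, $expectedIssuerCn)
```

Run it in the same user context the pre-logon inspection executes under; if the store is empty there, the inspector cannot find anything regardless of the pattern. If the count of certificates is non-zero but the tight pattern never matches, compare the printed Issuer line with the pattern character by character (spacing around "=", attribute order, and the separator between attributes are the usual differences between what the MMC displays and what the string form contains).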
13 Replies
- Greg_33216
Nimbostratus
Thanks Michael for getting back on this...
I'm substituting the real names, but the exact equivalent to the examples I have used above would be
Subject: DC=com, DC=mydomain, DC=subdomain, CN=server01 (this is for the client root certificate on the firepass)
The Issuer details also show the same as above.
On the client PC, the issuer fields look the same; however, the subject is different. It is the equivalent of:
E = myemail@mydomain.com
CN = firstnamelastname
OU = MyDepartment
O = MyCompany
L = London
S = London
C = UK
Do you think that, while the regex field says the field it looks at is the Issuer, it is actually looking inside the subject fields for a match? The client root certificate on the Firepass and the client certificate share the same issuer statement identically. There are no differences in case or spaces/special characters.
I'm no expert in certificates, but from what I can see I don't know what else to check. Maybe using a regex statement in the SubjectAltName field may have a better chance of working. The only problem with this is I am sure I would get the regex statement wrong....
Thanks anyway for the help so far everyone has been.
cheers,
Greg
- ccna55_14039
Nimbostratus
Hello, did you ever get this to work?
I am also having the exact same issue with certs and protected config...
Thanks,
ccna55
- ccna55_14039
Nimbostratus
Once I uploaded the cert to Firepass it was able to read the client cert successfully.