topic Re: Browser not prompting/selecting client cert for GP portal in General Topics

Browser not prompting/selecting client cert for GP portal

santonic — Fri, 13 Jul 2018 12:00:24 GMT

Does anyone know exactly what is needed for browser to either select or prompt for client certificae when connecting to GP portal?

I know you need a client sert in personal user store and certificate profile on GP portal.

But still i find the behaviour very random.

I have 3 GP portals with self signed CA. And a few test machines.

For 1st portal get prompted if I have the correct CA in trusted root and a client certificate from the same root from every machine.

For 2nd portal i have mixed situation; some machines get prompted, some don't.

For 3rd portal I don't get prompted anywhere.

There is never any difference between different browsers. Either all prompt or none.

I also have one test machine which prompts for 1st portal, but doesn't prompt for 2nd even tho it doesn't have either of those 2 CAs as trusted root.

So what are all the required components to have a browser either use or prompt for user certificate?

From my testing; you need client cert in user store, cert from the same CA in trusted root, appropriate cert profile on GP portal. But in some cases even when you have all those the browser doesn't use or prompt for client cert. What else is missing?

I know it's not PA issue, but non-PA self signed CA is the one on first portal which works the best. And most issues are happeneing on PA self signed CAs. .

Re: Browser not prompting/selecting client cert for GP portal

santonic — Fri, 13 Jul 2018 13:29:20 GMT

Just to add; I don't have neither CRL nor OCSP checking and all 3 'block session' options in certificate profile are off.

Re: Browser not prompting/selecting client cert for GP portal

santonic — Tue, 17 Jul 2018 06:57:36 GMT

After some packet capture I think it comes down to whther GP portal sends 'certificate request' during TLS handshake or doesn't. But I can't figure out why it does sometimes and why it doesn't.

Anyone knows what conditions must be met for GP portal to send 'certificate request' during TLS handshake? Only certificate profile isn't enough.

Re: Browser not prompting/selecting client cert for GP portal

Cbrasolin — Thu, 16 Nov 2023 07:09:00 GMT

Hi @santonic , did you find something?

I am trying to find out what is the logic. I have 2 PAs, each with just 1 portal, both are sending the certificate request during TLS handshake (self signed certificate). If i create a second portal on both PA, using the same certificate profile, the certificate request is missing.

I am now testing on a old PA3050 creating a similar configuration, but certificate request is not sent during TLS handshake.

Regards

Christian

Re: Browser not prompting/selecting client cert for GP portal

santonic — Thu, 23 Nov 2023 08:20:52 GMT

Hey @Cbrasolin . I'm afraid I don't remember how this story ended back in 2018, I guess I'm getting old... 🙂

Re: Browser not prompting/selecting client cert for GP portal

Cbrasolin — Fri, 24 Nov 2023 10:16:08 GMT

Hi @santonic , i found the problem.

Both portal and gateway (in the same interface) must use the same certificate profile under authentication->certificate profile. If the portal has a certificate profile configured, but the gateway not, the request in the tls handshake is missing. I suppose that since the portal and gateway share the same web server daemon, the configuration must be consistent.

It seem also that if certificate is verified under the agent configuration "machine device check", is not enough to have the certificate profile under the portal data collection tab, the profile is needed also on the authentication tab.

Anyway, my case was that the gateway was not configured with the certificate profile.

Regards,

Re: Browser not prompting/selecting client cert for GP portal

santonic — Tue, 28 Nov 2023 11:30:41 GMT

Ok, thanx for the info. But I think I have some deployments, where certificate is required to connect to gateway but not required when connecting to portal. But as I said I am not certain, I will have to check.

Re: Browser not prompting/selecting client cert for GP portal

TErwineFIATech — Thu, 14 Aug 2025 20:04:01 GMT

Thanks for this! This solved the issue for me as well.