Browser not prompting/selecting client cert for GP portal

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Browser not prompting/selecting client cert for GP portal

L6 Presenter

Does anyone know exactly what is needed for browser to either select or prompt for client certificae when connecting to GP portal?

I know you need a client sert in personal user store and certificate profile on GP portal.

 

But still i find the behaviour very random.

I have 3 GP portals with self signed CA. And a few test machines.

For 1st portal get prompted if I have the correct CA in trusted root and a client certificate from the same root from every machine.

For 2nd portal i have mixed situation; some machines get prompted, some don't.

For 3rd portal I don't get prompted anywhere.

 

There is never any difference between different browsers. Either all prompt or none.

 

I also have one test machine which prompts for 1st portal, but doesn't prompt for 2nd even tho it doesn't have either of those 2 CAs as trusted root.

 

So what are all the required components to have a browser either use or prompt for user certificate?

From my testing; you need client cert in user store, cert from the same CA in trusted root, appropriate cert profile on GP portal. But in some cases even when you have all those the browser doesn't use or prompt for client cert. What else is missing? 

 

I know it's not PA issue, but non-PA self signed CA is the one on first portal which works the best. And most issues are happeneing on PA self signed CAs. .
 

6 REPLIES 6

L6 Presenter

Just to add; I don't have neither CRL nor OCSP checking and all 3 'block session' options in certificate profile are off.

After some packet capture I think it comes down to whther GP portal sends 'certificate request' during TLS handshake or doesn't. But I can't figure out why it does sometimes and why it doesn't.

 

Anyone knows what conditions must be met for GP portal to send 'certificate request' during TLS handshake? Only certificate profile isn't enough.

Hi @santonic , did you find something? 

I am trying to find out what is the logic. I have 2 PAs, each with just 1 portal, both are sending the certificate request during TLS handshake (self signed certificate). If i create a second portal on both PA, using the same certificate profile, the certificate request is missing.

I am now testing on a old PA3050 creating a similar configuration, but certificate request is not sent during TLS handshake.

 

Regards

Christian

L6 Presenter

Hey @Cbrasolin . I'm afraid I don't remember how this story ended back in 2018, I guess I'm getting old...  🙂

Hi @santonic , i found the problem.

Both portal and gateway (in the same interface) must use the same certificate profile under authentication->certificate profile. If the portal has a certificate profile configured, but the gateway not, the request in the tls handshake is missing. I suppose that since the portal and gateway share the same web server daemon, the configuration must be consistent.

It seem also that if certificate is verified under the agent configuration "machine device check", is not enough to have the certificate profile under the portal data collection tab, the profile is needed also on the authentication tab.

 

Anyway, my case was that the gateway was not configured with the certificate profile.

 

Regards,

L6 Presenter

Ok, thanx for the info. But I think I have some deployments, where certificate is required to connect to gateway but not required when connecting to portal. But as I said I am not certain, I will have to check.

  • 2804 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!