Configuring Client Certificate Selection Option

From 9.1R3 release onwards, while Configuring Pulse Connect Secure, the following are the new checkboxes added under Client Certificate Selection Option.

The valid certificates get filtered based on the specifications provided by administrator in the above fields.

Only the filtered certificates get displayed in certificate selection prompt.

Enhanced Key Usage (EKU) field, abbreviated as EKU has following two components to it.

The following table defines EKUText and EKUOID variables:

Variable Description Examples
EKUText Format to be given is: EKUText = string or <comma separated string> or string with regular expression. Custom regular expressions need to be given with the following format: certAttr.EKUText = string or <comma separated string> or string with regular expression. certAttr.EKUText = “TLS Web Server Authentication”, ”E-mail Protection” ,”TLS Web Client Authentication”.
EKUOID Format to be given is: EKUOID = to a.b.c.d.e.f.g.h.i or <comma separated list of EKUOIDs> or OID with regular expressions. This works in both certificate rule as well as custom expressions. Custom regular expressions need to be given with the following format: certAttr.EKUOID = a.b.c.d.e.f.g.h.i or <comma separated list of EKUOIDs> or OID with regular expressions. Customer can create certificates with Custom OIDs. Example: certAttr.EKUOID=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.4,1.3.6.1.5.5.7.3.2

To configure Certificate Matching and Certificate Ranking under Client Certificate Selection Option, the administrator needs to follow the below steps.

  1. Log in to admin console.
  2. Go to Users > Pulse Secure Client > Connections.
  3. Select the connection from the Connections or click New to display the New Connection set configuration page.
  4. Complete the configuration, as required, described in Table 13.
  5. Save the configuration.

Figure 62: Client Certificate Selection Option

Note: Prefer smart card certificate option can be checked only if Enable Automatic Client Certificate Selection option is checked.

If Prefer smart card certificate option is checked, then certificates with client auth EKU set get displayed on the top of the list of certificates and preferred over other certificates.

Accept certificates with smartcard logon Enhanced key Usage option is enabled by default.

Based on the EKU configuration settings, Pulse Desktop Client will pick-up the available certificate and make successful connection.

If end-user has more than one certificates, then Pulse Desktop Client will prompt the end-user to select the certificates to make successful connection.