Forum Discussion

schmuck
Nimbostratus
Jun 17, 2014

Automatically select a client certificate in a mobile device

We are doing client certificate authentication. Everything works fine if the device only has one certificate. Unfortunately a deployment of AirWatch has made certificates on user devices a bit more plentiful. There are multiple certificates with different issuers. I am only concerned with one of the issuers. Right now, if the user gets lucky and manually selects the correct certificate (the names are not helpful) all is good. If they don't, they're in trouble. Is there a way to automatically look for the cert signed by the Root CA Chain that we have instead of prompting the user? Basically look for [X509::issuer [SSL::cert]] and reject it if it isn't domain.com and then inspect the next one and accept it if it is issued by domain.com?


2 Replies

  •
    Alexey_384
    Historic F5 Account

    With some exceptions, the answer is 'no'. The Machine Cert agent allows searching through the store, but it is supported on Win and Mac only. In the case of the mobile Edge client you can specify the cert that will be used for an exact VPN connection. But in the case of a browser I don't know of a way to specify the cert; the browser just shows the list of all available valid certs.


  • Don't know if this is still an issue for you, but if you bake the client certificate and the F5 VPN configuration into the AirWatch iOS profile then you don't get the prompt. This has worked for me since AW 6.3. We are currently on AW 7.3 HF7 and it is still working with no issues. If you need more info let me know.


    It might also be worth looking at "Advertised Certificate Authorities" in the client SSL profile under Client Authentication (FYI, I am on 11.5.1). I have not tried it myself so I cannot verify whether it will work or not, but it is worth investigating.
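The check the original question sketches (inspect `[X509::issuer [SSL::cert]]` and reject anything not issued by domain.com) is a server-side issuer check. The example below, which is added here and is not code from the thread or from F5, shows what such a check can and cannot do: the server only ever sees the one certificate the browser already chose, so it can reject a wrong choice cleanly but cannot make the device "try the next one". Steering the browser's choice has to happen earlier, which is what the advertised-CA list in the client SSL profile does (the TLS CertificateRequest carries the acceptable issuer names, and browsers filter the picker on them). The issuer DN strings, the two sample certificates and the dict layout (modelled on what Python's `ssl.SSLSocket.getpeercert()` returns) are all constructed for the example.

```python
"""Issuer check for a presented client certificate (added example, not F5 code).

Models the decision an iRule like `if {[X509::issuer [SSL::cert 0]] ne ...} { reject }`
would take, using the dict shape Python's ssl.getpeercert() produces.
"""

# Issuer DN we require, in RFC 4514 string form (hypothetical value for the example).
REQUIRED_ISSUER = "CN=domain.com Root CA,O=domain.com,C=US"

# getpeercert() spells attribute types out in full; map them to the short DN forms.
LONG_TO_SHORT = {
    "countryName": "C",
    "stateOrProvinceName": "ST",
    "localityName": "L",
    "organizationName": "O",
    "organizationalUnitName": "OU",
    "commonName": "CN",
}


def parse_dn(dn: str) -> dict:
    """Parse "CN=x,O=y,C=z" into {"CN": "x", ...}, honouring backslash-escaped commas."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    out = {}
    for part in parts:
        attr, _, value = part.partition("=")
        out[attr.strip().upper()] = value.strip()
    return out


def issuer_from_peercert(peercert: dict) -> dict:
    """Flatten the nested RDN tuples of getpeercert()['issuer'] into {attr: value}."""
    out = {}
    for rdn in peercert.get("issuer", ()):
        for name, value in rdn:
            out[LONG_TO_SHORT.get(name, name).upper()] = value
    return out


def issuer_allowed(presented: dict, required: dict) -> bool:
    """Accept only if every attribute of the required issuer matches exactly."""
    return all(presented.get(attr) == value for attr, value in required.items())


def decide(peercert: dict) -> str:
    """Server-side verdict on the single certificate the client chose to present."""
    ok = issuer_allowed(issuer_from_peercert(peercert), parse_dn(REQUIRED_ISSUER))
    return "accept" if ok else "reject"


# Constructed sample: two certificates an MDM-enrolled device might hold. The server
# receives exactly one of these per handshake; it never sees the other.
CERTS = {
    "corp-user-cert": {
        "issuer": (
            (("countryName", "US"),),
            (("organizationName", "domain.com"),),
            (("commonName", "domain.com Root CA"),),
        )
    },
    "mdm-device-cert": {
        "issuer": (
            (("countryName", "US"),),
            (("organizationName", "Example MDM"),),
            (("commonName", "Example MDM Device CA"),),
        )
    },
}

if __name__ == "__main__":
    for name, cert in CERTS.items():
        print(f"{name}: {decide(cert)}")
```

Rejecting on issuer is still worth doing as a backstop (it stops a user who picked the MDM certificate from being let through on the wrong identity), but on its own it just turns "wrong cert" into an error page; the advertised-CA list is what removes the guesswork from the picker.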