KB40329 - How to enable the Improved Certificate Preference Selection Method feature in Pulse Secure Desktop client.

Last Modified Date: 7/3/2018 9:05 PM
Synopsis
This article provides details on how to enable the Improved Certificate Preference Selection Method feature in Pulse Secure Desktop client.
Solution

Important Notes!

  • Starting in Pulse Secure Desktop 5.2R5 and above, the certificate preference selection method feature is available but must be configured manually on the Pulse client. To enable it, the Pulse connstore.dat file on the client PC has to be edited to include a client-certificate-selection-rule statement.
  • Starting in Pulse Connect Secure 8.3R2 and above, the certificate preference selection method feature is a configurable option in the admin UI, and the setting can be pushed to the Pulse client.
To determine the location of the connstore.dat file for versions other than Pulse 5.2R5, please refer to the Client-Side Changes documentation. The following locations were taken from the 5.2R3 Pulse Secure Desktop Client Client-Side Changes Guide, which is also applicable to Pulse 5.2R5:
  • Windows: C:\ProgramData\Pulse Secure\ConnectionStore\connstore.dat
  • Mac OSX: /Library/Application\ Support/Pulse\ Secure/Pulse/connstore.dat
Steps to enable the Certificate Selection Preference Method in the connstore.dat file:
  1. Create a backup of the original connstore.dat file by renaming it to connstore_backup.dat.
  2. Stop the Pulse Secure Service:
    • For Windows, stop the "Pulse Secure Service" service.
    • For macOS, run the following command in Terminal:
sudo launchctl unload /Library/LaunchDaemons/net.pulsesecure.AccessService.plist
  3. Open the connstore.dat file in a text editor, save it in the same directory as "connstore.dat", then continue editing.
  4. Locate the string "client-certificate-location-system", which is included once for each connection.
  5. Determine which connection(s) you wish to enable the certificate preference selection method for. (It may be necessary to add the statement multiple times, depending on the number of connections in the file.)
  6. Create a new line directly above this attribute and add one of the following statements:
 client-certificate-selection-rule: "LEGACY"
 client-certificate-selection-rule: "AUTO"
 client-certificate-selection-rule: "AUTO; PREFER:EKU{SMARTCARDLOGON}"

  7. Start the Pulse Secure Service:
    • For Windows, start the "Pulse Secure Service" service.
    • For macOS, run the following command in Terminal:
sudo launchctl load /Library/LaunchDaemons/net.pulsesecure.AccessService.plist
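As an added example (not Pulse Secure's own tooling), the following Python applies the locate-and-insert steps above to every "ive" connection block of a connstore.dat text: it places the rule line directly above client-certificate-location-system, keeps the file's indentation, skips blocks that already carry a rule, and rejects values other than the three documented ones. The sample input is constructed; the returned text is what you would write back as connstore.dat after the backup step, with the service stopped.

```python
# Added example (not Pulse Secure's tooling): applies the locate-and-insert steps to
# every "ive" connection block of a connstore.dat text. The sample input is constructed.
RULE_KEY = "client-certificate-selection-rule"
ANCHOR_KEY = "client-certificate-location-system"
VALID_RULES = ("LEGACY", "AUTO", "AUTO; PREFER:EKU{SMARTCARDLOGON}")


def _patch_block(lines, rule):
    # Insert the rule line directly above the anchor attribute, once per block.
    if any(ln.lstrip().startswith(RULE_KEY + ":") for ln in lines):
        return lines                      # already configured; never add a duplicate
    out = []
    for line in lines:
        if line.lstrip().startswith(ANCHOR_KEY + ":"):
            indent = line[: len(line) - len(line.lstrip())]
            out.append(f'{indent}{RULE_KEY}: "{rule}"\n')   # straight ASCII quotes only
        out.append(line)
    return out


def add_selection_rule(text, rule):
    """Return the connstore text with the rule added to every ive block."""
    if rule not in VALID_RULES:
        raise ValueError(f"unsupported rule: {rule!r}")
    out, block = [], None
    for line in text.splitlines(keepends=True):
        s = line.strip()
        if block is None and s.startswith("ive ") and s.endswith("{"):
            block = [line]                # entering a connection block
        elif block is None:
            out.append(line)              # text outside any block is copied unchanged
        else:
            block.append(line)
            if s == "}":                  # closing brace on its own line ends the block
                out.extend(_patch_block(block, rule))
                block = None
    if block is not None:
        raise ValueError("unterminated ive block in connstore.dat")
    return "".join(out)


SAMPLE = '''ive "xxxxx-xxxx-xxxx-xxxx-xxxxxx" {
  client-certificate-location-system: "false"
  friendly-name: "Office VPN"
}
ive "zzzzz-zzzz-zzzz-zzzz-zzzzzz" {
  client-certificate-selection-rule: "LEGACY"
  client-certificate-location-system: "false"
}
'''
```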

Pulse Connect Secure 8.3R2 Admin UI option:

Starting in 8.3R2, a new option was added to the Pulse Connection Settings called Client Certificate Selection Option.

[Image: Client Certificate Selection Option in Pulse Connection Settings]

  • If "Enable Automatic Client Certificate Selection" is enabled, the setting will be changed to AUTO.
  • If "Prefer smart card certificate" is enabled, the setting will be changed to AUTO;PREFER:EKU{SMARTCARDLOGON}.
  • If both options are disabled, the setting will be set to LEGACY.

 

Description of the available values:

  • LEGACY -- All certificates that meet the minimal requirements below have the same rank.
  • AUTO -- All certificates that meet the minimal requirements below start with the same rank. Higher ranks are given to certificates with a Key Usage of Digital Signature AND an Enhanced Key Usage of Client Authentication. If a certificate has a Key Usage of Digital Signature OR an Enhanced Key Usage of Client Authentication, but not both, it is given a lower rank than certificates that have both.
  • AUTO;PREFER:EKU{SMARTCARDLOGON} -- Same as AUTO, but certificates with EKU:SmartcardLogon are given a higher rank.


Minimal requirements for all certificates:

  1. Certificate has a private key
  2. Current time of the machine is within the certificate validity period
  3. Certificate is issued by a certificate authority in the Trusted Client CA list on the Pulse Connect Secure (PCS) device
Any certificate that does not meet these requirements is given a rank of 0 and will not be considered.
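The ranking logic above, as an added example in Python (not Pulse Secure's code): it applies the three minimal requirements and then the LEGACY, AUTO and AUTO;PREFER rules to a constructed set of certificates and returns the top-ranked candidates. The numeric tiers (1 to 3 under AUTO, plus 3 for the smart-card preference) and the assumption that a certificate with only one of the two usages outranks one with neither are choices made here to reproduce the ordering the article describes; the client's real scores are not given in the article.

```python
# Added example (not Pulse Secure's code); tier values are assumptions, see lead-in.
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class ClientCert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    has_private_key: bool
    key_usage: frozenset = frozenset()      # e.g. {"digitalSignature"}
    ext_key_usage: frozenset = frozenset()  # e.g. {"clientAuth", "smartcardLogon"}

def meets_minimum(cert, trusted_cas, now):
    """Minimal requirements 1-3: private key, within validity period, trusted issuer."""
    return (cert.has_private_key and cert.not_before <= now <= cert.not_after
            and cert.issuer in trusted_cas)

def rank(cert, rule, trusted_cas, now):
    """0 = not considered; higher is preferred; equal scores share a rank."""
    rule = rule.replace(" ", "").upper()   # accepts both spellings used in the article
    if rule not in ("LEGACY", "AUTO", "AUTO;PREFER:EKU{SMARTCARDLOGON}"):
        raise ValueError(f"unknown selection rule: {rule!r}")
    if not meets_minimum(cert, trusted_cas, now):
        return 0
    if rule == "LEGACY":
        return 1                           # every eligible certificate ranks equally
    ds, ca = "digitalSignature" in cert.key_usage, "clientAuth" in cert.ext_key_usage
    score = 3 if (ds and ca) else 2 if (ds or ca) else 1
    if rule.startswith("AUTO;PREFER") and "smartcardLogon" in cert.ext_key_usage:
        score += 3                         # assumption: beats every non-smart-card tier
    return score

def best_candidates(certs, rule, trusted_cas, now):
    # Subjects of the top-ranked eligible certificates (empty if none qualifies).
    scores = {c.subject: rank(c, rule, trusted_cas, now) for c in certs}
    top = max(scores.values(), default=0)
    return sorted(s for s, r in scores.items() if r == top and r > 0)

NOW, TRUSTED = datetime(2018, 7, 3), {"CN=Corp Issuing CA"}  # constructed clock and Trusted Client CA list
def _cert(subject, issuer="CN=Corp Issuing CA", ku=(), eku=(), until=2020):
    return ClientCert(subject, issuer, datetime(2016, 1, 1), datetime(until, 1, 1),
                      True, frozenset(ku), frozenset(eku))
SAMPLE_CERTS = [  # constructed certificate store
    _cert("CN=alice-smartcard", ku={"digitalSignature"}, eku={"clientAuth", "smartcardLogon"}),
    _cert("CN=alice-software", ku={"digitalSignature"}, eku={"clientAuth"}),
    _cert("CN=alice-encryption", ku={"keyEncipherment"}, eku={"emailProtection"}),
    _cert("CN=alice-expired", ku={"digitalSignature"}, eku={"clientAuth"}, until=2017),
    _cert("CN=alice-foreign", issuer="CN=Other CA", ku={"digitalSignature"}, eku={"clientAuth"}),
]
```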

Example of an original connstore.dat file prior to enabling the feature:
 
ive "xxxxx-xxxx-xxxx-xxxx-xxxxxx" {
  client-certificate-location-system: "false"
  connection-identity: "user"
  connection-policy: "manual"
  connection-policy-override: "true"
  connection-source: "preconfig"
  friendly-name: "Office VPN"
  guid: "yyyyy-yyyy-yyyy-yyyy-yyyyyyy"
  reconnect-at-session-timeout: "true"
  server-id: "ABCDEFGHI"
  sso-cached-credential: "false"
  this-server: "false"
  uri: "https://vpn.pulsesecure.net"
  uri-list: "https://vpn.pulsesecure.net"
  uri-list-randomize: "false"
  uri-list-use-last-connected: "false"
  use-for-connect: "true"
  use-for-secure-meetings: "true"
  version: "10"
}
 

Example of a connstore.dat file after adding the certificate preference selection method statement and setting it to "AUTO":
 

ive "xxxxx-xxxx-xxxx-xxxx-xxxxxx" {
  client-certificate-selection-rule: "AUTO"
  client-certificate-location-system: "false"
  connection-identity: "user"
  connection-policy: "manual"
  connection-policy-override: "true"
  connection-source: "preconfig"
  friendly-name: "Office VPN"
  guid: "yyyyy-yyyy-yyyy-yyyy-yyyyyyy"
  reconnect-at-session-timeout: "true"
  server-id: "ABCDEFGHI"
  sso-cached-credential: "false"
  this-server: "false"
  uri: "https://vpn.pulsesecure.net"
  uri-list: "https://vpn.pulsesecure.net"
  uri-list-randomize: "false"
  uri-list-use-last-connected: "false"
  use-for-connect: "true"
  use-for-secure-meetings: "true"
  version: "10"
}

Save the changes and run the Pulse client again to confirm the desired result is achieved.
Created By: Matthew Spiers