


KB21309 - IKEv2 using Machine Certificate for authentication



Last Modified Date: 8/2/2015 7:00 PM
This article provides information on how to set up IKEv2 by using a Machine Certificate for authentication.
Problem or Goal
User fails to authenticate by using a Machine Certificate via PCS IKEv2 and Windows 7.

Typical errors are:
  • Policy Mismatch. 
  • IKE authentication credentials are unacceptable.
For the initial setup, refer to the Using IKEv2 on Pulse Secure Access Appliance document.

In addition to the How-to document, adhere to the following requirements for a Machine Certificate to work properly.

On the PCS device:
  1. Enable VPN tunneling on the role and configure IKEv2 using the referenced document above.
  2. The PCS Device Certificate has EKU (Enhanced Key Usage) support for Web Server Authentication and Web Client Authentication (refer to Image 1).
  3. The Client Machine Certificate ROOT CA is installed in PCS Configuration > Certificates > Trusted Client CAs.
On the Client PC:
  1. Make sure that the Machine Certificate has EKU (Enhanced Key Usage) support for Web Server Authentication (refer to Image 1).
  2. Install the Machine Certificate in the Personal > Certificates folder in the Local Computer (Computer Account). Use MMC.exe to import it to the proper folder (refer to Image 2).
  3. Install the PCS Device Certificate Root CA in the Trusted Root Certification Authorities > Certificates folder in the Local Computer (Computer Account). Use MMC.exe to import it to the proper folder (refer to Image 2).
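
The client-side requirements above can be checked from PowerShell instead of by eye in MMC. The script below is an added example, not part of the original article or any Pulse Secure tooling. It assumes the EKUs named above are the standard serverAuth and clientAuth OIDs, and that the PCS device certificate has been exported to a file whose path you supply.

```powershell
# Added example, not from the KB. Written for PowerShell 2.0 (Windows 7 default).
# Assumption: the KB's Web Server/Client Authentication EKUs are these two OIDs.
$ServerAuth = '1.3.6.1.5.5.7.3.1'
$ClientAuth = '1.3.6.1.5.5.7.3.2'

function Get-EkuOids($Cert) {
    # OID strings from the Enhanced Key Usage extension (2.5.29.37), if present.
    $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } |
        ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value }
}

function Get-ChainRoot($Cert) {
    # Build the chain in machine context; skip revocation, only the top matters.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.Build($Cert)
    $chain.ChainElements | Select-Object -Last 1 | ForEach-Object { $_.Certificate }
}

function Test-RootInMachineStore($Cert) {
    # True only if the chain ends in a self-signed CA present in LocalMachine\Root.
    $root = Get-ChainRoot $Cert
    if (-not $root -or $root.Subject -ne $root.Issuer) { return $false }
    $trusted = @(Get-ChildItem Cert:\LocalMachine\Root | ForEach-Object { $_.Thumbprint })
    $trusted -contains $root.Thumbprint
}

function Get-MachineCertReport {
    # Client steps 1-2: certificates in Local Computer > Personal and their EKU.
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        New-Object PSObject -Property @{
            Subject       = $_.Subject
            HasPrivateKey = $_.HasPrivateKey          # extra check, not in the KB
            ServerAuthEku = (@(Get-EkuOids $_) -contains $ServerAuth)
            ChainRoot     = (Get-ChainRoot $_).Subject  # compare with PCS Trusted Client CAs
        }
    }
}

function Test-DeviceCert($Path) {
    # PCS step 2 and client step 3. $Path: full path to the exported device .cer.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    $eku = @(Get-EkuOids $cert)
    New-Object PSObject -Property @{
        ServerAuthEku      = ($eku -contains $ServerAuth)
        ClientAuthEku      = ($eku -contains $ClientAuth)
        RootInMachineStore = (Test-RootInMachineStore $cert)
    }
}
```

Run `Get-MachineCertReport | Format-List` to review the machine certificates, and `Test-DeviceCert` with the full path to your exported device certificate to confirm its EKUs and that its root CA is in the Local Computer trusted root store.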

Image 1 - Certificate with EKU (Enhanced Key Usage):

Image 2 - MMC console for Local Computer (Computer Account) certificate store:

Related Links
Attachment 1 
Created By: Data Deployment


