KB40126 - How to use the Pulse Secure Linux CLI client.

SA44101 - 2019-04: Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX

SA44601 - 2020-10: Security Bulletin: Multiple Vulnerabilities Resolved in Pulse Connect Secure / Pulse Policy Secure / Pulse Secure Desktop Client 9.1R9

KB43813 - Certificate authentication fails with error "Missing or Invalid Certificate" or other applications that rely on certificate authentication may fail after upgrading to the Pulse Mobile 7.0.0 for iOS

KB40397 - What's New - Pulse Secure Knowledge Base.

KB21828 - Pulse Secure Desktop Client does not launch and displays an error, if certificate authentication is configured

SA40241 - Pulse client privilege escalation issue (CVE-2016-2408)

KB43875 - Authentication with Pulse Desktop client fails with "General Error 1300" when Host Checker is configured with a machine certificate policy that is enforced on the role.

KB40111 - Pulse Secure Linux client does not support multiple authentication servers

SA40312 - September 22 2016 OpenSSL Security Advisory

< Back to search results

KB40514 - How to configure certificate authentication with Pulse Desktop Client for Linux

Printable View

« Go Back

Information

Last Modified Date	9/23/2019 5:45 PM

Synopsis

This article provides the steps to configure certificate authentication with Pulse Desktop Client for Linux.
This feature is available in Pulse Desktop Client for Linux starting with PCS 8.3R1 and Pulse 5.3R1.

Click here for the video portion of this article.

Problem or Goal

Features:

Starting with the release of PCS 8.3R1 and Pulse Linux 5.3R1 client certificate authentication is supported with Pulse Desktop Client for Linux.
Linux users can authenticate and establish a VPN session by selecting a certificate from the Login keyring store.
There is no additional licensing required to enable this feature.
There are no notable impacts to scale or performance with this feature.

Linux client Prerequisites:

The Pulse Desktop Client 5.3R1 installer should be saved locally to the Linux client or be available to download from a network share. (The packages can be downloaded from the PCS Admin Installers page or from https://my.pulsesecure.net. See KB40028 - [Customer Support Tools] How to download software using the Licensing & Download Center at my.pulsesecure.net for instructions on downloading software.)
libgnome keyring must be installed (This will get installed during Step 1 of the Pulse Linux installation.)
- Login keyring must exist in Password And Keys menu.
- Login keyring will not be created when using the "Trying Ubuntu without installation" causing certificate authentication installation script to fail.
Provide the Linux user with the Sign-in URL of PCS device.
The Client-side certificate (and private key file for .der or .pem format) along with the password for private key should be downloaded and saved locally to the Linux client--or available from a network share.

Certificate formats supported:

cert.der - Binary format
cert.pem - Base 64encoded ASCII format
cert.pfx - Binary format for storing the certificate, any intermediate certificates and private key in one encryptable file.

PCS Device Prerequisites: (Not covered in this article)

The certificate authorities for the client-side certificates being used for authentication should be imported to the PCS device trusted client CA store.
A Sign-in URL configured with a realm that authenticates to a certificate server and maps the user to a role that has Pulse configured on it should be configured.

Note: Certificate authentication will only work using the Pulse UI. This feature remains unsupported for the CLI.

Cause

Solution

Step 1: Install the Pulse Client and Depedencies

From the Linux client, run the following command to install the Pulse client:

sudo dpkg --install /mnt/hgfs/shared_dir/pulse-5.3R1.i386.deb

Install the dependency packages by running the following script:

/usr/local/pulse/PulseClient.sh install_dependency_packages

Step 2: Verify Pulse installation

Go to Applications and confirm that the Pulse client is installed with the following application icon:

User-added image

Step 3: Install the client-side certificate to the Pulse certificate store

Run the following command to see the options for installing the certificate to the Pulse certificate store:

/usr/local/pulse/PulseClient.sh install_certficates

Important! Pay close attention to the username stated during certificate installation. The certificate will only be available to the following user. It is not recommend to proceed as 'root'.

Enter 'y' to confirm the client certificate is being installed for the local signed-in user.
The client certificate installation options will be displayed on screen along with options to view and delete certificates from the Pulse Linux certificate store.

Step 4a: Install a certificate in .pem or .der format

To install the certificate in .pem or .der format, use the following command:

/usr/local/pulse/PulseClient.sh install_certficates -inpriv </PathtoCertPasswordFile/passwordFile.key> 
-inpub </locationOfCertificate/cert.pem>

Specify the location and file name of the private key password file with the -inpriv option.
Specify the location and file name of the certificate file with the -inpub option.

Example:

/usr/local/pulse/PulseClient.sh install_certificates -inpriv /mnt/hgfs/shared_dir/certs/fruitCert.key 
-inpub /mtn/hgfs/shared_dir/certs/fruitCert.pem

(In the example above the private key password file and the certificate file are located in the same network share directory. The files can be in different directories. Just be sure to specify the proper location for each.)

Enter 'y' to verify the certificate is being installed for the local user.
Verify that the certificate was successfully installed with the output: Successfully added certificate to Pulse Certificate store.

Note: If the import fails, ensure "Login" exists in the "Password and Keys" menu. If it does not exist, log out and login again should create the Login keyring.

User-added image

Step 4b: Install a certificate in .pfx or .p12 format

To install the certificate in .pfx format, use the following command:

/usr/local/pulse/PulseClient.sh install_certificates -inpfx /mnt/hgfs/shared_dir/10.30.113.196.pfx

Enter 'y' to confirm the client certificate is being installed for the local signed-in user.
Enter the import password.
Verify that the certificate was successfully installed with the output: Successfully added certificate to Pulse Certificate store.

Note: If the import fails, ensure "Login" exists in the "Password and Keys" menu. If it does not exist, log out and login again should create the Login keyring.

User-added image

Step 5: Add new connection to Pulse and connect

Launch Pulse and click the '+' button to add a connection.
Add a name for the connection.
Enter the connection URL. (Obtain from PCS admin.)
Click Save. The connection will be added to the Pulse connection list.
Click Connect to launch the new connection.
If multiple certificates are found in the Pulse certificate store they will be displayed under the connection.
Click View to display the certificate details for each certificate.
Select the certificate and click Continue.
The "Connect" button will change to "Disconnect" once the connection is complete.
Click the expand button for the active connection to view the status.
Click File > Connections > Advanced to confirm VPN connectivity.

Troubleshooting Steps:

Run the following command to check if certificate is installed:

/usr/local/pulse/./PulseClient_x86_64.sh list_installed_certificates

This should list all installed certificates. If "No Certificates Found" appears, then check the following directory for a .PEM certificate.

ls -l ~/.pulsesecure/pulse/certificates/
-rw-r--r--@   1 JTAC  JTAC   1570 Sep  5 11:24 jTf65alvZgxc-pub.pem

If a .PEM certificate does not exist, then change the file extension to .PEM using MV command, then run the list_installed_certificates switch again.

If the certificate is not listed:

If the certificate is not listed, then check the permission on the files in ~/.pulsesecure/pulse/certificates/ directory. In the above example, JTAC has permission to both the public key file. If the current login user is different, then execute chown command to ensure the current login user has permission to the following files.

For example, if the current login user is support, then the following command would be executed:

sudo chown support ~./pulsesecure/pulse/certificates/public.*

If the certificate is listed:

Check the pulsesvc.log for the following entries:

cert_store.error Failed to find the keys from gnome keyring                 
for certificate public_tmp (cert_store.cpp:186)
pulseui.info No certificate found in cert store (pulseCertAuth.cpp:244)

Ensure the private key entry exists under "Password and Keys"
- An entry for Pulse Service should exist
- In Details tab
  - The owner is pulsesvc
  - The key-name matches the public key filename in the certificate directory.

Ensure the complete certificate chain is installed under Trusted Client CAs on the Pulse Connect Secure device (including all root certificate, intermediate certificate(s) and the signer certificate).
Under Trusted Client CAs, confirm the checkbox is enabled for Participate in Client Certificate Negotiation for the CA that signs the end user certificates.

Refer to the Configuring Options for Trusted Client CA Certificates section in the PCS Admin Guide for more details.

Related Articles