This article provides the steps to configure certificate authentication with Pulse Desktop Client for Linux.
This feature is available in Pulse Desktop Client for Linux starting with PCS 8.3R1 and Pulse 5.3R1.

Click here for the video portion of this article.
 

Features:

• Starting with the release of PCS 8.3R1 and Pulse Linux 5.3R1 client certificate authentication is supported with Pulse Desktop Client for Linux.
• Linux users can authenticate and establish a VPN session by selecting a certificate from the Login keyring store.
• There is no additional licensing required to enable this feature.
• There are no notable impacts to scale or performance with this feature.

Linux client Prerequisites:

• The Pulse Desktop Client 5.3R1 installer should be saved locally to the Linux client or be available to download from a network share. (The packages can be downloaded from the PCS Admin Installers page or from https://my.pulsesecure.net.  See KB40028 - [Customer Support Tools] How to download software using the Licensing & Download Center at my.pulsesecure.net for instructions on downloading software.)
• libgnome keyring must be installed (This will get installed during Step 1 of the Pulse Linux installation.)
  • Login keyring must exist in Password And Keys menu.
  • Login keyring will not be created when using the "Trying Ubuntu without installation" causing certificate authentication installation script to fail.
• Provide the Linux user with the Sign-in URL of PCS device.
• The Client-side certificate (and private key file for .der or .pem format) along with the password for private key should be downloaded and saved locally to the Linux client--or available from a network share. 

Certificate formats supported:

• cert.der - Binary format
• cert.pem - Base 64encoded ASCII format
• cert.pfx - Binary format for storing the certificate, any intermediate certificates and private key in one encryptable file.

PCS Device Prerequisites: (Not covered in this article)

• The certificate authorities for the client-side certificates being used for authentication should be imported to the PCS device trusted client CA store. 
• A Sign-in URL configured with a realm that authenticates to a certificate server and maps the user to a role that has Pulse configured on it should be configured.

Note:  Certificate authentication will only work using the Pulse UI.  This feature remains unsupported for the CLI.

Step 1: Install the Pulse Client and Depedencies

1. From the Linux client, run the following command to install the Pulse client:

sudo dpkg --install /mnt/hgfs/shared_dir/pulse-5.3R1.i386.deb

2. Install the dependency packages by running the following script:

/usr/local/pulse/PulseClient.sh install_dependency_packages

 

Step 2: Verify Pulse installation

       Go to Applications and confirm that the Pulse client is installed with the following application icon:

      

Step 3: Install the client-side certificate to the Pulse certificate store

1. Run the following command to see the options for installing the certificate to the Pulse certificate store:

/usr/local/pulse/PulseClient.sh install_certficates

Important! Pay close attention to the username stated during certificate installation.  The certificate will only be available to the following user.  It is not recommend to proceed as 'root'.

2. Enter 'y' to confirm the client certificate is being installed for the local signed-in user.
3. The client certificate installation options will be displayed on screen along with options to view and delete certificates from the Pulse Linux certificate store.  

Step 4a: Install a certificate in .pem or .der format

1. To install the certificate in .pem or .der format, use the following command:​

/usr/local/pulse/PulseClient.sh install_certficates -inpriv </PathtoCertPasswordFile/passwordFile.key> 
-inpub </locationOfCertificate/cert.pem>

2. Specify the location and file name of the private key password file with the -inpriv option.
3. Specify the location and file name of the certificate file with the -inpub option.

/usr/local/pulse/PulseClient.sh install_certificates -inpriv /mnt/hgfs/shared_dir/certs/fruitCert.key 
-inpub /mtn/hgfs/shared_dir/certs/fruitCert.pem

(In the example above the private key password file and the certificate file are located in the same network share directory.  The files can be in different directories.  Just be sure to specify the proper location for each.)

4. Enter 'y' to verify the certificate is being installed for the local user.
5. Verify that the certificate was successfully installed with the output: Successfully added certificate to Pulse Certificate store.

Note: If the import fails, ensure "Login" exists in the "Password and Keys" menu.  If it does not exist, log out and login again should create the Login keyring.

Step 4b: Install a certificate in .pfx or .p12 format

1. To install the certificate in .pfx format, use the following command:​

/usr/local/pulse/PulseClient.sh install_certificates -inpfx /mnt/hgfs/shared_dir/10.30.113.196.pfx

2. Enter 'y' to confirm the client certificate is being installed for the local signed-in user.
3. Enter the import password. 
4. Verify that the certificate was successfully installed with the output: Successfully added certificate to Pulse Certificate store.

Note: If the import fails, ensure "Login" exists in the "Password and Keys" menu.  If it does not exist, log out and login again should create the Login keyring.

Step 5: Add new connection to Pulse and connect

1. Launch Pulse and click the '+' button to add a connection.
2. Add a name for the connection.
3. Enter the connection URL. (Obtain from PCS admin.)
4. Click Save.  The connection will be added to the Pulse connection list.
5. Click Connect to launch the new connection.
6. If multiple certificates are found in the Pulse certificate store they will be displayed under the connection.  
7. Click View to display the certificate details for each certificate.
8. Select the certificate and click Continue.
9. The "Connect" button will change to "Disconnect" once the connection is complete.
10. Click the expand button for the active connection to view the status.
11. Click File > Connections > Advanced to confirm VPN connectivity.

 

Troubleshooting Steps:

Run the following command to check if certificate is installed:

/usr/local/pulse/./PulseClient_x86_64.sh list_installed_certificates

This should list all installed certificates.  If "No Certificates Found" appears, then check the following directory for a .PEM certificate.

ls -l ~/.pulsesecure/pulse/certificates/
-rw-r--r--@   1 JTAC  JTAC   1570 Sep  5 11:24 jTf65alvZgxc-pub.pem 

If a .PEM certificate does not exist, then change the file extension to .PEM using MV command, then run the list_installed_certificates switch again.

If the certificate is not listed:

If the certificate is not listed, then check the permission on the files in ~/.pulsesecure/pulse/certificates/  directory. In the above example, JTAC has permission to both the public key file. If the current login user is different, then execute chown command to ensure the current login user has permission to the following files.

For example, if the current login user is support, then the following command would be executed:

sudo chown support ~./pulsesecure/pulse/certificates/public.*

 

If the certificate is listed:

Check the pulsesvc.log for the following entries:

cert_store.error Failed to find the keys from gnome keyring                 
for certificate public_tmp (cert_store.cpp:186)
pulseui.info No certificate found in cert store (pulseCertAuth.cpp:244)

1. Ensure the private key entry exists under "Password and Keys"
   • An entry for Pulse Service should exist
   • In Details tab
     • The owner is pulsesvc
     • The key-name matches the public key filename in the certificate directory.  

2. Ensure the complete certificate chain is installed under Trusted Client CAs on the Pulse Connect Secure device (including all root certificate, intermediate certificate(s) and the signer certificate).
3. Under Trusted Client CAs, confirm the checkbox is enabled for Participate in Client Certificate Negotiation for the CA that signs the end user certificates.

Refer to the Configuring Options for Trusted Client CA Certificates section in the PCS Admin Guide for more details.