Created by: Vishal Gudhka


Introduction:

Certificate-Based Authentication is a strong authentication mechanism that replaces passwords with digital certificates issued by a trusted Certificate Authority (CA). The client proves possession of the certificate's private key, so no reusable secret is sent to the gateway. There are two methods of certificate-based authentication:

  1. User Certificate-Based Authentication
  2. Device Certificate-Based Authentication

User Certificate-Based Authentication

Certificate Issuance

  • The client certificate is issued to a user identity (e.g., vishal.gudhka@outlook.com or vishal.gudhka).
  • The client certificate is stored in the “Personal” store of the current user (Windows: Cert:\CurrentUser\My; macOS: the user's login Keychain).

Device Certificate-Based Authentication

Certificate Issuance

  • The client certificate is issued to a device identity (hostname, serial number, or UUID).
  • The client certificate is stored in the local machine certificate store (Windows: Cert:\LocalMachine\My; macOS: the System Keychain). It is typically provisioned through MDM/Intune, and its private key should be protected by a hardware key store such as the TPM so it cannot be copied off the device.

Key Difference between User and Device certificate-based authentication

In practice, the significant difference lies in where the certificate and its private key are stored, not in the contents of the certificate itself.

Example:

  1. A client certificate is generated with the subject common-name = vishal.gudhka.
  2. If you store this certificate in the Personal store of the current user, you can use “User cert-based authentication”. OR
  3. If you store this certificate in the Local Machine's Personal store, you can use “Device cert-based authentication”.
  4. Note: If you store the same certificate in the Personal store of both the Local Machine and the current user, the enterprise can switch between user- and device-based certificate authentication without reissuing the certificate.
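The following PowerShell script is an added example (not part of the original page or the Concerto product) that puts the store-location rule above into practice on a Windows laptop: it imports the issued PFX into the Personal store that matches the chosen profile type and then reports which profile type(s) the certificate can now serve, which is exactly the "both stores" situation described in step 4. The PFX path, the password prompt and the subject common-name are assumptions for illustration.

```powershell
# Added example, not from the original page: install a client certificate into the
# Windows Personal store that matches the Concerto profile type, then report which
# profile type(s) that certificate can now serve. The PFX path, the password prompt
# and the subject CN are assumptions for illustration.
#Requires -Modules PKI
param(
    [ValidateSet('User', 'Device')]
    [string] $Mode = 'User',
    [string] $PfxPath = 'C:\certs\vishal.gudhka.pfx',   # assumed path to the issued PFX
    [string] $SubjectCN = 'vishal.gudhka'               # assumed subject common-name
)

# Personal ("My") store of the current user vs. the local machine.
$storeFor = [ordered]@{
    User   = 'Cert:\CurrentUser\My'
    Device = 'Cert:\LocalMachine\My'
}

function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    ([Security.Principal.WindowsPrincipal] $id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Install-ClientCertificate {
    param([string] $Path, [string] $Store)
    # LocalMachine\My is writable only from an elevated session; fail early with a clear message.
    if ($Store -like 'Cert:\LocalMachine\*' -and -not (Test-IsElevated)) {
        throw "Importing into $Store requires an elevated PowerShell session."
    }
    $password = Read-Host -Prompt "Password for $Path" -AsSecureString
    # Without -Exportable the private key stays non-exportable: the SASE client only needs to sign with it.
    Import-PfxCertificate -FilePath $Path -CertStoreLocation $Store -Password $password
}

function Get-ClientCertificateModes {
    # Returns the profile type(s) this certificate can serve, based purely on where a
    # copy with a usable private key is installed.
    param([string] $CN)
    $modes = foreach ($mode in $storeFor.Keys) {
        $match = Get-ChildItem $storeFor[$mode] |
            Where-Object { $_.Subject -match "CN=$([regex]::Escape($CN))(,|$)" -and $_.HasPrivateKey }
        if ($match) { $mode }
    }
    @($modes)
}

$cert = Install-ClientCertificate -Path $PfxPath -Store $storeFor[$Mode]
Write-Host "Installed $($cert.Subject) (thumbprint $($cert.Thumbprint)) into $($storeFor[$Mode])"

$modes = Get-ClientCertificateModes -CN $SubjectCN
Write-Host "Certificate CN=$SubjectCN can be used for: $($modes -join ' and ') certificate-based authentication"
```

Run it once with `-Mode User` from a normal session and once with `-Mode Device` from an elevated session to reproduce the "both stores" case; the final line then lists both modes. The `HasPrivateKey` filter matters: a certificate copied into a store without its private key shows up in the store but cannot complete either form of authentication.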

Configuration on Concerto

The configuration of User and Device Certificate-Based Authentication is the same, except that you choose either “User Certificate Based” or “Device Certificate Based” when creating the profile.

Steps:

  • Go to Configure → User and Device Authentication → Profiles → Click “+Add” to create a new Profile.

  • Choose the “User Certificate Based” or “Device Certificate Based” option → Click Get Started.

  1. Under Client CA Chain, upload the CA certificate and the Intermediate certificate(s), if any.
  2. Under Username Identifying Field in Certificate, choose one of:
    1. Subject Common-name
    2. Subject-Alternative-name email
    3. Subject-Alternative-name principal name
  3. Leave the remaining fields at their defaults and click “Next”.
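To see which username Concerto would derive from an issued certificate under each of the three Username Identifying Field options, and to confirm that the certificate actually chains to the CA uploaded under Client CA Chain, the following PowerShell script is an added example (not the page's or Concerto's own code), run on the laptop that holds the certificate. The store path, subject common-name and CA file path are assumptions for illustration.

```powershell
# Added example, not from the original page: report the three candidate usernames
# Concerto can take from a client certificate, check the Client Authentication EKU,
# and confirm the certificate chains to the CA uploaded under Client CA Chain.
# The store path, subject CN and CA file path are assumptions for illustration.
param(
    [string] $StorePath  = 'Cert:\CurrentUser\My',            # Cert:\LocalMachine\My for a device profile
    [string] $SubjectCN  = 'vishal.gudhka',                   # assumed subject common-name
    [string] $CaCertPath = 'C:\certs\enterprise-root-ca.cer'  # assumed: the root CA file also uploaded to Concerto
)

$cert = Get-ChildItem $StorePath |
    Where-Object { $_.Subject -match "CN=$([regex]::Escape($SubjectCN))(,|$)" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1   # newest copy if it was renewed
if (-not $cert) { throw "No certificate with CN=$SubjectCN found in $StorePath" }

function Get-ConcertoUsernameCandidates {
    # One entry per "Username Identifying Field in Certificate" option; empty string = not in the cert.
    param($Cert)
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]
    [ordered]@{
        'Subject Common-name'                     = $Cert.GetNameInfo($nameType::SimpleName, $false)
        'Subject-Alternative-name email'          = $Cert.GetNameInfo($nameType::EmailName,  $false)
        'Subject-Alternative-name principal name' = $Cert.GetNameInfo($nameType::UpnName,    $false)
    }
}

function Test-ClientAuthEku {
    # No EKU extension means "any purpose"; otherwise Client Authentication (1.3.6.1.5.5.7.3.2) must be listed.
    param($Cert)
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $eku) { return $true }
    [bool] ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })
}

function Test-ChainsToUploadedCa {
    # Builds the chain from the local trust stores and compares its top certificate with the root CA file.
    param($Cert, [string] $CaPath)
    $ca    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CaPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline sanity check; revocation is enforced by the gateway
    [void] $chain.Build($Cert)                        # a partial chain still exposes the elements it found
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $top.Thumbprint -eq $ca.Thumbprint
}

Write-Host "Certificate: $($cert.Subject)  (expires $($cert.NotAfter.ToShortDateString()))"
foreach ($entry in (Get-ConcertoUsernameCandidates -Cert $cert).GetEnumerator()) {
    $value = if ($entry.Value) { $entry.Value } else { '<not present in certificate>' }
    Write-Host ('  {0,-42} -> {1}' -f $entry.Key, $value)
}
Write-Host "Client Authentication EKU present : $(Test-ClientAuthEku -Cert $cert)"
Write-Host "Chains to uploaded root CA        : $(Test-ChainsToUploadedCa -Cert $cert -CaPath $CaCertPath)"
```

Pick the identifying field that your CA actually populates: a field reported here as absent gives Concerto nothing to map to a username. The EKU check is a practical caveat, since many CA templates restrict the certificate's purpose, and a certificate whose EKU lists only Server Authentication or Smart Card Logon is not a client-authentication certificate even though it sits in the correct store.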

  1. Go to the Review & Submit tab → enter the Filename → click “Save”.

  • Go to Configure → Secure Access → Client-based Access → Settings.
    1. Choose the authentication profile under “Default Authentication Profile”.

  • Publish the changes to the SSE Gateways.

SASE Client

  1. Install the client certificate on your laptop, in the store that matches the profile type (current user for User Certificate Based, local machine for Device Certificate Based).
  2. On your SASE client, perform registration.
  3. Upon successful registration, the user is connected to the SASE/SSE gateway.