Feature #15527
IPSec Profile Wizard/Windows: Filter User Certificate by Issuer
Status: New
Priority: Low
Assignee: -
Category: IPsec Profile Wizard
Target version: -
% Done: 0%
Description
Windows EAP config has an option to filter which user certificates can be used by their issuer, so only these certificates appear in the dropdown on the GUI (or if there is only one matching certificate, the user is not prompted for one). If a user certificate is included in the download archive, could the following node be included in the script to filter by that certificate's issuing CA? Or even for the VPN's configured peer CA?
    ...
    <TLSExtensions xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">
      <FilteringInfo xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3">
        <CAHashList Enabled="true">
          <IssuerHash>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 </IssuerHash>
        </CAHashList>
      </FilteringInfo>
    </TLSExtensions>
    ...
This is useful in cases where the user has multiple user certificates installed with Client Authentication capability issued by different authorities (maybe just me lol), as it filters to just the certs this VPN will accept.
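One way the requested node could be produced, as an added example that is not part of the original request or of the wizard's generated script. It assumes that `IssuerHash` is the SHA-1 thumbprint of the issuing CA certificate written as space-separated hex bytes (consistent with the 20-byte placeholder above); the file name `ca.crt`, the function names `Get-IssuerHash` and `Add-IssuerFilter`, and the sample EAP fragment are constructed for illustration.

```powershell
# Added example; not the wizard's generated script.
param([string]$CaPath = '.\ca.crt')   # hypothetical: CA certificate from the archive

$nsV2 = 'http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2'
$nsV3 = 'http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3'

function Get-IssuerHash([string]$Path) {
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($full)
    # An issuer filter must name a CA, so reject a leaf (user) certificate.
    $bc = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    }
    if ($null -eq $bc -or -not $bc.CertificateAuthority) {
        throw "$Path is not a CA certificate"
    }
    # Assumption: IssuerHash is the SHA-1 thumbprint as space-separated hex bytes.
    ($cert.Thumbprint -replace '(..)(?!$)', '$1 ').ToUpper()
}

function Add-IssuerFilter([xml]$EapConfig, [string]$IssuerHash) {
    $ns = [System.Xml.XmlNamespaceManager]::new($EapConfig.NameTable)
    $ns.AddNamespace('v2', $nsV2)
    $tlsExt = $EapConfig.SelectSingleNode('//v2:TLSExtensions', $ns)
    if ($null -eq $tlsExt) { throw 'EAP config has no TLSExtensions element' }

    # Build FilteringInfo/CAHashList/IssuerHash in the V3 namespace.
    $hash = $EapConfig.CreateElement('IssuerHash', $nsV3)
    $hash.InnerText = $IssuerHash
    $list = $EapConfig.CreateElement('CAHashList', $nsV3)
    $list.SetAttribute('Enabled', 'true')
    [void]$list.AppendChild($hash)
    $filter = $EapConfig.CreateElement('FilteringInfo', $nsV3)
    [void]$filter.AppendChild($list)
    # Placed as the first child of TLSExtensions, as in the snippet above.
    [void]$tlsExt.PrependChild($filter)
    $EapConfig.OuterXml
}

# Constructed fragment standing in for an EAP-TLS config.
$sample = [xml]@"
<EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
  <TLSExtensions xmlns="$nsV2" />
</EapType>
"@
Add-IssuerFilter $sample (Get-IssuerHash $CaPath)
```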