Overview
When configuring device authentication for SDP clients, certificate-related issues may occur. This article covers basic device certificate troubleshooting. For more information about the feature, see Controlling Certified Corporate Devices.
Troubleshooting
The following are possible troubleshooting steps that can be taken while investigating Device Certificate issues.
1. As mentioned in Use the Client Connectivity Policy to Manage your Device Authentication Requirements, the per-OS device certificate configuration should be done using the Client Connectivity Policy.
Under Device Posture, you can create Device Checks for certificates (supported on these Client versions) that are installed on the end-user device. The check validates that a certificate installed on the device was signed by one of the signing certificates defined for the account. For more information, see Creating a Device Certificate Device Check.
Alternatively, if device authentication is configured under Access -> Client Access -> Device Authentication, verify that the OS in question is listed as Required and not as Blocked.
2. All the CA certificates uploaded to CMA are listed under Access -> Client Access -> Device Authentication. These are the Certificate Authority certificates that signed the device certificates. Clicking the "Show details" icon shows the certificate details in readable form.
3. It's important to confirm that the CA certificate isn't expired. If it is, the PoP allows the connection only if the certificate authority signed the device certificate before the CA certificate expired. For device certificates themselves, Cato doesn't allow a Client to connect with an expired certificate. For more information, see Handling Expired Certificates.
4. One way to ensure that the necessary CA certificates are uploaded to CMA is to look at the client certificate chain (certification path). In this example, the client certificate was signed by the intermediate certificate with "CN=Issuing CA Client", which in turn was signed by the root certificate with "CN=Root CA". Both must match the certificates uploaded to CMA.
5. As per RFC 3280, the Authority Key Identifier of the client certificate must match the Subject Key Identifier of its issuer (in this case, the intermediate certificate). This is another way to confirm that the correct intermediate and root CA certificates are uploaded to CMA.
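The checks in steps 3 to 5 can be scripted with openssl on any machine that has the exported device certificate and the CA certificates at hand. The script below is an added example, not part of the Cato article or product: it first builds a constructed three-tier chain (Root CA, Issuing CA Client, a device certificate with a made-up CN) so that it runs offline, then applies the expiry, AKI/SKI and chain checks to it. The file names and the "Other Root CA" used for the negative case are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): build a constructed chain with openssl
# (Root CA -> Issuing CA Client -> device cert) and apply the troubleshooting
# checks from steps 3-5: CA expiry, AKI/SKI linkage, and chain validation.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# Extension profiles: CA certs carry SKI + AKI like a real issuing CA; the device
# cert is a plain clientAuth leaf.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > leaf.ext

gen_key_csr() {  # $1 = file prefix, $2 = CN (constructed sample PKI, not real CAs)
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
}
gen_key_csr root "Root CA"
openssl x509 -req -in root.csr -signkey root.key -days 365 -extfile ca.ext -out root.pem >/dev/null 2>&1
gen_key_csr int "Issuing CA Client"
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 365 -extfile ca.ext -out int.pem >/dev/null 2>&1
gen_key_csr device "device-laptop-01"
openssl x509 -req -in device.csr -CA int.pem -CAkey int.key -CAcreateserial -days 90 -extfile leaf.ext -out device.pem >/dev/null 2>&1

# Step 5: the cert's Authority Key Identifier must equal the issuer's Subject Key Identifier.
key_id() {  # $1 = cert file, $2 = extension name -> colon-separated hex key id
  openssl x509 -noout -in "$1" -ext "$2" | grep -oE '([0-9A-F]{2}:){19}[0-9A-F]{2}'
}
links_to_issuer() {  # $1 = cert, $2 = candidate issuer cert
  [ "$(key_id "$1" authorityKeyIdentifier)" = "$(key_id "$2" subjectKeyIdentifier)" ]
}
# Step 3: flag an already-expired certificate (-checkend 0 = expires within 0 seconds).
not_expired() { openssl x509 -noout -in "$1" -checkend 0 >/dev/null; }
# Step 4: the full path must validate against the root that was uploaded to CMA.
chain_ok() {  # $1 = device cert, $2 = intermediate, $3 = root
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}
# Combined verdict: 0 = chain complete and valid, non-zero = something is missing.
check_device_cert() {
  not_expired "$3" && not_expired "$2" && links_to_issuer "$1" "$2" \
    && links_to_issuer "$2" "$3" && chain_ok "$1" "$2" "$3"
}
check_device_cert device.pem int.pem root.pem && echo "device certificate chain OK"

# Negative case: validating against a root that is not in the chain must fail,
# which is what a missing or wrong CA upload in CMA looks like.
gen_key_csr other "Other Root CA"
openssl x509 -req -in other.csr -signkey other.key -days 365 -extfile ca.ext -out other.pem >/dev/null 2>&1
chain_ok device.pem int.pem other.pem || echo "chain does not reach the uploaded CA"
```

To check a real export, point check_device_cert at the device certificate and the intermediate and root PEM files downloaded from CMA instead of the constructed ones.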
6. After confirming that the configuration looks good and that the certificate is valid, verify that the certificate is present on the client's OS.
Note: For more information about certificate distribution, see Distributing and Installing Device Certificates.
Windows:
In Windows, device certificates must be installed on the Local Computer and not under the Current User. There are two ways to verify the existence of the device certificate:
- Open the command prompt and run certutil -store My to list the certificates in the Local Computer's Personal store (certutil -user -store My lists the Current User store instead, which is not where device certificates belong). In the example below, the first certificate's issuer matches the subject of the CA certificate installed in step #2. If this isn't the case, the client doesn't have the necessary certificate on the device.
Certutil is a very powerful tool that can be used to list, revoke or renew certificates. You may find more information about the tool here.
- certutil can also be used to install the PFX (p12) certificate file on the device by running the command below. This is the recommended way to install the certificate on Windows devices, as explained in Distributing Device Certificates to Windows Devices.
  certutil -csp "Microsoft Software Key Storage Provider" -importpfx My <path-to-p12-file> NoExport
- Alternatively, you can verify the installed certificates by running certlm.msc from the Windows Start Menu. This shows all certificates installed on the Local Computer. The device certificate must be installed under the Local Computer's Personal/Certificates folder and must include its private key, which the PFX import installs alongside the certificate.
macOS and iOS:
macOS v5.3 and below:
Verify that the macOS client contains the configuration profile previously distributed via MDM or Apple Configurator. On macOS 13, the profile can be found under Privacy & Security settings. To locate the profile in older macOS versions, see the macOS user guide.
Any iOS version:
Verify that the iOS device contains the configuration profile previously distributed via MDM or Apple Configurator. On iOS 18, the profile can be found under General > VPN & Device Management > configuration profile. To locate the profile in older iOS versions, see the iOS user guide.
Make sure that the VPN profile is correctly configured. The VPN payload must be configured according to the device type (macOS or iOS):
- Connection Type: Custom SSL
- Identifier:
  - For macOS: com.catonetworks.mac.CatoClient
  - For iOS: CatoNetworks.CatoVPN
- Server: vpn.catonetworks.net
- Account: add your account name. For example: CatoNetworksAccount.
- Provider Bundle Identifier:
  - For macOS: com.catonetworks.mac.CatoClient.CatoClientSysExtension
  - For iOS: CatoNetworks.CatoVPN.CatoVPNNEExtenstion
- Provider Designated Requirement: empty
- User Authentication: Certificate
- Provider Type: Packet Tunnel
- Credentials: Choose the certificate from the 'Certificates' payload
- Proxy Setup: None
For detailed information on VPN profile configuration, see Distributing Device Certificates to macOS and iOS Devices.
macOS v5.4 and above:
Starting with macOS Client v5.4, the certificate can be installed directly on the device without MDM distribution. The certificate and private key can be found in Keychain Access.
Device certificates may be distributed to macOS devices as explained in Distributing Device Certificates, or via Microsoft Active Directory using a Windows Enterprise CA. See: How to Create and Deploy a Client Certificate for Mac Computers Independently from Configuration Manager.
The user certificate can be found under the login section in Keychain Access:
- Make sure that the certificate is set to 'Always Trust'.
- Make sure that the private key's access control setting allows Cato Client or 'Allow all applications to access this item'.
1 comment
Is it worth mentioning that the certificate chain shall be installed in CMA?