The Tunnel SSL certificate requires that both Client Authentication and Server Authentication be enabled in the Enhanced Key Usage details of the certificate. If both are enabled, the UEM Console requirements for the Tunnel SSL certificate are met. If they are not, the certificate provider must reissue a certificate with both Client Authentication and Server Authentication enabled.
Device Impact if Client and Server Authentication are not enabled
If Client and Server Authentication are not enabled in the Enhanced Key Usage details of the certificate, the per-app tunnel will not connect on the device. Additionally, whitelisted applications will not trigger the per-app VPN.
The Tunnel logs will display the following if these settings are not enabled:
WARN: SSL certificate preverify FAILED err=26 (unsupported certificate purpose)
INFO: TCPSocket 7 bytes sent
DEBUG: *10416 SSL_do_handshake returns -1
ERROR: ProcessTCPRead PerformHandshake returns VPN_ERROR
INFO: Session 10416 Tunnel Handshake Failed
A Wireshark capture of the Tunnel handshake will also show the certificate being rejected as unsupported.
How to verify Authentication is enabled in the certificate
To verify that both purposes are enabled in the certificate, run the following openssl command on the server against the configured tunnel port (the redirect from /dev/null stops s_client from waiting for input) and confirm that the Certificate purposes section of the response shows "SSL client : Yes" and "SSL server : Yes":
openssl s_client -connect localhost:port </dev/null | openssl x509 -noout -purpose
Alternatively, open the Enhanced Key Usage details of the certificate and check that both Client Authentication and Server Authentication are listed.
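The following script is an added example for this article, not VMware or Workspace ONE code. It performs the same check as the openssl command above, but reads the Extended Key Usage extension directly so that a certificate with no EKU extension at all (which openssl -purpose would still report as usable for both roles) is also flagged. It assumes OpenSSL 1.1.1 or newer for the -ext and -addext options; the certificates it generates are constructed test data, and the host name tunnel.example.test is a placeholder.

```shell
#!/bin/sh
# Added example for this KB article (not VMware/Workspace ONE code).
# Checks whether a certificate's Extended Key Usage lists both
# "TLS Web Server Authentication" (serverAuth) and
# "TLS Web Client Authentication" (clientAuth), the requirement the
# article states for the Tunnel SSL certificate.
# Assumes OpenSSL 1.1.1 or newer ("-ext" and "-addext" options).

# eku_ok FILE.pem
#   returns 0 when both purposes are present in the EKU extension,
#   1 when either is missing (or the extension is absent),
#   2 when the file cannot be parsed as a certificate.
eku_ok() {
  eku=$(openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null) || return 2
  case "$eku" in
    *"TLS Web Server Authentication"*) ;;
    *) return 1 ;;
  esac
  case "$eku" in
    *"TLS Web Client Authentication"*) return 0 ;;
    *) return 1 ;;
  esac
}

# remote_eku_ok HOST PORT
#   Same check against the certificate a live listener presents, using
#   the article's s_client pipeline. </dev/null stops s_client from
#   waiting on stdin. Not exercised by the demo below (no network needed).
remote_eku_ok() {
  pem=$(openssl s_client -connect "$1:$2" </dev/null 2>/dev/null | openssl x509 2>/dev/null) || return 2
  tmp=$(mktemp) || return 2
  printf '%s\n' "$pem" >"$tmp"
  eku_ok "$tmp"; rc=$?
  rm -f "$tmp"
  return $rc
}

# make_test_cert FILE.pem EKU_LIST
#   Constructed self-signed certificate for demonstration only
#   (tunnel.example.test is a placeholder name).
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=tunnel.example.test" \
    -addext "extendedKeyUsage=$2" \
    -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# Demo: one certificate that meets the requirement, one that does not.
demo_dir=$(mktemp -d)
make_test_cert "$demo_dir/good.pem" "serverAuth,clientAuth"
make_test_cert "$demo_dir/bad.pem"  "serverAuth"
for f in good.pem bad.pem; do
  if eku_ok "$demo_dir/$f"; then
    echo "$f: EKU has both Client and Server Authentication"
  else
    echo "$f: EKU missing Client or Server Authentication (Tunnel handshake would fail)"
  fi
done
rm -rf "$demo_dir"
```

To check the certificate a running Tunnel server presents, call remote_eku_ok with the host and the configured tunnel port; a non-zero return means the certificate will produce the "unsupported certificate purpose" handshake failure shown in the log excerpt above.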