How can I perform certificate authentication, and what is the difference between certificate-anonymous mode and certificate-challenge mode?


Certificate authentication verifies the identities of SSL VPN users using a CA certificate in either of the following modes:
- Certificate-anonymous mode: The SSL VPN gateway extracts the user information carried in the CA certificate to verify the identities of SSL VPN users.
- Certificate-challenge mode: The SSL VPN gateway verifies the identities of SSL VPN users by extracting the user information carried in the CA certificate and, in addition, performing local or server authentication.
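The difference between the two modes can be modelled in a few lines of Python. This is an added example, not the gateway's own code. It assumes the TLS layer has already validated the client certificate against the CA and handed over the dictionary that `ssl.SSLSocket.getpeercert()` returns; the user store, the sample certificate, and the rule that the typed user name must equal the certificate's commonName are assumptions made for illustration, and only local (not server) authentication is modelled.

```python
import hashlib
import hmac
from typing import Optional


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed local user store: user name -> (salt, PBKDF2-SHA256 hash).
_SALT = b"constructed-salt"
LOCAL_USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Constructed sample in the format ssl.SSLSocket.getpeercert() returns.
ALICE_CERT = {
    "subject": ((("organizationName", "Example Org"),), (("commonName", "alice"),)),
    "issuer": ((("commonName", "Example CA"),),),
}


def cert_username(peer_cert: dict) -> Optional[str]:
    """Extract the user information (subject commonName) from the certificate."""
    for rdn in peer_cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def local_auth(username: Optional[str], password: Optional[str]) -> bool:
    """Second factor used by certificate-challenge mode (local database only)."""
    record = LOCAL_USERS.get(username)
    if record is None or password is None:
        return False
    salt, expected = record
    return hmac.compare_digest(_hash(password, salt), expected)


def authenticate(mode, peer_cert, username=None, password=None) -> Optional[str]:
    """Return the authenticated user name, or None when login is refused."""
    # getpeercert() yields None or {} when no validated certificate exists.
    cert_user = cert_username(peer_cert) if peer_cert else None
    if cert_user is None:
        return None
    if mode == "certificate-anonymous":
        return cert_user  # the certificate alone identifies the user
    if mode == "certificate-challenge":
        # Assumption: the typed name must match the certificate's user.
        ok = username == cert_user and local_auth(username, password)
        return cert_user if ok else None
    raise ValueError("unknown mode: %r" % mode)
```

In certificate-anonymous mode, possession of a valid certificate is the only factor, so a stolen certificate and key are sufficient to log in; certificate-challenge mode also requires the account password.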

SSL VPN supports only TLS 1.0, TLS 1.1, TLS 1.2, and SSL 3.0. To use Internet Explorer to log in to a virtual gateway, ensure that the SSL protocol set in Internet Explorer is supported by SSL VPN. Otherwise, an exception may occur. For example, if SSL 2.0 is set in Internet Explorer and certificate-anonymous authentication is used to log in to the virtual gateway, the virtual gateway will display "Your certificate is invalid. Provide a valid certificate".

Other related questions:
Differences between the CA certificate, local certificate, and self-signed certificate
1. Self-signed certificate: A self-signed certificate is also called a root certificate. It is signed by the same entity whose identity it certifies. When an applicant cannot apply for a local certificate from a CA, the applicant can use a self-signed certificate generated by the device to implement a simple certificate issuing function. The device does not implement lifecycle management, such as certificate updates and certificate revocation, for the self-signed certificates generated by other devices.
2. CA certificate: It is used to verify a CA's identity. If the PKI system does not have multiple CAs, the CA certificate is a self-signed certificate. If the PKI system has multiple CAs, a CA hierarchy is formed. At the top of the hierarchy is a root CA, which has a self-signed certificate. An applicant determines whether to trust a CA by verifying the digital signature of the CA. Any applicant can obtain a CA certificate (including the public key) to verify the issued local certificate.
3. Local certificate: It is a certificate issued by the CA to an applicant.
4. Local certificate: A device certificate is issued by a PKI entity with a certificate authority (CA) signature. The issuer name of the certificate is the name of the CA server. When an applicant cannot apply for a local certificate from a CA, the applicant can use a self-signed certificate generated by the device to implement a simple certificate issuing function.
