Certificate picker for SSO on Windows browsers

One of the most underrated features of SSO is the ability to automatically select the right client certificate for a given domain. TLS does let the server indicate which CAs it accepts when it requests a certificate, but a device or a user may hold several certificates that satisfy that request depending on the scenario. The browser may then pick the wrong one, or fall back to prompting the user with a picker, which is an inconvenience for the end user and a problem for security as well, since a certificate meant for one service ends up being presented to another.

Luckily, browsers can be configured to choose the right certificate for the right domain, and that configuration can be deployed with Workspace ONE UEM whichever browser is in use. The deployment itself depends on the browser, but 99% of the time an ADMX is available, and that is the method used here.

ADMX Install

For the ADMX to be available on the machine we use the ADMX Install CSP, which creates a bridge between the Policy CSP, the ADMX policy definitions and the registry keys those policies write.

Several articles already describe the CSP and how to install an ADMX with it; this article assumes the ADMX is already installed on the device through ADMX Install and ready to be used.

Chromium Based Browsers

Chromium based browsers use the AutoSelectCertificateForUrls policy. Where the setting lives differs by browser (Edge and Chrome each have their own ADMX and registry key), but the format of each rule is the same across browsers and platforms.

Each rule is a JSON object with a URL pattern and a certificate filter, so it needs to be escaped when it is embedded in the XML policy payload. The filter lists only the issuer and subject attributes that must match; attributes left out are not checked, and an empty filter ({}) matches any certificate, so keep both the pattern and the filter as specific as the SSO endpoint allows.

JSON Example

{
  "pattern": "https://sso.digitalworkspace.one",
  "filter": {
    "ISSUER": {
      "CN": "certificate issuer name",
      "L": "certificate issuer location",
      "O": "certificate issuer org",
      "OU": "certificate issuer org unit"
    },
    "SUBJECT": {
      "CN": "certificate subject name",
      "L": "certificate subject location",
      "O": "certificate subject org",
      "OU": "certificate subject org unit"
    }
  }
}
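To make the matching semantics concrete, here is an added example (not code from the article, nor Chromium's own code) that models how a Chromium browser picks a certificate from rules in this format. It approximates the URL pattern grammar as scheme://host:port with [*.] for subdomains, ANDs the filter attributes, treats an empty filter as matching every certificate, and returns None where no rule applies and the user would see the picker. The rules, certificate names and hostnames in it are constructed for the example.

```python
"""Simplified model of Chromium's AutoSelectCertificateForUrls matching.
Added example with constructed rules, certificates and hostnames; it is not
Chromium's code and approximates its URL pattern grammar."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Rules in the policy's JSON format. The last one is the mistake to avoid:
# an empty filter sends whichever certificate comes first, without a prompt.
RULES = [
    {"pattern": "https://sso.digitalworkspace.one",
     "filter": {"ISSUER": {"CN": "Corp Issuing CA", "O": "Corp"},
                "SUBJECT": {"OU": "Employees"}}},
    {"pattern": "https://[*.]partner.example:8443",
     "filter": {"ISSUER": {"CN": "Partner CA"}}},
    {"pattern": "https://legacy.example",
     "filter": {}},
]

# Certificates in the user's store, reduced to the name attributes a filter
# can test. O and OU may carry several values, as in a real X.509 name.
CERTS = [
    {"label": "employee-cert",
     "issuer": {"CN": "Corp Issuing CA", "O": "Corp"},
     "subject": {"CN": "alice", "O": "Corp", "OU": ["Employees", "IT"]}},
    {"label": "partner-cert",
     "issuer": {"CN": "Partner CA", "O": "Partner Ltd"},
     "subject": {"CN": "alice@partner", "O": "Partner Ltd"}},
]


def pattern_matches(pattern: str, url: str) -> bool:
    """scheme://host[:port]; a '*' scheme or port, or an omitted port, matches
    anything, and '[*.]' before the host also matches its subdomains."""
    if pattern == "*":
        return True
    scheme, _, rest = pattern.partition("://") if "://" in pattern else ("*", "", pattern)
    host, _, port = rest.partition(":")
    subdomains = host.startswith("[*.]")
    host = host[4:].lower() if subdomains else host.lower()
    u = urlsplit(url)
    if scheme not in ("*", u.scheme):
        return False
    uhost = (u.hostname or "").lower()
    if uhost != host and not (subdomains and uhost.endswith("." + host)):
        return False
    if port in ("", "*"):
        return True
    return str(u.port or DEFAULT_PORTS.get(u.scheme)) == port


def _name_matches(wanted: dict, actual: dict) -> bool:
    for attr, value in wanted.items():
        have = actual.get(attr)
        if value not in (have if isinstance(have, list) else [have]):
            return False
    return True


def filter_matches(cert_filter: dict, cert: dict) -> bool:
    """Every attribute listed under ISSUER and SUBJECT must equal the
    certificate's; attributes not listed are ignored, so {} matches all."""
    return (_name_matches(cert_filter.get("ISSUER", {}), cert["issuer"])
            and _name_matches(cert_filter.get("SUBJECT", {}), cert["subject"]))


def select_certificate(url: str, certs=CERTS, rules=RULES):
    """Label of the certificate the browser would send silently, or None when
    no rule applies and the user gets the certificate picker instead."""
    filters = [r["filter"] for r in rules if pattern_matches(r["pattern"], url)]
    for cert in certs:
        if any(filter_matches(f, cert) for f in filters):
            return cert["label"]
    return None


def audit_rules(rules=RULES) -> list:
    """Patterns of rules that would auto-select any certificate for any site."""
    return [r["pattern"] for r in rules if not r["filter"] or r["pattern"] == "*"]


if __name__ == "__main__":
    for url in ("https://sso.digitalworkspace.one/login",
                "https://api.partner.example:8443/",
                "https://api.partner.example/",
                "https://legacy.example/",
                "https://unknown.example/"):
        print(url, "->", select_certificate(url))
    print("overly broad rules:", audit_rules())
```

Running it shows that the legacy.example rule silently sends the first certificate in the store, which is exactly the wrong-certificate case the policy is meant to prevent; audit_rules() flags such rules before they reach a profile. Note also that a pattern with an explicit port does not match the default port, so https://api.partner.example/ still gets the picker.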

Edge

AutoSelectCertificateForUrls documentation: Microsoft Edge Browser Policy Documentation | Microsoft Docs

$URL_PATTERN format: Filter format for Microsoft Edge URL policies | Microsoft Docs

Install Settings

Each list entry is written as its index, the separator &#xF000; and the JSON rule, and the quotes inside the JSON are escaped as &quot; so the policy payload stays well-formed XML:

<Replace>
  <CmdID>440c3845-6ed3-44f6-8e09-c2a7fe9e3ef9</CmdID>
  <Item>
    <Meta>
      <Format xmlns="syncml:metinf">chr</Format>
      <Type>text/plain</Type>
    </Meta>
    <Target>
      <LocURI>./Device/Vendor/MSFT/Policy/Config/edge~Policy~microsoft_edge~ContentSettings/AutoSelectCertificateForUrls</LocURI>
    </Target>
    <Data><![CDATA[<enabled/><data id="AutoSelectCertificateForUrlsDesc" value="1&#xF000;{&quot;pattern&quot;:&quot;https://www.1.com&quot;,&quot;filter&quot;:{&quot;ISSUER&quot;:{&quot;CN&quot;:&quot;certificate issuer name&quot;, &quot;L&quot;: &quot;certificate issuer location&quot;, &quot;O&quot;: &quot;certificate issuer org&quot;, &quot;OU&quot;: &quot;certificate issuer org unit&quot;}, &quot;SUBJECT&quot;:{&quot;CN&quot;:&quot;certificate subject name&quot;, &quot;L&quot;: &quot;certificate subject location&quot;, &quot;O&quot;: &quot;certificate subject org&quot;, &quot;OU&quot;: &quot;certificate subject org unit&quot;}}}&#xF000;2&#xF000;{&quot;pattern&quot;:&quot;https://www.2.com&quot;,&quot;filter&quot;:{&quot;ISSUER&quot;:{&quot;CN&quot;:&quot;certificate issuer name&quot;, &quot;L&quot;: &quot;certificate issuer location&quot;, &quot;O&quot;: &quot;certificate issuer org&quot;, &quot;OU&quot;: &quot;certificate issuer org unit&quot;}, &quot;SUBJECT&quot;:{&quot;CN&quot;:&quot;certificate subject name&quot;, &quot;L&quot;: &quot;certificate subject location&quot;, &quot;O&quot;: &quot;certificate subject org&quot;, &quot;OU&quot;: &quot;certificate subject org unit&quot;}}}&#xF000;3&#xF000;{&quot;pattern&quot;:&quot;https://www.3.com&quot;,&quot;filter&quot;:{&quot;ISSUER&quot;:{&quot;CN&quot;:&quot;certificate issuer name&quot;, &quot;L&quot;: &quot;certificate issuer location&quot;, &quot;O&quot;: &quot;certificate issuer org&quot;, &quot;OU&quot;: &quot;certificate issuer org unit&quot;}, &quot;SUBJECT&quot;:{&quot;CN&quot;:&quot;certificate subject name&quot;, &quot;L&quot;: &quot;certificate subject location&quot;, &quot;O&quot;: &quot;certificate subject org&quot;, &quot;OU&quot;: &quot;certificate subject org unit&quot;}}}" />]]></Data>
  </Item>
</Replace>

Remove Settings

<Delete>
  <CmdID>1cb70b36-54fa-4601-bdd1-181ae1715843</CmdID>
  <Item>
    <Target>
      <LocURI>./Device/Vendor/MSFT/Policy/Config/edge~Policy~microsoft_edge~ContentSettings/AutoSelectCertificateForUrls</LocURI>
    </Target>
  </Item>
</Delete>

Resulting Registry Value

Once the policy is applied, each list entry becomes a string value under the Edge policy key, named after its index (1, 2, 3 ...) and holding the rule's JSON; checking this key on a test device confirms that the escaping survived the trip through the CSP:

SOFTWARE\Policies\Microsoft\Edge\AutoSelectCertificateForUrls\1 = "{\"pattern\":\"https://digitalworkspace.one\",\"filter\":{\"ISSUER\":{\"CN\":\"certificate issuer name\", \"L\": \"certificate issuer location\", \"O\": \"certificate issuer org\", \"OU\": \"certificate issuer org unit\"}, \"SUBJECT\":{\"CN\":\"certificate subject name\", \"L\": \"certificate subject location\", \"O\": \"certificate subject org\", \"OU\": \"certificate subject org unit\"}}}"

Chrome

AutoSelectCertificateForUrls documentation: Chrome Enterprise policy list and management | Documentation

$URL_PATTERN format: Enterprise policy URL pattern format – Chrome Enterprise

Install Settings

<Replace>
  <CmdID>440c3845-6ed3-44f6-8e09-c2a7fe9e3ef9</CmdID>
  <Item>
    <Meta>
      <Format xmlns="syncml:metinf">chr</Format>
      <Type>text/plain</Type>
    </Meta>
    <Target>
      <LocURI>./Device/Vendor/MSFT/Policy/Config/chrome~Policy~googlechrome~ContentSettings/AutoSelectCertificateForUrls</LocURI>
    </Target>
    <Data><![CDATA[<enabled/><data id="AutoSelectCertificateForUrlsDesc" value="1&#xF000;{&quot;pattern&quot;:&quot;https://www.1.com&quot;,&quot;filter&quot;:{&quot;ISSUER&quot;:{&quot;CN&quot;:&quot;certificate issuer name&quot;, &quot;L&quot;: &quot;certificate issuer location&quot;, &quot;O&quot;: &quot;certificate issuer org&quot;, &quot;OU&quot;: &quot;certificate issuer org unit&quot;}, &quot;SUBJECT&quot;:{&quot;CN&quot;:&quot;certificate subject name&quot;, &quot;L&quot;: &quot;certificate subject location&quot;, &quot;O&quot;: &quot;certificate subject org&quot;, &quot;OU&quot;: &quot;certificate subject org unit&quot;}}}&#xF000;2&#xF000;{&quot;pattern&quot;:&quot;https://www.2.com&quot;,&quot;filter&quot;:{&quot;ISSUER&quot;:{&quot;CN&quot;:&quot;certificate issuer name&quot;, &quot;L&quot;: &quot;certificate issuer location&quot;, &quot;O&quot;: &quot;certificate issuer org&quot;, &quot;OU&quot;: &quot;certificate issuer org unit&quot;}, &quot;SUBJECT&quot;:{&quot;CN&quot;:&quot;certificate subject name&quot;, &quot;L&quot;: &quot;certificate subject location&quot;, &quot;O&quot;: &quot;certificate subject org&quot;, &quot;OU&quot;: &quot;certificate subject org unit&quot;}}}&#xF000;3&#xF000;{&quot;pattern&quot;:&quot;https://www.3.com&quot;,&quot;filter&quot;:{&quot;ISSUER&quot;:{&quot;CN&quot;:&quot;certificate issuer name&quot;, &quot;L&quot;: &quot;certificate issuer location&quot;, &quot;O&quot;: &quot;certificate issuer org&quot;, &quot;OU&quot;: &quot;certificate issuer org unit&quot;}, &quot;SUBJECT&quot;:{&quot;CN&quot;:&quot;certificate subject name&quot;, &quot;L&quot;: &quot;certificate subject location&quot;, &quot;O&quot;: &quot;certificate subject org&quot;, &quot;OU&quot;: &quot;certificate subject org unit&quot;}}}" />]]></Data>
  </Item>
</Replace>

Remove Settings

<Delete>
  <CmdID>1cb70b36-54fa-4601-bdd1-181ae1715843</CmdID>
  <Item>
    <Target>
      <LocURI>./Device/Vendor/MSFT/Policy/Config/chrome~Policy~googlechrome~ContentSettings/AutoSelectCertificateForUrls</LocURI>
    </Target>
  </Item>
</Delete>

Firefox

Firefox is known for having its own certificate store. Since Firefox 75, however, it can use the OS certificate store for client certificates when security.osclientcerts.autoload is set to true. Unlike the Chromium browsers, Firefox has no policy to tie a specific certificate to a specific website, so the best we can do is make the OS certificates available to it. Firefox also ships an ADMX; the preference is pushed through its Preferences policy, which takes a JSON object where each key is a preference name with a Value and a Status (locked here, so the user cannot change it back).

JSON Example

{
  "security.osclientcerts.autoload": {
    "Value": true,
    "Status": "locked"
  }
}

Install Settings

<Replace>
  <CmdID>bc26a780-5fa9-4d5f-9128-fe3924d1ffcd</CmdID>
  <Item>
    <Meta>
      <Format xmlns="syncml:metinf">chr</Format>
      <Type>text/plain</Type>
    </Meta>
    <Target>
      <LocURI>./Device/Vendor/MSFT/Policy/Config/firefox~Policy~firefox/Preferences</LocURI>
    </Target>
    <Data><![CDATA[<enabled/><data id="JSON" value="{&quot;security.osclientcerts.autoload&quot;:{&quot;Value&quot;:true,&quot;Status&quot;:&quot;locked&quot;}}" />]]></Data>
  </Item>
</Replace>

Remove Settings

<Delete>
  <CmdID>35c294f8-a6d7-418e-b732-8607dc332da8</CmdID>
  <Item>
    <Target>
      <LocURI>./Device/Vendor/MSFT/Policy/Config/firefox~Policy~firefox/Preferences</LocURI>
    </Target>
  </Item>
</Delete>
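Hand-escaping a payload for each browser is error prone, so here is an added example (not code from the article) that builds the Edge, Chrome and Firefox Replace blocks above from plain Python dictionaries and decodes the list payload again to prove the JSON survives the escaping. It uses the LocURIs from this article; the rule contents, CA names, hostnames and CmdIDs are constructed for the example, and it assumes the ADMX-backed list format of index and value separated by U+F000 (&#xF000;) with quotes escaped as &quot;.

```python
"""Build the ADMX-backed Policy CSP payloads for the browser policies above
and decode the list payload again to check the JSON survives the escaping.
Added example: hosts, CA names and rule contents are constructed."""
import json
import uuid
import xml.etree.ElementTree as ET
from html import escape

# ADMX-backed list policies separate each entry's index from its value, and
# the entries from each other, with U+F000; in XML it is written as &#xF000;.
SEP = "\uf000"
SEP_REF = "&#xF000;"

# LocURIs as used in the article.
LOC_URI = {
    "edge": "./Device/Vendor/MSFT/Policy/Config/edge~Policy~microsoft_edge~ContentSettings/AutoSelectCertificateForUrls",
    "chrome": "./Device/Vendor/MSFT/Policy/Config/chrome~Policy~googlechrome~ContentSettings/AutoSelectCertificateForUrls",
    "firefox": "./Device/Vendor/MSFT/Policy/Config/firefox~Policy~firefox/Preferences",
}

# Constructed rules (hypothetical hosts and CA names).
CERT_RULES = [
    {"pattern": "https://sso.example.com",
     "filter": {"ISSUER": {"CN": "Example Issuing CA", "O": "Example Corp"},
                "SUBJECT": {"OU": "Employees"}}},
    {"pattern": "https://[*.]partner.example",
     "filter": {"ISSUER": {"CN": "Partner CA"}}},
]
FIREFOX_PREFS = {"security.osclientcerts.autoload": {"Value": True, "Status": "locked"}}


def compact_json(obj) -> str:
    """One line, no padding: the registry value is a single string."""
    return json.dumps(obj, separators=(",", ":"))


def list_policy(data_id: str, values: list) -> str:
    """<enabled/><data .../> for an ADMX list element. Each value is escaped
    (" -> &quot;, & -> &amp;, < and >) so the payload stays well-formed XML."""
    entries = [f"{i}{SEP_REF}{escape(v, quote=True)}" for i, v in enumerate(values, start=1)]
    return f'<enabled/><data id="{data_id}" value="{SEP_REF.join(entries)}"/>'


def text_policy(data_id: str, text: str) -> str:
    """<enabled/><data .../> for a single text element such as Firefox's JSON."""
    return f'<enabled/><data id="{data_id}" value="{escape(text, quote=True)}"/>'


def decode_list_policy(policy_xml: str) -> dict:
    """Parse the payload back (the XML parser undoes the escaping) and return
    {index: value}. An odd number of parts means a separator was lost."""
    value = ET.fromstring(f"<r>{policy_xml}</r>").find("data").get("value")
    parts = value.split(SEP)
    if len(parts) % 2:
        raise ValueError("index/value pairs are unbalanced")
    return {int(parts[i]): parts[i + 1] for i in range(0, len(parts), 2)}


def syncml_replace(loc_uri: str, policy_xml: str, cmd_id: str = None) -> str:
    """Wrap the policy in the <Replace> block used by Workspace ONE UEM."""
    if "]]>" in policy_xml:
        raise ValueError("payload would terminate the CDATA section early")
    return (
        "<Replace>\n"
        f"  <CmdID>{cmd_id or uuid.uuid4()}</CmdID>\n"
        "  <Item>\n"
        "    <Meta>\n"
        '      <Format xmlns="syncml:metinf">chr</Format>\n'
        "      <Type>text/plain</Type>\n"
        "    </Meta>\n"
        f"    <Target><LocURI>{loc_uri}</LocURI></Target>\n"
        f"    <Data><![CDATA[{policy_xml}]]></Data>\n"
        "  </Item>\n"
        "</Replace>"
    )


def browser_payloads(rules=CERT_RULES, prefs=FIREFOX_PREFS) -> dict:
    """Replace blocks for the three browsers, keyed by browser name."""
    cert_policy = list_policy("AutoSelectCertificateForUrlsDesc", [compact_json(r) for r in rules])
    return {
        "edge": syncml_replace(LOC_URI["edge"], cert_policy),
        "chrome": syncml_replace(LOC_URI["chrome"], cert_policy),
        "firefox": syncml_replace(LOC_URI["firefox"], text_policy("JSON", compact_json(prefs))),
    }


def roundtrip_rules(rules=CERT_RULES) -> list:
    """Encode, decode and return the rules as the browser will read them."""
    decoded = decode_list_policy(list_policy("AutoSelectCertificateForUrlsDesc", [compact_json(r) for r in rules]))
    return [json.loads(decoded[i]) for i in sorted(decoded)]


if __name__ == "__main__":
    for browser, block in browser_payloads().items():
        print(f"# {browser}\n{block}\n")
```

Paste the printed block into a Workspace ONE UEM custom settings profile. After the device syncs, the decoded JSON should appear under the policy's registry key (for Edge, SOFTWARE\Policies\Microsoft\Edge\AutoSelectCertificateForUrls, one string value per index) and the rule should be listed without errors on edge://policy or chrome://policy.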

Other browsers

If you are using other browsers, let me know in the comments and I will try to add them to the article.

Written by

vExpert, blogger and VMware champion. Worked as a Microsoft consultant for a partner before joining VMware via Airwatch in 2015.
