1. Home
    2. Cloud Identity
    3. Cloud Identity Engine Getting Started
    4. Authenticate Users with the Cloud Identity Engine
    5. Configure a Client Certificate

    Configure a Client Certificate

    To use a client certificate to authenticate users, configure a certificate authority (CA) and client certificate.
    1. Configure a Certificate Authority (CA) chain to authenticate users.
      Upload the CA chain, including the root certificate and any intermediate certificates, that issues the client certificate. The Cloud Identity Engine supports multiple intermediate certificates but does not support sibling intermediate certificates in a single CA chain.
      1. In the Cloud Identity Engine app, select
        Authentication
        CA Chains
        Add CA Chain
        .
      2. Enter the necessary information for the CA chain profile.
        • CA Name
          —Enter a unique name to identify the CA chain in the Cloud Identity Engine instance.
        • CA Chain
          Click to Upload
           your CA certificate then
          Open
           the certificate to select it.
          The file must end in the
          .crt
           or
          .pem
           file extension.
        • CRL Endpoint
          —(Optional but recommended) Specify the URL for the certificate revocation list (CRL) list that you want the Cloud Identity Engine to use to validate the client certificate.
        If you configure CA chain for an authentication profile, you can
        Fetch CRL
         to refresh the list of revoked certificates to ensure the Cloud Identity Engine uses the latest version of the list to check the certificate’s validity.
      3. Submit
         the changes to complete the configuration.
    2. In the Cloud Identity Engine app, select
      Authentication
      Authentication Types
      Add New
      .
    3. Select
      Client Certificate
      Set Up
      .
    4. Enter a unique
      Authentication Type Name
       for the client certificate.
    5. Select the
      Username Field
       that you want the Cloud Identity Engine to use to authenticate users.
      Select the
      Username Field
       based on the attribute type of the client certificate that you want to use to authenticate the user; for example, if the username is defined in the client certificate using
      Subject
      , select
      Subject
      .
    6. Configure the
      Username Attribute
       based on the previous step and the attribute that your client certificate uses to authenticate users.
      • If the Username Field is
        Subject
        , the Username Attribute is
        CN
        .
      • If the Username Field is
        Subject Alt Name
        , select
        Email
         or
        User Principal Name
         based on the attribute that your client certificate specifies.
    7. Add
       one or more
      CA Chains
       to authenticate users.
    8. Click
      Select CA Chain
      , select the CA chain you previously configured, and
      Add
       it to the configuration.
      The Cloud Identity Engine supports grouping multiple CA chains in a certificate type to authenticate client certificates issued by multiple CA chains.
    9. Submit
       your changes to configure the authentication type.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo