To use client certificates to authenticate users, first configure a certificate authority (CA) chain and then a client certificate authentication type that references it.

Configure a Certificate Authority (CA) chain to authenticate users.

Upload the CA chain that issues the client certificates, including the root certificate and any intermediate certificates. The Cloud Identity Engine supports multiple intermediate certificates in a chain, but the chain must be linear: it does not support sibling intermediate certificates (two intermediates issued by the same parent CA) in a single CA chain. If your PKI branches, upload each branch as its own CA chain and add all of them to the authentication type.
In the Cloud Identity Engine app, select Authentication > CA Chains > Add CA Chain.
Enter the necessary information for the CA chain profile.

CA Name: Enter a unique name that identifies the CA chain in the Cloud Identity Engine instance.

CA Chain: Click to Upload your CA certificate chain, then Open the certificate file to select it. The file must have a .crt or .pem extension and must contain the root certificate and every intermediate certificate that issues the client certificates.

CRL Endpoint: (Optional but recommended) Specify the URL of the certificate revocation list (CRL) that the Cloud Identity Engine uses to validate client certificates. Without a CRL, a certificate remains valid until it expires even after the CA has revoked it, so a lost or compromised client certificate can still authenticate. After you reference the CA chain from an authentication profile, you can Fetch CRL to refresh the list of revoked certificates so that the Cloud Identity Engine checks certificate validity against the latest version of the list.

Submit the changes to complete the configuration.
In the Cloud Identity Engine app, select Authentication > Authentication Types > Add New.

Select Client Certificate, then Set Up.
Enter a unique Authentication Type Name for the client certificate authentication type.
Select the Username Field that you want the Cloud Identity Engine to read the username from. Choose it based on where the client certificate carries the username: for example, if the username is defined in the certificate's Subject, select Subject; if it is carried in a Subject Alternative Name (SAN) entry, select Subject Alt Name.

Configure the Username Attribute to match the Username Field you selected and the attribute that your client certificates actually use to identify the user:

If the Username Field is Subject, the Username Attribute is CN (the common name).

If the Username Field is Subject Alt Name, select Email or User Principal Name, depending on which SAN entry your client certificates carry.

Check a certificate issued by your CA before you choose: a certificate whose username lives only in the SAN User Principal Name will not authenticate if the authentication type reads the Subject CN.
Add one or more CA Chains to authenticate users. Click Select CA Chain, select the CA chain you previously configured, and Add it to the configuration. The Cloud Identity Engine supports grouping multiple CA chains in a single client certificate authentication type, so one authentication type can accept client certificates issued by any of those chains.
Submit your changes to configure the authentication type.
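The following is an added example and is not part of the Palo Alto Networks documentation or of the Cloud Identity Engine: a POSIX shell script that uses openssl to rehearse the procedure above offline. It builds a root CA, an intermediate, and a client certificate (the names Demo Root CA, Demo Issuing CA, alice, and example.com are constructed for the demo), assembles the root-plus-intermediate .pem file you would upload as the CA Chain, verifies that the client certificate chains to it, prints the value each Username Field / Username Attribute pairing (Subject / CN, Subject Alt Name / Email, Subject Alt Name / User Principal Name) would yield, and then revokes the certificate and publishes a CRL to show why a CRL Endpoint matters.

```shell
#!/bin/sh
# Added example, not Palo Alto Networks tooling: rehearse the Cloud Identity Engine
# client-certificate setup with openssl before touching the UI. Builds root ->
# intermediate -> client, assembles the .pem to upload as the CA Chain, verifies the
# client certificate against it, prints the Username Attribute candidates, then
# revokes the certificate and publishes a CRL to show what a CRL Endpoint buys you.
# "Demo Root CA", "Demo Issuing CA", "alice" and example.com are constructed names.

# Build a throwaway PKI in a fresh temp directory; sets $LAB for the other functions.
build_lab() {
  LAB=$(mktemp -d) || return 1
  (
    cd "$LAB" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
    # Client certificate: username in the Subject CN and in both SAN forms the CIE
    # can read (rfc822Name e-mail and the Microsoft UPN otherName 1.3.6.1.4.1.311.20.2.3).
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' > client.ext
    printf 'subjectAltName=email:alice@example.com,otherName:1.3.6.1.4.1.311.20.2.3;UTF8:alice@example.com\n' >> client.ext
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" -keyout root.key -out root.csr 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile root.ext -out root.crt 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Issuing CA" -keyout int.key -out int.csr 2>/dev/null
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial -days 30 -extfile int.ext -out int.crt 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/O=Example Corp/CN=alice" -keyout client.key -out client.csr 2>/dev/null
    openssl x509 -req -in client.csr -CA int.crt -CAkey int.key -CAcreateserial -days 30 -extfile client.ext -out client.crt 2>/dev/null
    # The CA Chain file to upload: every intermediate plus the root, PEM, in one file.
    cat int.crt root.crt > chain.pem
    # Minimal "openssl ca" database so the issuing CA can publish a CRL.
    : > index.txt
    echo 01 > crlnumber
    cat > ca.cnf <<EOF
[ ca ]
default_ca = issuing
[ issuing ]
database = $LAB/index.txt
crlnumber = $LAB/crlnumber
certificate = $LAB/int.crt
private_key = $LAB/int.key
default_md = sha256
default_crl_days = 7
EOF
    openssl ca -config ca.cnf -gencrl -out int.crl 2>/dev/null
  )
}

# Sanity check on the file before upload: a PEM bundle carries one BEGIN line per
# certificate, so the count must equal root + intermediates (a DER file gives 0).
count_chain_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# 0 if the certificate chains to the uploaded CA chain, non-zero otherwise.
verify_client() { openssl verify -CAfile "$LAB/chain.pem" "$1" >/dev/null 2>&1; }

# Same, but also consult the issuing CA's CRL, as the CRL Endpoint setting does.
verify_client_with_crl() {
  openssl verify -crl_check -CAfile "$LAB/chain.pem" -CRLfile "$LAB/int.crl" "$1" >/dev/null 2>&1
}

# Print the username a given Username Field / Username Attribute pairing yields:
# Subject -> CN, Subject Alt Name -> Email or UPN (User Principal Name).
username_from_cert() {
  case "$2" in
    Subject) openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p' ;;
    Email)   openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | grep -o 'email:[^, ]*' | cut -d: -f2 ;;
    # OpenSSL 3 decodes the UPN otherName in -text output; 1.1.1 prints <unsupported>.
    UPN)     openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | grep -o 'UPN::[^, ]*' | cut -d: -f3 ;;
    *)       echo "unknown Username Field: $2" >&2; return 1 ;;
  esac
}

# Revoke the client certificate at the issuing CA and publish a fresh CRL.
revoke_client() {
  ( cd "$LAB" && openssl ca -config ca.cnf -revoke client.crt 2>/dev/null \
      && openssl ca -config ca.cnf -gencrl -out int.crl 2>/dev/null )
}

main() {
  build_lab || { echo "lab setup failed" >&2; return 1; }
  echo "lab directory: $LAB"
  echo "certificates in chain.pem: $(count_chain_certs "$LAB/chain.pem")"
  verify_client "$LAB/client.crt" && echo "client.crt chains to chain.pem"
  echo "Subject / CN             -> $(username_from_cert "$LAB/client.crt" Subject)"
  echo "Subject Alt Name / Email -> $(username_from_cert "$LAB/client.crt" Email)"
  echo "Subject Alt Name / UPN   -> $(username_from_cert "$LAB/client.crt" UPN)"
  revoke_client
  if verify_client_with_crl "$LAB/client.crt"; then
    echo "client.crt still accepted: CRL not consulted"
  else
    echo "client.crt rejected once the CRL is consulted"
  fi
}

main
```

Run it with sh; it leaves the generated files in the temporary directory it prints, so you can inspect chain.pem and int.crl afterwards. The UPN line is blank on OpenSSL 1.1.1, which does not decode the Microsoft UPN otherName in its text output; OpenSSL 3 prints it. Before committing to a Username Field in the authentication type, run username_from_cert against a certificate actually issued by your CA to confirm which field carries the identifier you expect, and note that the client certificate is only refused once the CRL is consulted, which is exactly what the CRL Endpoint setting provides.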