Configure a Client Certificate

To use a client certificate to authenticate users, configure a certificate authority (CA) and client certificate.
  1. Configure a Certificate Authority (CA) chain to authenticate users.
    Upload the CA chain, including the root certificate and any intermediate certificates, that issues the client certificate. The Cloud Identity Engine supports multiple intermediate certificates but does not support sibling intermediate certificates in a single CA chain.
    1. In the Cloud Identity Engine app, select Authentication > CA Chains > Add CA Chain.
    2. Enter the necessary information for the CA chain profile.
      • CA Name—Enter a unique name to identify the CA chain in the Cloud Identity Engine instance.
      • CA Chain—Click to Upload your CA certificate, then Open the certificate to select it. The file must end in the .crt or .pem file extension.
      • CRL Endpoint—(Optional but recommended) Specify the URL of the certificate revocation list (CRL) that you want the Cloud Identity Engine to use to validate the client certificate.
      If you configure a CA chain for an authentication profile, you can Fetch CRL to refresh the list of revoked certificates, which ensures that the Cloud Identity Engine uses the latest version of the list to check the certificate's validity.
    3. Submit the changes to complete the configuration.
  2. In the Cloud Identity Engine app, select Authentication > Authentication Types > Add New.
  3. Select Client Certificate and Set Up.
  4. Enter a unique Authentication Type Name for the client certificate.
  5. Select the Username Field that you want the Cloud Identity Engine to use to authenticate users.
    Select the Username Field based on the attribute type of the client certificate that you want to use to authenticate the user; for example, if the username is defined in the client certificate using Subject, select Subject.
  6. Configure the Username Attribute based on the previous step and the attribute that your client certificate uses to authenticate users.
    • If the Username Field is Subject, the Username Attribute is CN.
    • If the Username Field is Subject Alt Name, select Email or User Principal Name based on the attribute that your client certificate specifies.
  7. Add one or more CA Chains to authenticate users.
  8. Click Select CA Chain, select the CA chain you previously configured, and Add it to the configuration.
    The Cloud Identity Engine supports grouping multiple CA chains in a certificate type to authenticate client certificates issued by multiple CA chains.
  9. Submit your changes to configure the authentication type.
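The Go program below is an added example; it is not Palo Alto Networks code and is not part of the Cloud Identity Engine. It builds a root CA, an issuing (intermediate) CA and a client certificate in memory (every name and address in it, such as Example Root CA and alice@corp.example, is a constructed fixture) and then exercises the two decisions the procedure above configures: validation of the client certificate against an uploaded CA chain, which fails when the intermediate certificate is left out of the upload, and username extraction for each Username Field / Username Attribute pair (Subject/CN, Subject Alt Name/Email, Subject Alt Name/User Principal Name). The SAN extension OID and the Microsoft UPN otherName OID are published values; all function names are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Published OIDs: id-ce-subjectAltName and the Microsoft User Principal Name otherName type.
var oidSAN, oidUPN = asn1.ObjectIdentifier{2, 5, 29, 17}, asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 3}

// otherName is the SAN OtherName SEQUENCE; Value holds the [0] EXPLICIT wrapper around the UPN string.
type otherName struct {
	TypeID asn1.ObjectIdentifier
	Value  asn1.RawValue
}

// sanExtension hand-encodes a SAN with an rfc822Name and a UPN otherName (x509 templates cannot emit otherName).
// The Marshal calls cannot fail for these fixed inputs, so their errors are dropped.
func sanExtension(email, upn string) pkix.Extension {
	upnStr, _ := asn1.MarshalWithParams(upn, "utf8")
	on, _ := asn1.MarshalWithParams(otherName{oidUPN, asn1.RawValue{
		Class: asn1.ClassContextSpecific, Tag: 0, IsCompound: true, Bytes: upnStr}}, "tag:0")
	names, _ := asn1.Marshal([]asn1.RawValue{{FullBytes: on},
		{Class: asn1.ClassContextSpecific, Tag: 1, Bytes: []byte(email)}})
	return pkix.Extension{Id: oidSAN, Value: names}
}

// newCert signs tmpl with parent (self-signed when parent is nil) and returns the parsed certificate.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil { parent, parentKey = tmpl, key }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) } // constructed fixtures only; a real issuer would return the error
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// buildChain constructs the test PKI (constructed data): Example Root CA -> Example Issuing CA -> alice.
func buildChain() (root, inter, leaf *x509.Certificate) {
	tmpl := func(cn string, serial int64, usage x509.KeyUsage) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
			IsCA: usage&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true, KeyUsage: usage}
	}
	caUsage := x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	root, rootKey := newCert(tmpl("Example Root CA", 1, caUsage), nil, nil)
	inter, interKey := newCert(tmpl("Example Issuing CA", 2, caUsage), root, rootKey)
	t := tmpl("alice", 3, x509.KeyUsageDigitalSignature)
	t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	t.ExtraExtensions = []pkix.Extension{sanExtension("alice@example.com", "alice@corp.example")}
	leaf, _ = newCert(t, inter, interKey)
	return root, inter, leaf
}

// verifyClientCert validates leaf against the uploaded CA chain (root plus intermediates); client-auth EKU required.
func verifyClientCert(leaf, root *x509.Certificate, intermediates ...*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates { inters.AddCert(c) }
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// usernameFrom applies a Username Field / Username Attribute pair from the procedure to a verified certificate.
func usernameFrom(cert *x509.Certificate, field, attr string) (string, error) {
	switch field + "/" + attr {
	case "Subject/CN":
		return cert.Subject.CommonName, nil
	case "Subject Alt Name/Email":
		if len(cert.EmailAddresses) > 0 { return cert.EmailAddresses[0], nil }
	case "Subject Alt Name/User Principal Name":
		return upnFromSAN(cert)
	}
	return "", fmt.Errorf("no %s/%s value in certificate", field, attr)
}

// upnFromSAN walks the raw SAN extension for the UPN otherName, which crypto/x509 does not surface.
func upnFromSAN(cert *x509.Certificate) (string, error) {
	for _, ext := range cert.Extensions {
		var names []asn1.RawValue
		if !ext.Id.Equal(oidSAN) { continue }
		if _, err := asn1.Unmarshal(ext.Value, &names); err != nil { return "", err }
		for _, n := range names { // only GeneralName [0] (otherName) entries unmarshal with "tag:0"
			var on otherName
			if _, err := asn1.UnmarshalWithParams(n.FullBytes, &on, "tag:0"); err == nil && on.TypeID.Equal(oidUPN) {
				var upn string
				_, err = asn1.Unmarshal(on.Value.Bytes, &upn)
				return upn, err
			}
		}
	}
	return "", fmt.Errorf("no UPN otherName in SAN")
}

func main() {
	root, inter, leaf := buildChain()
	fmt.Println("full chain:", verifyClientCert(leaf, root, inter), "| root only:", verifyClientCert(leaf, root))
	fmt.Println(usernameFrom(leaf, "Subject Alt Name", "User Principal Name"))
}
```

Run it with go run: the first line prints a nil error for the complete chain and a verification error when only the root is supplied, which is the failure you get when an intermediate certificate is missing from the uploaded CA chain. Note that crypto/x509 chain verification does no revocation checking, so the CRL Endpoint from step 1 covers a check this example does not replicate.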
