Configure a Client Certificate
To use a client certificate to authenticate users, configure a certificate authority (CA) chain and a client certificate authentication type.
- Configure a Certificate Authority (CA) chain to authenticate users. Upload the CA chain, including the root certificate and any intermediate certificates, that issues the client certificate. The Cloud Identity Engine supports multiple intermediate certificates but does not support sibling intermediate certificates in a single CA chain.
  - In the Cloud Identity Engine app, select Authentication > CA Chains > Add CA Chain.
  - Enter the necessary information for the CA chain profile.
    - CA Name—Enter a unique name to identify the CA chain in the Cloud Identity Engine tenant.
    - Upload Certificate—Drag and drop file(s) here, or Browse files to your CA certificate and then Open the certificate to select it. The file must end in the .crt or .pem file extension.
    - Certificate Revocation List Endpoint (Optional)—Optional but recommended. Specify the URL of the certificate revocation list (CRL) that you want the Cloud Identity Engine to use to validate the client certificate.
  - Submit the changes to complete the configuration.
- In the Cloud Identity Engine app, select Authentication > Authentication Types > Add New Authentication Type.
- Select Client Certificate > Set Up.
- Enter a unique Authentication Type Name for the client certificate.
- Select the Username Field that you want the Cloud Identity Engine to use to authenticate users. Choose the Username Field based on the attribute type of the client certificate that you want to use to authenticate the user; for example, if the username is defined in the client certificate using Subject, select Subject.
- Configure the Username Attribute based on the previous step and the attribute that your client certificate uses to authenticate users.
  - If the Username Field is Subject, the Username Attribute is CN.
  - If the Username Field is Subject Alt Name, select Email or User Principal Name based on the attribute that your client certificate specifies.
- Click Add CA Chain to add one or more CA chains to authenticate users.
- Enter a search term in the Search CA Chain field, or select a CA chain you previously configured, and Add it to the configuration. The Cloud Identity Engine supports grouping multiple CA chains in a certificate type to authenticate client certificates issued by multiple CA chains.
- Submit your changes to configure the authentication type.
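The checks that the CA chain profile, its CRL endpoint, and the Username Field / Username Attribute settings above ask for, written out as an added Go example. This is not Palo Alto Networks code and not a description of how the Cloud Identity Engine is implemented; it only uses Go's standard crypto/x509 package. It builds a constructed root, intermediate, one valid client certificate and one revoked client certificate in memory, then verifies that a presented certificate chains to the root through the intermediate for client authentication, is absent from a CRL that its issuing CA signed and that is still within its validity window, and yields a username from Subject CN or the SAN Email. All names, serial numbers and e-mail addresses are made up; the SAN User Principal Name is an otherName that Go's standard parser does not decode, so the example reports that attribute as unsupported rather than guessing at it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type Chain struct { // one CA chain profile: the uploaded root and intermediates, plus the DER CRL from its endpoint
	Root          *x509.Certificate
	Intermediates []*x509.Certificate
	CRL           []byte
}

// Authenticate runs the checks the procedure configures, in order: chain to Root through Intermediates for
// client auth, absence from a current CRL signed by the certificate's own issuing CA, then username selection.
func (c Chain) Authenticate(client *x509.Certificate, field, attr string) (string, error) {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.Root)
	for _, ic := range c.Intermediates {
		inter.AddCert(ic)
	}
	chains, err := client.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil { // unknown authority (e.g. intermediate not uploaded), expired, or wrong EKU
		return "", err
	}
	crl, err := x509.ParseRevocationList(c.CRL)
	if err == nil {
		err = crl.CheckSignatureFrom(chains[0][1]) // chains[0][1] is the verified issuing CA
	}
	if err != nil || time.Now().After(crl.NextUpdate) { // a stale CRL proves nothing; fail closed
		return "", fmt.Errorf("CRL unusable (unparsable, not signed by issuer, or expired): %v", err)
	}
	for _, rc := range crl.RevokedCertificates { // pre-Go-1.21 field name, still populated by the parser
		if rc.SerialNumber.Cmp(client.SerialNumber) == 0 {
			return "", fmt.Errorf("serial %s is revoked", client.SerialNumber)
		}
	}
	switch { // SAN User Principal Name is an otherName that crypto/x509 does not decode, so it is unsupported here
	case field == "Subject" && attr == "CN" && client.Subject.CommonName != "":
		return client.Subject.CommonName, nil
	case field == "Subject Alt Name" && attr == "Email" && len(client.EmailAddresses) > 0:
		return client.EmailAddresses[0], nil
	}
	return "", fmt.Errorf("no usable %s/%s value in certificate", field, attr)
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// tmpl is a CA template (CertSign+CRLSign, so it can issue certificates and its CRL) or a client-auth leaf.
func tmpl(cn, email string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign
	} else { // the SAN rfc822Name is the page's "Email" attribute
		t.EmailAddresses, t.KeyUsage = []string{email}, x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	return t
}

// issue signs t with parentKey, or self-signs it when parent is nil.
func issue(t, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// Fixture builds constructed in-memory material: root -> intermediate -> alice (valid) and bob (revoked).
func Fixture() (Chain, *x509.Certificate, *x509.Certificate) {
	root, rootKey := issue(tmpl("Example Root CA", "", 1, true), nil, nil)
	inter, interKey := issue(tmpl("Example Issuing CA", "", 2, true), root, rootKey)
	alice, _ := issue(tmpl("alice", "alice@example.com", 100, false), inter, interKey)
	bob, _ := issue(tmpl("bob", "bob@example.com", 101, false), inter, interKey)
	crl := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: bob.SerialNumber, RevocationTime: time.Now()}},
	}, inter, interKey))
	return Chain{Root: root, Intermediates: []*x509.Certificate{inter}, CRL: crl}, alice, bob
}

func main() {
	chain, alice, _ := Fixture()
	fmt.Println(chain.Authenticate(alice, "Subject", "CN"))
}
```

Two design choices are worth noting. Leaving the intermediate out of Chain.Intermediates makes Verify fail with an unknown-authority error, which is what an upload containing only the root certificate looks like from the verifier's side; the procedure's instruction to upload the full chain exists for exactly this check. The CRL branch also fails closed: an unparsable CRL, one not signed by the issuing CA, or one past its NextUpdate rejects the login rather than being treated as "nothing revoked". The product makes the CRL endpoint optional, so an implementation without one would skip that branch; this example assumes one is configured, as the procedure recommends.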