Set Up a Client Certificate

Table of Contents

Set Up a Client Certificate

Where Can I Use This?	What Do I Need?
NGFW Prisma Access	The Cloud Identity Engine service is free; however, the enforcement points utilizing directory data may require specific licenses. Click here for more information.

Client certificate authentication leverages your organization’s Public Key Infrastructure (PKI) to verify user identities using digital certificates installed on their devices. Instead of, or in addition to, standard login credentials, the Cloud Identity Engine validates the certificate presented by the client against a configured Certificate Authority (CA) chain.

To implement this, you upload your root and intermediate CA certificates to the Cloud Identity Engine to establish a chain of trust. You then define how the engine identifies the user by specifying which field in the certificate—such as the Subject Common Name (CN) or a Subject Alternative Name (SAN) like an email or User Principal Name—maps to the username. This method provides a seamless, high-security authentication option that can be deployed as a primary verification method or combined with SAML 2.0 identity providers for robust multi-authentication policies.

To use a client certificate to authenticate users, configure a certificate authority (CA) and client certificate.

Configure a Certificate Authority (CA) chain to authenticate users.
Upload the CA chain, including the root certificate and any intermediate certificates, that issues the client certificate. The Cloud Identity Engine supports multiple intermediate certificates but does not support sibling intermediate certificates in a single CA chain.
1. In the Cloud Identity Engine app, select AuthenticationCA ChainsAdd CA Chain.
2. Enter the necessary information for the CA chain profile.
  CA Name—Enter a unique name to identify the CA chain in the Cloud Identity Engine tenant.
  Upload Certificate—Drag and drop file(s) here or Browse files to your CA certificate then Open the certificate to select it.
  
  The file must end in the .crt or .pem file extension.
  
  Certificate Revocation List Endpoint (Optional)—(Optional but recommended) Specify the URL for the certificate revocation list (CRL) list that you want the Cloud Identity Engine to use to validate the client certificate.
3. Submit the changes to complete the configuration.
In the Cloud Identity Engine app, select AuthenticationAuthentication TypesAdd New Authentication Type.
Select Client CertificateSet Up.
Enter a unique Authentication Type Name for the client certificate.
Select the Username Field that you want the Cloud Identity Engine to use to authenticate users.

Select the Username Field based on the attribute type of the client certificate that you want to use to authenticate the user; for example, if the username is defined in the client certificate using Subject, select Subject.
Configure the Username Attribute based on the previous step and the attribute that your client certificate uses to authenticate users.
- If the Username Field is Subject, the Username Attribute is CN.
- If the Username Field is Subject Alt Name, select Email or User Principal Name based on the attribute that your client certificate specifies.
Click Add CA Chain to add one or more CA chains to authenticate users.
Enter a search term in the Search CA Chain field or select a CA chain you previously configured and Add it to the configuration.
The Cloud Identity Engine supports grouping multiple CA chains in a certificate type to authenticate client certificates issued by multiple CA chains.
Submit your changes to configure the authentication type.