Configuring a PKI Authentication Server
You can set up a certificate server so that a user authenticates using a client certificate on his or her device.
Digital certificate authentication can be used alone or in conjunction with another authentication method, such
as RADIUS. (If you set up chained authentication and a digital certificate is one of the methods you use, it must
be the first method; for more information, see Configuring Chained Authentication.)
Affinity servers should be used only for authentication servers that do not include full group search
capabilities, such as RADIUS, RSA, and PKI servers.
If both CRL and OCSP are enabled for a CA certificate, only OCSP is used.
Fallback from CRL to OCSP or OCSP to CRL is not supported.
To configure a PKI authentication server
- In the AMC, navigate to System Configuration > Authentication Servers.
- Under Authentication directory, click Public key infrastructure (PKI).
  Digital certificate is automatically selected as the Credential type (this is the only possible value).
  The Edit Authentication Server page displays.
- In the Name field, type a name for the authentication server.
- Under Trusted CA certificates, optionally select the Trust intermediate CAs without verifying the entire
chain checkbox. This allows a set of trusted intermediate signing authority certificates to be deployed in
various sectors of the network (often by department or organizational unit). For more information, see About Intermediate Certificates.
- On the left is a list of All CA certificates used by the appliance. Specify one or more root certificates for
establishing a trust relationship with the client device by selecting the checkbox to the left of a certificate
and then clicking the >> button (a root certificate is one where the Subject and Issuer are the same). A
client’s certificate will be trusted if it matches a root certificate listed in the Trusted CA certificates list.
- Under Advanced, in the Username attribute field, type the attribute used for single sign-on (for example,
- To use an OCSP responder to determine client certificate status, select the Use OCSP to verify client
certificates checkbox. If selected, a user may use any access method (ExtraWeb or Connect Tunnel) to
authenticate to a realm that uses this PKI authentication method.
  Select one of the following options for Use this OCSP responder:
  - System default – A manually configured OCSP responder has priority. The configured OCSP
    responder URL is shown here if one has been configured. You can configure it by clicking the here link,
    which takes you to the OCSP page available from SSL Settings.
  - User certificate’s AIA extension – The user certificate is parsed to extract the URL of the OCSP
    responder. The Authority Information Access (AIA) certificate extension contains URL locations
    that provide the issuing CA’s certificate. The AIA extension can contain HTTP, FTP, LDAP, or FILE
  - CA certificate’s AIA extension – The CA certificate is parsed to extract the URL of the OCSP
- Select the Allow certificate if responder is unavailable checkbox if the authentication should succeed in
cases where an error occurs, an unknown status is returned, or the OCSP responder is not available.
- Select the Trust signing certificates in response checkbox to trust certificates in the OCSP response. This
  is enabled by default.
You must import the OCSP response signing certificate for the CA certificate being used and enable OCSP
response verification when importing it. The OCSP response signing certificate can be copied from the
OCSP responder or server to a local management machine and then imported from the SSL Settings page
while you are logged in to AMC.
- Select the Send nonce in request and Require nonce in response checkboxes to guard against replay attacks,
  in which a previously captured successful response is replayed to the OCSP client after the subject
  certificate has been revoked.
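The Trusted CA certificates check and the AIA-based responder lookup described above, as an added Go example that is not part of the original article or the appliance's code: it builds a constructed root CA and client certificate, verifies that the client chains to a certificate in the trusted list, and reads the OCSP responder URL that the standard library parses out of the certificate's AIA extension (Certificate.OCSPServer). The CA name, the user name and the responder host ocsp.example.test are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs tmpl with the parent's key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}
// Fixtures builds a constructed root CA (Subject == Issuer) and a client cert it issued; names and OCSP URL are assumptions.
func Fixtures() (root, client *x509.Certificate) {
	rootPub, rootKey, err := ed25519.GenerateKey(rand.Reader)
	clientPub, _, err2 := ed25519.GenerateKey(rand.Reader)
	if err != nil || err2 != nil {
		panic("key generation failed")
	}
	now := time.Now()
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	root = issue(rootTmpl, rootTmpl, rootPub, rootKey)
	clientTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "alice@example.test"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		OCSPServer: []string{"http://ocsp.example.test/"}} // written into the AIA extension as id-ad-ocsp
	return root, issue(clientTmpl, root, clientPub, rootKey)
}
// TrustedByCAList: accept the client only if it chains to a certificate in the Trusted CA certificates list.
func TrustedByCAList(client *x509.Certificate, trusted []*x509.Certificate) bool {
	pool := x509.NewCertPool() // an empty (non-nil) pool trusts nothing; a nil Roots would mean the system roots
	for _, ca := range trusted {
		pool.AddCert(ca)
	}
	_, err := client.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}
```

Because Go's verifier accepts any certificate in the Roots pool as a trust anchor, placing a trusted intermediate CA in the list instead of its root behaves like the Trust intermediate CAs without verifying the entire chain option.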