How to configure X.509 certificate authentication with CA Single Sign-on web agent on IIS web server

Document ID : KB000009643
Last Modified Date : 14/02/2018
Show Technical Document Details

How to configure X.509 cert authentication with CA Single-On Web Agent on IIS web server

Policy Server : R12.52 SP1 and aboveUser Store : ANY LDAPWeb Server : IIS 7.5


You have already obtained following three required certificates in .pfx format:

  • Trusted CA root certificate.(let's call it rootCA.pfx)
  • Server Certificate from a trusted CA.(let's call it server.pfx)
  • Client Certificate from a trusted CA.(let's call it client.p12/pfx)


Changes on the IIS Web Server

1. Open mmc console, add the certificate for the Local Computer


2. Import the CA root certificate to Trusted Root Certification Authorities.

3. Open Inetmgr and click Server Certificates under server node.

4. Import the server certificate by clicking on the Import link on the Actions pane.

5. Select the website which needs the X.509 certificate authentication.

On the Actions pane, click Bindings...

Click Add

Select Type = https, and choose the SSL certificate as the server certificate that was imported in the previous step.

6. Navigate to the cert folder under "siteminderagent" virtual directory and click SSL Settings

7. In the middle panel select Require SSL and Require for Client certificates.

    Click Apply on the Action pane.

8. Ensure that Anonymous Authentication is DISABLED for "cert" folder





Changes on the Policy Server

1. Create X.509 certificate authentication scheme as below :

2.Create Domain, Realm, Rule (get/post), Policy . Protect the realm with the X.509 authentication scheme.

3. Click Certificate Mapings under Directory and create mapping as below.

Note :

  • Ensure that the Issuer DN matches exactly as in the user certificate.
  • Choose the mapping attribute as per the Active Directory LDAP User DN lookup configuration

Changes on the client machine

1. Open MMC console and import the client certificate and CA root certificate. Import them to the Current Useraccount.

How to Test

1. From the client machine access the IIS resource protected with X.509 authenication scheme.

2. It will prompt you to select the client/user certificate. Choose the appropriate user certificate and click Ok.

Additional Information: