How to configure X.509 certificate authentication with CA Single Sign-on web agent on IIS web server

Document ID:  TEC2075439
Last Modified Date:  07/17/2017


  • CA Single Sign-On


  • CA Single Sign-On:Release:12.5
  • CA Single Sign-On:Release:12.51
  • CA Single Sign-On:Release:12.51 CA SiteMinder
  • CA Single Sign-On:Release:12.52
  • CA Single Sign-On:Release:12.52 CA SiteMinder
  • CA Single Sign-On:Release:12.52 SP1



How to configure X.509 certificate authentication with the CA Single Sign-On Web Agent on an IIS web server

Policy Server: R12.52 SP1 and above
User Store: any LDAP
Web Server: IIS 7.5


You have already obtained the following three required certificates in .pfx format:

  • Trusted CA root certificate (let's call it rootCA.pfx)
  • Server certificate issued by a trusted CA (let's call it server.pfx)
  • Client certificate issued by a trusted CA (let's call it client.p12/pfx)


Changes on the IIS Web Server

1. Open the MMC console and add the Certificates snap-in for the Local Computer account.

2. Import the CA root certificate (rootCA.pfx) into Trusted Root Certification Authorities.

3. Open Inetmgr and click Server Certificates under the server node.

4. Import the server certificate (server.pfx) by clicking the Import link in the Actions pane.

5. Select the website that needs X.509 certificate authentication.

  • On the Actions pane, click Bindings...
  • Click Add.
  • Select Type = https and choose, as the SSL certificate, the server certificate imported in the previous step.

6. Navigate to the cert folder under the "siteminderagent" virtual directory and click SSL Settings.

7. In the middle panel, select Require SSL and, under Client certificates, select Require.

    Click Apply on the Actions pane.

8. Ensure that Anonymous Authentication is DISABLED for the "cert" folder.





Changes on the Policy Server

1. Create an X.509 certificate authentication scheme.

2. Create a Domain, Realm, Rule (GET/POST) and Policy. Protect the realm with the X.509 authentication scheme.

3. Click Certificate Mappings under Directory and create the mapping.

Note:

  • Ensure that the Issuer DN matches exactly the Issuer DN in the user certificate.
  • Choose the mapping attribute according to the Active Directory LDAP User DN lookup configuration.

Changes on the client machine

1. Open the MMC console and import the client certificate and the CA root certificate. Import them into the Current User account.

How to Test

1. From the client machine, access the IIS resource protected with the X.509 authentication scheme.

2. You will be prompted to select the client/user certificate. Choose the appropriate user certificate and click OK.
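The IIS-side steps 1 to 8 above as one PowerShell script, added here as an example and not part of the CA document. It assumes an elevated session on the IIS host, the WebAdministration module, certificates under C:\certs, the site name "Default Web Site" and the location "Default Web Site/siteminderagent/cert"; adjust these to your environment. It also reads back the two settings that are most often missed and prints the client certificate's Issuer DN for the Policy Server mapping.

```powershell
# Added example (not from the CA document): IIS steps 1-8 as a script.
# Assumed: elevated session, WebAdministration module, paths and site name below.
Import-Module WebAdministration

$siteName = 'Default Web Site'                    # assumed site name
$certPath = "$siteName/siteminderagent/cert"       # folder protected by the Web Agent
$pfxPwd   = Read-Host -AsSecureString 'PFX password'

# Steps 1-2: CA root into Trusted Root Certification Authorities (LocalMachine).
# Only the public part is needed here; if you have a .cer, use Import-Certificate
# instead, so no CA private key is ever stored on the web server.
Import-PfxCertificate -FilePath 'C:\certs\rootCA.pfx' -Password $pfxPwd `
    -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Steps 3-4: server certificate (with its private key) into the Personal store.
$serverCert = Import-PfxCertificate -FilePath 'C:\certs\server.pfx' -Password $pfxPwd `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# Step 5: https binding on the site, bound to the imported server certificate.
if (-not (Get-WebBinding -Name $siteName -Protocol https)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443
}
(Get-WebBinding -Name $siteName -Protocol https).AddSslCertificate($serverCert.Thumbprint, 'My')

# Steps 6-7: SSL Settings on the cert folder: Require SSL and Require client certificate.
# IIS Manager writes these same three flags when "Require" is selected.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $certPath `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' `
    -Value 'Ssl,SslNegotiateCert,SslRequireCert'

# Step 8: anonymous authentication disabled for the cert folder only.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $certPath `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name 'enabled' -Value $false

# Read back both settings so a mistake shows up before the first test.
$access = Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $certPath `
    -Filter 'system.webServer/security/access'
$anon   = Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $certPath `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication'
"sslFlags on ${certPath}: $($access.sslFlags)"          # expect Ssl, SslNegotiateCert, SslRequireCert
"anonymous auth enabled on ${certPath}: $($anon.enabled)"  # expect False

# Issuer DN exactly as carried in the client certificate, for the Policy Server
# certificate mapping (the mapping must match this string exactly).
$client = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
    'C:\certs\client.pfx', $pfxPwd)
"Client certificate Issuer DN: $($client.Issuer)"
```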
