You enable and configure certificate authentication from the Unified Access Gateway administration console.

Prerequisites

  • Obtain the root certificate and intermediate certificates from the CA that signed the certificates presented by your users.

    See Obtain the Certificate Authority Certificates.

  • Verify that the Unified Access Gateway SAML metadata is added on the service provider and that the service provider SAML metadata is copied to the Unified Access Gateway appliance.
  • (Optional) List of Object Identifiers (OIDs) of the certificate policies that are acceptable for certificate authentication.
  • For revocation checking, the location of the CRL (server or local file path) and the URL of the OCSP responder, depending on which methods you enable.
  • (Optional) OCSP response signing certificate file location.
  • Consent form content, if a consent form is to be displayed before authentication.

Procedure

  1. In the Unified Access Gateway admin UI, navigate to the Configure Manually section and click Select.
  2. In the General Settings > Authentication Settings, click Show.
  3. Click the X.509 Certificate gearbox.
  4. Configure the X.509 Certificate form.
    An asterisk indicates a required text box. All other text boxes are optional.
    Enable X.509 Certificate
      Turn on this toggle to enable certificate authentication.

    *Root and Intermediate CA Certificates
      To upload the certificate files, click Select. Upload every CA certificate in the chain that signs your users' certificates: the root and any intermediates.

      Tip: You can upload a single file containing multiple root CA and intermediate CA certificates that are encoded as DER or PEM.

      To add another file of certificates later, click Select again.

      Note: With version 2012 and later, Unified Access Gateway supports configuring multiple CA certificates that share the same Subject DN. This is useful when a CA's issuer certificate is renewed with the same Subject DN but a different key pair: the old and the new CA certificates can be used together, so client certificates issued by either are accepted. Unified Access Gateway uses the Authority Key Identifier (AKI) extension of the client certificate to identify which CA public key corresponds to the private key that signed it. The extension exists precisely for issuers that have more than one signing key, whether several concurrent key pairs or a changeover from one to the next. For this to work, the client certificates must carry an AKI that matches the Subject Key Identifier of the CA certificate that issued them; matching on Subject DN alone would be ambiguous.

    Enable Cert Revocation
      Turn on this toggle to enable certificate revocation checking, which prevents users whose certificates have been revoked from authenticating.

    Use CRL from Certificates
      Select the check box to retrieve the certificate revocation list (CRL) from the CRL Distribution Point (CDP) URL embedded in the user's certificate, as published by the CA that issued it, and use that CRL to decide whether the certificate is revoked.

    CRL Location
      Enter the server file path or the local file path from which to retrieve the CRL.

    Enable OCSP Revocation
      Select the check box to query an Online Certificate Status Protocol (OCSP) responder for the revocation status of the certificate.

    Use CRL in case of OCSP Failure
      If you configure both CRL and OCSP, select this check box to fall back to the CRL when OCSP checking is not available.

    Send OCSP Nonce
      Select this check box to include a nonce (a random, single-use value) in each OCSP request. A responder that supports nonces echoes it in its signed response, which binds the response to this particular request and lets Unified Access Gateway reject a replayed or stale response. Responders that serve pre-signed responses do not echo nonces; leave this clear if yours is one of them.

    OCSP URL
      If you enabled OCSP revocation, enter the URL of the OCSP responder to use for revocation checking.

    Use OCSP URL from certificate
      Select this check box to use the OCSP responder URL carried in the Authority Information Access (AIA) extension of the user's certificate.

    Enable Consent Form before Authentication
      Select this check box to display a consent form page before users log in to their Workspace ONE portal with certificate authentication.
  5. Click Save.
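The following shell script is an added example, not part of the Unified Access Gateway documentation or product. It uses OpenSSL to build a throwaway PKI and reproduce the checks the X.509 settings above depend on: two CA certificates with the same Subject DN but different keys go into one bundle (the multiple-CA case from the Note), a user certificate issued by the newer CA is verified against the bundle and then against the old CA alone, the certificate is revoked and re-checked via CRL and via a file-based OCSP responder, and a stored OCSP response is checked both with and without a nonce. All file names, the DNs, and the CDP and OCSP URLs are placeholders chosen for the example; it needs only a POSIX shell and OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not from the UAG documentation): an OpenSSL sandbox for the
# checks behind the X.509 settings. Every name, DN and URL is a placeholder.
set -e
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT; CFG="$W/ca.cnf"
CA_DN="/O=Example Corp/CN=Example Corp Issuing CA"   # shared by the old and the new CA
mkdir "$W/db"; : > "$W/db/index.txt"; echo 1000 > "$W/db/serial"; echo 1000 > "$W/db/crlnumber"
cat > "$CFG" <<EOF
[ ca ]
default_ca = issuing_ca
[ issuing_ca ]
certificate = $W/newca.pem
private_key = $W/newca.key
database = $W/db/index.txt
new_certs_dir = $W/db
serial = $W/db/serial
crlnumber = $W/db/crlnumber
default_md = sha256
default_days = 30
default_crl_days = 7
policy = policy_cn
x509_extensions = v3_client
crl_extensions = crl_ext
[ policy_cn ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_client ]
basicConstraints = CA:false
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
crlDistributionPoints = URI:http://crl.example.test/issuing.crl
authorityInfoAccess = OCSP;URI:http://ocsp.example.test
[ crl_ext ]
authorityKeyIdentifier = keyid:always
EOF
mk_ca() {  # $1: file stem. Self-signed CA with its own key pair but the shared Subject DN.
  openssl ecparam -name prime256v1 -genkey -noout -out "$W/$1.key"
  openssl req -new -x509 -key "$W/$1.key" -subj "$CA_DN" -days 30 -config "$CFG" \
    -extensions v3_ca -out "$W/$1.pem" 2>/dev/null
}
mk_ca oldca; mk_ca newca
cat "$W/oldca.pem" "$W/newca.pem" > "$W/bundle.pem"   # the file uploaded as Root and Intermediate CA Certificates
# User certificate, issued and recorded in index.txt by the NEW CA only.
openssl ecparam -name prime256v1 -genkey -noout -out "$W/client.key"
openssl req -new -key "$W/client.key" -subj "/CN=jdoe@example.com" -config "$CFG" -out "$W/client.csr" 2>/dev/null
openssl ca -batch -config "$CFG" -notext -in "$W/client.csr" -out "$W/client.pem" 2>/dev/null

verify_with() {  # $1: trusted CA file; rest: extra openssl verify options. Prints ok|fail.
  ca=$1; shift
  if openssl verify -CAfile "$ca" "$@" "$W/client.pem" >/dev/null 2>&1; then echo ok; else echo fail; fi
}
embedded_urls() {  # the CDP and AIA URLs that "Use CRL from Certificates" / "Use OCSP URL from certificate" read
  openssl x509 -in "$W/client.pem" -noout -text | grep 'URI:'
}
gen_crl()       { openssl ca -config "$CFG" -gencrl -out "$W/issuing.crl" 2>/dev/null; }
revoke_client() { openssl ca -config "$CFG" -revoke "$W/client.pem" 2>/dev/null; gen_crl; }
ocsp_respond() {  # act as the CA's OCSP responder: answer one fresh, nonce-bearing request from index.txt, store the reply
  openssl ocsp -index "$W/db/index.txt" -CA "$W/newca.pem" -rsigner "$W/newca.pem" -rkey "$W/newca.key" \
    -issuer "$W/newca.pem" -cert "$W/client.pem" -respout "$W/resp.der" >/dev/null 2>&1
}
ocsp_status() {  # validate the STORED reply against a new request; "$@" e.g. -no_nonce. Prints good|revoked|nonce-mismatch|other.
  out=$(openssl ocsp -issuer "$W/newca.pem" -cert "$W/client.pem" -respin "$W/resp.der" -CAfile "$W/newca.pem" "$@" 2>&1) || true
  case $out in
    *"Nonce Verify error"*)  echo nonce-mismatch ;;
    *"client.pem: good"*)    echo good ;;
    *"client.pem: revoked"*) echo revoked ;;
    *)                       echo other ;;
  esac
}

echo "chain, old+new CA bundle:       $(verify_with "$W/bundle.pem")"   # ok: issuer chosen by AKI, not by DN
echo "chain, old CA only:             $(verify_with "$W/oldca.pem")"    # fail: same DN, different key
gen_crl; ocsp_respond
CRL_BEFORE=$(verify_with "$W/bundle.pem" -CRLfile "$W/issuing.crl" -crl_check)   # ok
OCSP_BEFORE=$(ocsp_status -no_nonce)    # good: with no nonce, any stored response is accepted
echo "CRL / OCSP before revocation:   $CRL_BEFORE / $OCSP_BEFORE"
echo "OCSP, nonce sent, stale reply:  $(ocsp_status)"                    # nonce-mismatch: replay rejected
revoke_client; ocsp_respond
echo "CRL after revocation:           $(verify_with "$W/bundle.pem" -CRLfile "$W/issuing.crl" -crl_check)"  # fail
echo "OCSP after revocation:          $(ocsp_status -no_nonce)"          # revoked
embedded_urls
```

Run it as is. The chain check against the old CA alone fails with "unable to get local issuer certificate" even though the Subject DN matches, which is the ambiguity the Authority Key Identifier resolves and the reason both CA certificates belong in the uploaded bundle. The stored OCSP response is rejected when the client sends a nonce, because the nonce inside the response belongs to the responder's own earlier request; without a nonce the same stale response is accepted, which is what Send OCSP Nonce guards against. The CRL Distribution Point and AIA URLs printed at the end are what Use CRL from Certificates and Use OCSP URL from certificate read out of the user's certificate.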

What to do next

When X.509 certificate authentication is configured and the Unified Access Gateway appliance is deployed behind a load balancer, configure the load balancer for SSL/TLS pass-through, not SSL termination. The client certificate is exchanged inside the TLS handshake, so that handshake must take place directly between the client and Unified Access Gateway. A load balancer that terminates TLS completes the handshake itself, and the client certificate never reaches Unified Access Gateway.