You enable and configure certificate authentication from the Unified Access Gateway administration console.


  • Obtain the root certificate and intermediate certificates from the CA that signed the certificates presented by your users. See Obtain the Certificate Authority Certificates

  • Verify that the Unified Access Gateway SAML metadata is added on the service provider and the service provider SAML metadata is copied the Unified Access Gateway appliance.

  • (Optional) List of Object Identifier (OID) of valid certificate policies for certificate authentication.

  • For revocation checking, the URL of the OCSP server.

  • (Optional) OCSP Response Signing certificate file location.

  • Consent form content, if a consent form displays before authentication.


  1. In the admin UI Configure Manually section, click Select.
  2. In the General Settings Authentication Settings section, click Show.
  3. Click the gearbox in the X.509 Certificate line.
  4. Configure the X.509 Certificate form.

    An asterisk indicates a required text box. All other text boxes are optional.



    Enable X.509 Certificate

    Change NO to YES to enable certificate authentication.

    *Root and Intermediate CA Certificates

    Click Select to select the certificate files to upload. You can select multiple root CA and intermediate CA certificates that are encoded as DER or PEM.

    Enable Cert Revocation

    Change NO to YES to enable certificate revocation checking. Revocation checking prevents users who have revoked user certificates from authenticating.

    Enable OCSP Revocation

    Select the check box to use the Online Certificate Status Protocol (OCSP) certificate validation protocol to get the revocation status of a certificate.

    Send OCSP Nonce

    Select this check box if you want the unique identifier of the OCSP request to be sent in the response.


    If you enabled OCSP revocation, enter the OCSP server address for revocation checking.

    Use OCSP URL from certificate

    Check this box to use the OCSP URL.

    Enable Consent Form before Authentication

    Select this check box to include a consent form page to appear before users log in to their Workspace ONE portal using certificate authentication.

  5. Click Save.

What to do next

When X.509 Certificate authentication is configured and Unified Access Gateway appliance is set up behind a load balancer, make sure that Unified Access Gateway is configured with SSL pass-through at the load balancer and not configured to terminate SSL at the load balancer. This configuration ensures that the SSL handshake is between the Unified Access Gateway and the client in order to pass the certificate to Unified Access Gateway.