You can configure x509 certificate authentication to allow clients to authenticate with certificates on their desktop and mobile devices or to use a smart card adapter for authentication. Certificate-based authentication is based on what the user has (the private key or smart card), and what the person knows (the password to the private key or the smart-card PIN.) An X.509 certificate uses the public key infrastructure (PKI) standard to verify that a public key contained within the certificate belongs to the user. With smart card authentication, users connect the smart card with the computer and enter a PIN.

The smart card certificates are copied to the local certificate store on the user's computer. The certificates in the local certificate store are available to all the browsers running on this user's computer, with some exceptions, and therefore, are available to a Workspace ONE Access instance in the browser.

Note: (On-Premises Only) When Certificate Authentication is configured and the service appliance is set up behind a load balancer, make sure that the connector Windows server is configured with SSL pass-through at the load balancer and not configured to terminate SSL at the load balancer. This configuration ensures that the SSL handshake is between the server and the client to pass the certificate to the connector. You can configure additional connectors behind another load balancer configured with SSL pass-through and enable and configure certificate-based authentication on those connectors.