*Name |
A name is required. The default name is CertificateAuthAdapter. You can change this name. |
Enable Certificate Adapter |
Select the check box to enable certificate authentication. |
*Root and intermediate CA certificates |
Select the certificate files to upload. You can select multiple root CA and intermediate CA certificates that are encoded as DER or PEM. |
Uploaded CA Certificates |
The uploaded certificate files are listed in the Uploaded Ca Certificates section of the form. |
Identifier Search Order |
Select the search order to locate the user identifier within the certificate.
- upn. The UserPrincipalName value of the Subject Alternative Name
- email. The email address from the Subject Alternative Name.
- subject. The UID value from the Subject.
|
Validate UPN Format |
Enable this check box to validate the format of the UserPrincipalName field. |
Request Timeout |
Enter the time in seconds to wait for a response. A value of zero (0) means that the wait for the response is indefinite. |
Certificate Policies Accepted |
Create a list of object identifiers that are accepted in the certificate policies extensions. Enter the object ID numbers (OID) for the Certificate Issuing Policy. Click Add another value to add additional OIDs. |
Enable Cert Revocation |
Select the check box to enable certificate revocation checking. Revocation checking prevents users who have revoked user certificates from authenticating. |
Use CRL from Certificates |
Select the check box to use the certificate revocation list (CRL) published by the CA that issued the certificates to validate the status of a certificate, revoked or not revoked. |
CRL Location |
Enter the server file path or the local file path from which to retrieve the CRL. |
Enable OCSP Revocation |
Select the check box to use the Online Certificate Status Protocol (OCSP) certificate validation protocol to get the revocation status of a certificate. |
Use CRL in case of OCSP failure |
If you configure both CRL and OCSP, you can check this box to fall back to using CRL if OCSP checking is not available. |
Send OCSP Nonce |
Select this check box if you want the unique identifier of the OCSP request to be sent in the response. |
OCSP URL |
If you enabled OCSP revocation, enter the OCSP server address for revocation checking. |
OCSP URL Source |
Select the source to use for revocation checking.
- Configuration Only. Perform certificate revocation check using the OCSP URL provided in the text box to validate the entire certificate chain.
- Certificate Only (required). Perform certificate revocation check using the OCSP URL that exists in the AIA extension of each certificate in the chain. Every certificate in the chain must have an OCSP URL defined, other wise the certificate revocation check fails.
- Certificate Only (Optional). Only perform certificate revocation check using the OCSP URL that exists in the AIA extension of the certificate. Do not check revocation if the OCSP URL does not exist in the certificate AIA extension.
- Certificate with fallback to configuration. Perform certificate revocation check using the OCSP URL extracted from the AIA extension of each certificate in the chain, when the OCSP URL is available. If the OCSP URL is not in the AIA extension, check revocation using the OCSP URL configured in the OCSP URL text box. The OCSP URL text box must be configured with the OCSP server address.
|
OCSP Responder's Signing Certificate |
Enter the path to the OCSP certificate for the responder, /path/to/file.cer. |
Upload OCSP Signing Certificates |
The uploaded certificate files are listed in this section. |
Enable Consent Form before Authentication |
Select this check box to include a consent form page to appear before users log in to their Workspace ONE portal using certificate authentication. |
Consent Form Content |
Type the text that displays in the consent form in this text box. |