To enable logging in using certificate authentication, root certificates and intermediate certificates must be uploaded to the Workspace ONE Access service.

The intermediate (user) certificates are copied to the local certificate store on the Android device. The certificates in the local certificate store are available to all the browsers running on this Android device, with some exceptions, and therefore, are available to a Workspace ONE Access instance in the browser.

If a user cannot authenticate, the root CA and intermediate CA might not be set up correctly, or the service has not been restarted after the root and intermediate CAs were uploaded to the server. In these cases, the browser cannot show the installed certificates, the user cannot select the correct certificate, and certificate authentication fails.