You enable and configure certificate authentication from the vRealize Automation administration console Directories Management feature.


  • Obtain the Root certificate and intermediate certificates from the CA that signed the certificates presented by your users.

  • (Optional) List of Object Identifier (OID)s of valid certificate policies for certificate authentication.

  • For revocation checking, the file location of the CRL, the URL of the OCSP server.

  • (Optional) OCSP Response Signing certificate file location.

  • Consent form content, if enabling a consent form to display before authentication.


  1. As a tenant administrator, navigate to Administration > Directories Management > Connectors
  2. On the Connectors page, select the Worker link for the connector that is being configured.
  3. Click Auth Adapters and then click CertificateAuthAdapter.

    You are redirected to the identity manager sign in page.

  4. In the CertificateAuthAdapter row, click Edit.
  5. Configure the Certificate Authentication Adapter page.

    An asterisk indicates a required field. All other fields are optional.




    A name is required. The default name is CertificateAuthAdapter. You can change this name.

    Enable certificate adapter

    Select the check box to enable certificate authentication.

    *Root and intermediate CA certificates

    Select the certificate files to upload. You can select multiple root CA and intermediate CA certificates that are encoded as DER or PEM.

    Uploaded CA certificates

    The uploaded certificate files are listed in the Uploaded Ca Certificates section of the form.

    You must restart the service before the new certificates are made available.

    Click Restart Web Service to restart the service and add the certificates to the trusted service.


    Restarting the service does not enable certificate authentication. After the service is restarted, continue configuring this page. Clicking Save at the end of the page enables certificate authentication on the service.

    Use email if no UPN in certificate

    If the user principal name (UPN) does not exist in the certificate, select this checkbox to use the emailAddress attribute as the Subject Alternative Name extension to validate user accounts.

    Certificate policies accepted

    Create a list of object identifiers that are accepted in the certificate policies extensions.

    Enter the object ID numbers (OID) for the Certificate Issuing Policy. Click Add another value to add additional OIDs.

    Enable cert revocation

    Select the check box to enable certificate revocation checking. This prevents users who have revoked user certificates from authenticating.

    Use CRL from certificates

    Select the check box to use the certificate revocation list (CRL) published by the CA that issued the certificates to validate a certificate's status, revoked or not revoked.

    CRL Location

    Enter the server file path or the local file path from which to retrieve the CRL.

    Enable OCSP Revocation

    Select the check box to use the Online Certificate Status Protocol (OCSP) certificate validation protocol to get the revocation status of a certificate.

    Use CRL in case of OCSP failure

    If you configure both CRL and OCSP, you can check this box to fall back to using CRL if OCSP checking is not available.

    Send OCSP Nonce

    Select this check box if you want the unique identifier of the OCSP request to be sent in the response.


    If you enabled OCSP revocation, enter the OCSP server address for revocation checking.

    OCSP responder's signing certificate

    Enter the path to the OCSP certificate for the responder, /path/to/file.cer.

    Enable consent form before authentication

    Select this check box to include a consent form page to appear before users log in to their My Apps portal using certificate authentication.

    Consent form content

    Type the text that displays in the consent form in this text box.

  6. Click Save.

What to do next

  • Add the certificate authentication method to the default access policy.Navigate to Administration > Directories Management > Policies and click Edit Default Policy to edit the default policy rules and add Certificate and make it the first authentication method for the default policy. Certificate must be first authentication method listed in the policy rule, otherwise certificate authentication fails.

  • When Certificate Authentication is configured, and the service appliance is set up behind a load balancer, make sure that the Directories Management connector is configured with SSL pass-through at the load balancer and not configured to terminate SSL at the load balancer. This configuration ensures that the SSL handshake is between the connector and the client in order to pass the certificate to the connector.