Tech Tip – X.509 Certificate Authentication with IIS Agent


How to configure X.509 certificate authentication with CA Single-On Web Agent on IIS web server

  • Policy Server : R12.52 SP1 and above
  • User Store : ANY LDAP
  • Web Server : IIS 7.5

You have already obtained following three required certificates in .pfx format:

  • Trusted CA root certificate.(let’s call it rootCA.pfx)
  • Server Certificate from a trusted CA.(let’s call it server.pfx)
  • Client Certificate from a trusted CA.(let’s call it client.p12/pfx)

(Refer : Tech Tip : How to create self signed RootCA/Server/User Certificates using OpenSSL )



Changes on the IIS Web Server

1. Open mmc console, add the certificate for the Local Computer


2. Import the CA root certificate to Trusted Root Certification Authorities.


3. Open Inetmgr and click Server Certificates under server node.


4. Import the server certificate by clicking on the Import link on the Actions pane.


5. Select the website which needs the X.509 certificate authentication.

On the Actions pane, click Bindings…

Click Add

Select Type = https, and choose the SSL certificate as the server certificate that was imported in the previous step.

6. Navigate to the cert folder under “siteminderagent” virtual directory and click SSL Settings

7. In the middle panel select Require SSL and Require for Client certificates.

Click Apply on the Action pane.

8. Ensure that Anonymous Authentication is DISABLED for “cert” folder

Changes on the Policy Server


1. Create X.509 certificate authentication scheme as below :

2.Create Domain, Realm, Rule (get/post), Policy . Protect the realm with the X.509 authentication scheme.

3. Click Certificate Mapings under Directory and create mapping as below.

Note :

  • Ensure that the Issuer DN matches exactly as in the user certificate.
  • Choose the mapping attribute as per the Active Directory LDAP User DN lookup configuration



Changes on the client machine

1. Open MMC console and import the client certificate and CA root certificate. Import them to the Current Useraccount.


1. From the client machine access the IIS resource protected with X.509 authenication scheme.

2. It will prompt you to select the client/user certificate. Choose the appropriate user certificate and click Ok.


Related blogs:


Share on facebook
Share on google
Share on twitter
Share on linkedin
Share on pinterest

Leave a Reply

Your email address will not be published.