
X.509 client certificate authentication results 403 error


Article ID: 40147


Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On SITEMINDER

Issue/Introduction

A Certificate Mapping for an X.509 Client Certificate Authentication Scheme has been created, and the Issuer DN entered in the mapping was copied from the CA certificate after viewing it with OpenSSL.

The Issuer DN appears to be correct, yet the browser receives "Access Forbidden" (HTTP 403).

 

Cause

The OpenSSL command line utility formats DNs (Distinguished Names) by joining their RDNs (Relative Distinguished Names) with a comma followed by a space, which is easier to read, but CA Single Sign-On expects the RDN separator to be a comma only. A DN copied from OpenSSL's default output therefore contains extra spaces and does not match the certificate's Issuer DN as seen by the policy server.

 

Resolution

Either of the following corrects the Issuer DN:

  1. Remove the space character after each comma in the Issuer DN entered in the Certificate Mapping.

    or

  2. Add either the "-nameopt sep_comma_plus" or the "-nameopt RFC2253" option to the OpenSSL command line so that the DN is printed with comma-only separators.

         e.g.:

       # openssl x509 -in cacert.pem -text -nameopt sep_comma_plus | grep Issuer
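The following script is an added example, not part of the original article or of CA Single Sign-On itself. It takes the Issuer line as printed by "openssl x509 -text" (the comma+space format the Cause section describes; newer OpenSSL releases also put spaces around "=") and rewrites it with comma-only separators, so the value entered in the Certificate Mapping can be checked against the certificate before the 403 is chased elsewhere. The certificate names and the sample OpenSSL output are constructed for the example; the function names are hypothetical.

```python
# Normalize an OpenSSL-formatted Issuer DN to the comma-only separator form
# that CA Single Sign-On expects in a Certificate Mapping (added example;
# names and sample output are constructed, not from the article).

# Constructed excerpt of "openssl x509 -in cacert.pem -text" output.
SAMPLE_OPENSSL_TEXT = """Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Example Corp, OU = PKI, CN = Example Root CA
        Validity
            Not Before: Jan  1 00:00:00 2024 GMT
"""


def issuer_from_text_output(text: str) -> str:
    """Return the raw DN string following 'Issuer:' in openssl -text output."""
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Issuer:"):
            return stripped[len("Issuer:"):].strip()
    raise ValueError("no Issuer line found in OpenSSL output")


def split_rdns(dn: str) -> list:
    """Split a DN on unescaped commas only.

    A backslash-escaped comma inside a value (e.g. 'O=Example\\, Inc.') is
    part of the RDN and must not be treated as a separator.
    """
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])  # keep the escape and the escaped char
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def normalize_rdn(rdn: str) -> str:
    """Strip the whitespace OpenSSL adds around the attribute '=' sign."""
    rdn = rdn.strip()
    if "=" not in rdn:
        return rdn
    attr, value = rdn.split("=", 1)  # split on the first '=' only
    return f"{attr.strip()}={value.strip()}"


def normalize_dn(dn: str) -> str:
    """Rejoin the RDNs with a bare comma, matching -nameopt sep_comma_plus."""
    return ",".join(normalize_rdn(rdn) for rdn in split_rdns(dn))


def mapping_matches(mapping_issuer_dn: str, cert_issuer_dn: str) -> bool:
    """True when the DN configured in the mapping equals the certificate's
    Issuer DN once both are reduced to comma-only separators."""
    return normalize_dn(mapping_issuer_dn) == normalize_dn(cert_issuer_dn)


if __name__ == "__main__":
    raw = issuer_from_text_output(SAMPLE_OPENSSL_TEXT)
    print("OpenSSL prints :", raw)
    print("Mapping needs  :", normalize_dn(raw))
    # A DN pasted with the comma+space separators is the case from the article.
    pasted = "C=US, O=Example Corp, OU=PKI, CN=Example Root CA"
    print("Pasted value matches after normalization:",
          mapping_matches(pasted, raw))
```

Run the script as-is to see the difference between the pasted value and the comma-only form; to check a real certificate, replace SAMPLE_OPENSSL_TEXT with the captured output of the openssl command from step 2. Using the OpenSSL option directly remains the simpler route; the script only helps when the DN has already been entered and needs to be verified.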

 

Additional Information

(1) Certificate Mapping for X.509 Client Certificate Authentication Schemes