X.509 client certificate authentication results 403 error

Article Id: 40147

Status: Published

Updated On: 03-04-2018 18:15

Legacy Id: TEC1129895

Products:

CA Single Sign On Secure Proxy Server (SiteMinder) , AXIOMATICS POLICY SERVER , CA Single Sign On SOA Security Manager (SiteMinder) , CA Single Sign-On , CA Single Sign-On

Issue/Introduction:

Problem:

We created a Certificate Mapping for X.509 Certificate Authentication and copied the Issuer DN from our CA Certificate by viewing it with openssl.

The Issuer DN should be correct but we are getting “Access Forbidden” on our browsers.

Environment:

CA Single Sign-On R12.5 and later

Cause:

Openssl command line utility formats the DNs (Distinguished Names) by connecting their RDNs (Relative Distinguished Names) with comma+space for easier reading but CA Single Sign-On expects that the separator of RDNs is comma only.

Resolution:

1. Remove the space character after each comma.

or

2. Put either “-nameopt sep_comma_plus” or “-nameopt RFC2253” option in the command line of openssl.

e.g.

openssl x509 –in cacert.pem –text –nameopt sep_comma_plus |grep Issuer

Additional Information:

https://docops.ca.com/ca-single-sign-on-12-52-sp1/en/configuring/policy-server-configuration/certificate-mapping-for-x-509-client-certificate-authentication-schemes#CertificateMappingforX.509ClientCertificateAuthenticationSchemes-ConfigureaCertificateMapping

Environment:

Release: ESPSTM99000-12.51-Single Sign On-Extended Support Plus
Component:

Resolution:

Please Update This Required Field