
X.509 client certificate authentication results in a 403 error


Article ID: 40147



CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On SITEMINDER



A Certificate Mapping for X.509 Certificate Authentication has been created, and the Issuer DN was copied from the CA certificate after viewing it with OpenSSL.

The Issuer DN appears to be correct, but the browser still receives "Access Forbidden" (HTTP 403).

Cause

The OpenSSL command-line utility formats DNs (Distinguished Names) by joining their RDNs (Relative Distinguished Names) with a comma followed by a space, for easier reading. CA Single Sign-On, however, expects the RDNs to be separated by a comma only. An Issuer DN copied verbatim from the default OpenSSL output therefore contains extra space characters, does not match the Issuer DN in the presented client certificate, and the mapping fails.

Resolution

Either of the following corrects the Issuer DN in the Certificate Mapping:

  1. Remove the space character after each comma in the copied Issuer DN.


  2. Pass either the "-nameopt sep_comma_plus" or the "-nameopt RFC2253" option on the OpenSSL command line so that the DN is printed with comma-only separators, for example:

       # openssl x509 -in cacert.pem -text -nameopt sep_comma_plus | grep Issuer
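The following is an added example, not part of the original article and not CA/Broadcom code, that shows the separator mismatch described above in working form. It normalizes a DN taken from OpenSSL's default output (RDNs joined by ", " and spaces around "=") into the comma-only form the mapping expects, and compares two renderings of the same DN. The sample Issuer lines are constructed; the function names are the example's own.

```python
import re

# Constructed sample: the Issuer line as a modern OpenSSL prints it with its
# default name options (RDNs joined by ", ", spaces around "=").
SAMPLE_OPENSSL_DEFAULT = "Issuer: C = US, O = Example Corp, OU = PKI, CN = Example Root CA"

# Constructed sample: the same DN as printed with "-nameopt sep_comma_plus"
# (comma-only separators, no padding), which is the form the mapping expects.
SAMPLE_SEP_COMMA_PLUS = "Issuer: C=US,O=Example Corp,OU=PKI,CN=Example Root CA"


def split_rdns(dn):
    """Split a DN string into RDN strings on unescaped commas.

    A backslash-escaped comma (e.g. in "O=Acme\\, Inc.") is part of the
    attribute value and must not be treated as an RDN separator.
    """
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(ch)
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def normalize_rdn(rdn):
    """Drop whitespace around the RDN and around its '=' (OpenSSL's default ' = ').

    Spaces inside a value ("Example Corp") are kept; only the padding that
    OpenSSL adds next to the separators is removed.
    """
    attr, sep, value = rdn.strip().partition("=")
    if not sep:
        raise ValueError(f"malformed RDN: {rdn!r}")
    return f"{attr.strip()}={value.strip()}"


def to_siteminder_dn(openssl_line):
    """Convert an 'Issuer: ...' or 'Subject: ...' line (or a bare DN) to comma-only form."""
    dn = re.sub(r"^\s*(Issuer|Subject):\s*", "", openssl_line)
    return ",".join(normalize_rdn(r) for r in split_rdns(dn))


def dn_matches(mapping_dn, cert_dn):
    """True when both DNs are identical once separator padding is normalized."""
    return to_siteminder_dn(mapping_dn) == to_siteminder_dn(cert_dn)


if __name__ == "__main__":
    # The raw strings differ only in separator padding, which is enough to
    # break the mapping; the normalized forms are equal.
    print("raw equal:       ", SAMPLE_OPENSSL_DEFAULT == SAMPLE_SEP_COMMA_PLUS)
    print("normalized:      ", to_siteminder_dn(SAMPLE_OPENSSL_DEFAULT))
    print("normalized equal:", dn_matches(SAMPLE_OPENSSL_DEFAULT, SAMPLE_SEP_COMMA_PLUS))
```

Only the padding around separators is normalized; RDN order is left as-is. Note that "-nameopt RFC2253" prints the RDNs in reverse order compared with "-nameopt sep_comma_plus", so the two OpenSSL outputs are not byte-identical even though both use comma-only separators.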


Additional Information



    Certificate Mapping for X.509 Client Certificate Authentication Schemes