ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

X.509 client certificate authentication results 403 error

book

Article ID: 40147

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On

Issue/Introduction

Problem: 

We created a Certificate Mapping for X.509 Certificate Authentication and copied the Issuer DN from our CA Certificate by viewing it with openssl.

The Issuer DN should be correct but we are getting “Access Forbidden” on our browsers.

Environment:  

CA Single Sign-On R12.5 and later

Cause: 

Openssl command line utility formats the DNs (Distinguished Names) by connecting their RDNs (Relative Distinguished Names) with comma+space for easier reading but CA Single Sign-On expects that the separator of RDNs is comma only.

Resolution:

1.    Remove the space character after each comma.

or

2.    Put either “-nameopt sep_comma_plus” or “-nameopt RFC2253” option in the command line of openssl.

e.g. 

openssl x509 –in cacert.pem –text –nameopt sep_comma_plus |grep Issuer

Additional Information:

https://docops.ca.com/ca-single-sign-on-12-52-sp1/en/configuring/policy-server-configuration/certificate-mapping-for-x-509-client-certificate-authentication-schemes#CertificateMappingforX.509ClientCertificateAuthenticationSchemes-ConfigureaCertificateMapping



Environment

Release: ESPSTM99000-12.51-Single Sign On-Extended Support Plus
Component:

Resolution

Please Update This Required Field
Powered by Wolken Software