Problem: 

We created a Certificate Mapping for X.509 Certificate Authentication and copied the Issuer DN from our CA Certificate by viewing it with openssl.

The Issuer DN should be correct but we are getting “Access Forbidden” on our browsers.

Environment:  

CA Single Sign-On R12.5 and later

Cause: 

Openssl command line utility formats the DNs (Distinguished Names) by connecting their RDNs (Relative Distinguished Names) with comma+space for easier reading but CA Single Sign-On expects that the separator of RDNs is comma only.

Resolution:

1.    Remove the space character after each comma.

or

2.    Put either “-nameopt sep_comma_plus” or “-nameopt RFC2253” option in the command line of openssl.

e.g. 

openssl x509 –in cacert.pem –text –nameopt sep_comma_plus |grep Issuer

Additional Information:

https://docops.ca.com/ca-single-sign-on-12-52-sp1/en/configuring/policy-server-configuration/certificate-mapping-for-x-509-client-certificate-authentication-schemes#CertificateMappingforX.509ClientCertificateAuthenticationSchemes-ConfigureaCertificateMapping