
SSL configuration

The User Certificate Authentication feature relies on the Secure Sockets Layer (SSL) for authentication: the client presents its X.509 certificate during the SSL/TLS handshake, so the application can be hosted only on HTTPS. The one exception is a deployment in which a reverse proxy terminates SSL in front of the server.

For more information about how to configure SSL, see WebSphere Application Server and Liberty profile requirements.

The User Certificate Authentication feature requires integration with a public key infrastructure (PKI). If you use the embedded PKI option, you must supply a certificate authority (CA) that the feature uses to issue the client X.509 certificates.


Certificates and CAs

Client certificates that the User Certificate Authentication feature issues to users can be signed either by a custom CA or by a well-trusted CA in your PKI. Server-side certificates can likewise be signed by either type of CA.

If we encounter errors with certificates not signed by well-trusted CAs, see Configure SSL using untrusted certificates.

Restriction: Self-signed certificates are not supported. For more information about how to create an intermediate CA and use it to sign both the server and client certificates, see the tutorials on the Get Started page.


Certificate chains, keystore, and truststore

You must install the server certificate, with its private key, in the MobileFirst Server keystore. You must also add the CA that signs the client certificates to the truststore, so that the server can validate the client certificates it receives. For more information about setting up the server with these certificates, see WebSphere Application Server and Liberty profile requirements.

If you use intermediate custom CAs, ensure that the server certificate you install is concatenated with its certificate chain, ordered from the server (leaf) certificate, through each intermediate CA certificate, to the trust anchor (root CA). On Mac OS X and Linux this is a plain concatenation of the PEM files: the server certificate, then the intermediate CA certificate, then the root CA certificate.
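The following POSIX shell script is an added worked example; it is not the page's own snippet and not part of the MobileFirst product. It builds a throw-away three-tier PKI with openssl (root CA, intermediate CA, server certificate), concatenates the server chain in the required order, refuses any input file that already holds more than one certificate, checks that the chain really starts with the server certificate and validates up to the root, and then bundles key and chain into a PKCS#12 keystore. The host name mfp.example.com, the alias mfpserver, the password changeit and all file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the IBM page or the MobileFirst product. Builds a
# throw-away PKI (root CA -> intermediate CA -> server certificate) with
# openssl, concatenates the server chain in the order leaf, intermediate,
# root, and checks that order before bundling the result into a keystore.
# All names (mfp.example.com, mfpserver, changeit, file names) are placeholders.
set -eu

# count_certs FILE: number of PEM certificate blocks in FILE (0 if unreadable).
count_certs() {
    c=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" 2>/dev/null) || c=${c:-0}
    echo "$c"
}

# build_chain OUT SERVER [INTERMEDIATE ...] ROOT
# Concatenates the PEM files in argument order, which is the order the server
# needs: its own certificate first, then each issuer up to the trust anchor.
# Refuses an input that is not exactly one certificate (a file that already
# holds a bundle would silently scramble the order). Prints the block count.
build_chain() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        n=$(count_certs "$f")
        if [ "$n" -ne 1 ]; then
            echo "build_chain: $f holds $n certificates, expected exactly 1" >&2
            return 1
        fi
        cat "$f" >> "$out"
    done
    count_certs "$out"
}

# make_demo_pki DIR: create a root CA, an intermediate CA and a server
# certificate in DIR. Extensions go through -extfile so this also works
# without a system openssl.cnf.
make_demo_pki() {
    d=$1
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' > "$d/root.ext"
    printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
        'keyUsage=critical,keyCertSign,cRLSign' > "$d/intermediate.ext"
    printf '%s\n' 'basicConstraints=CA:FALSE' \
        'keyUsage=critical,digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' \
        'subjectAltName=DNS:mfp.example.com' > "$d/server.ext"
    # Root CA: self-signed trust anchor.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj '/CN=Example Root CA' \
        -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 3650 -sha256 \
        -extfile "$d/root.ext" -out "$d/root.crt"
    # Intermediate CA: signed by the root, allowed to issue end-entity certs only.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj '/CN=Example Intermediate CA' \
        -keyout "$d/intermediate.key" -out "$d/intermediate.csr" 2>/dev/null
    openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 1825 -sha256 -extfile "$d/intermediate.ext" \
        -out "$d/intermediate.crt"
    # Server (leaf) certificate for the MobileFirst Server host name.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj '/CN=mfp.example.com' \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/intermediate.crt" \
        -CAkey "$d/intermediate.key" -CAcreateserial -days 365 -sha256 \
        -extfile "$d/server.ext" -out "$d/server.crt"
}

# verify_chain CHAIN LEAF ROOT: the first certificate in CHAIN must be the
# server certificate (a chain that starts with the root "verifies" trivially
# and hides the ordering mistake), and the leaf must build a path to ROOT
# using only the intermediates carried in CHAIN.
verify_chain() {
    chain=$1; leaf=$2; root=$3
    first=$(openssl x509 -in "$chain" -noout -subject)
    want=$(openssl x509 -in "$leaf" -noout -subject)
    if [ "$first" != "$want" ]; then
        echo "verify_chain: chain starts with '$first', expected '$want'" >&2
        return 1
    fi
    openssl verify -CAfile "$root" -untrusted "$chain" "$leaf"
}

# Demo run; skipped when openssl is not installed.
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    make_demo_pki "$work"
    build_chain "$work/server-chain.pem" "$work/server.crt" \
        "$work/intermediate.crt" "$work/root.crt" >/dev/null
    verify_chain "$work/server-chain.pem" "$work/server.crt" "$work/root.crt"
    # Key plus ordered chain become the server keystore. The CA that signs
    # the *client* certificates belongs in the truststore, not in this file.
    openssl pkcs12 -export -inkey "$work/server.key" -in "$work/server-chain.pem" \
        -name mfpserver -passout pass:changeit -out "$work/server.p12"
    echo "server keystore: $work/server.p12"
fi
```

The concatenation and ordering check need only grep and cat; openssl is used for the demo PKI, the path validation and the PKCS#12 export. Because `openssl verify` trusts whatever is in `-CAfile`, a chain file that accidentally starts with the root would still pass a naive `openssl verify chain.pem`, which is why `verify_chain` compares the first subject against the real server certificate before validating. If an older JVM cannot read the PKCS#12 file produced by OpenSSL 3, re-run the export with `-legacy` to fall back to the older encryption algorithms.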


Parent topic: User certificate authentication on the server