
X.509 Configuration

Use this configuration to enable users to authenticate with X.509 client certificates, and then automatically connect to a host session. Optionally, you can specify settings to fall back to LDAP authentication if certificate-based authentication fails.

Prerequisites and Setup Requirements

See X.509 Certificates - Setup Requirements to be sure the requirements for this authentication method are met.

Authentication Settings

LDAP options for authentication

  • Fallback to LDAP authentication

    Use this option to prompt the user for LDAP credentials when certificate-based authentication fails.

  • Validate LDAP User Account

    Account validation is always enabled. Authentication fails when the LDAP search does not resolve a Distinguished Name (DN) for the name value taken from the user's certificate. If the LDAP server type is Microsoft Active Directory, additional validation is performed: authentication also fails when the user's Active Directory account is disabled or expired.
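The following is an added example (written for this page, not the product's own code) that models the account validation described above: the name value from the certificate is resolved to exactly one DN, and for Active Directory the userAccountControl ACCOUNTDISABLE bit (0x2) and the accountExpires FILETIME attribute are checked. The directory entries are constructed sample data, and the choice of userPrincipalName as the matching attribute and of the `(objectClass=user)` filter are assumptions; the product's actual attribute mapping is configured elsewhere. The filter builder escapes the certificate-derived value per RFC 4515, since that value is attacker-influenced input to an LDAP query.

```go
package main

import (
	"fmt"
	"math"
	"strings"
	"time"
)

// ldapEntry stands in for an LDAP search result. The attribute matched against the
// certificate name value is assumed here to be userPrincipalName.
type ldapEntry struct {
	DN                 string
	UserPrincipalName  string
	UserAccountControl int64 // Active Directory bit field; 0x2 is ACCOUNTDISABLE
	AccountExpires     int64 // Active Directory FILETIME; 0 or MaxInt64 means never
}

const (
	accountDisable   = 0x2
	filetimeUnixDiff = 116444736000000000 // 100 ns ticks from 1601-01-01 to 1970-01-01
)

// demoDirectory is constructed sample data, not a real directory.
var demoDirectory = []ldapEntry{
	{DN: "CN=alice,OU=Users,DC=example,DC=test", UserPrincipalName: "alice@example.test", UserAccountControl: 0x200},
	{DN: "CN=bob,OU=Users,DC=example,DC=test", UserPrincipalName: "bob@example.test", UserAccountControl: 0x202},
	{DN: "CN=carol,OU=Users,DC=example,DC=test", UserPrincipalName: "carol@example.test", UserAccountControl: 0x200,
		AccountExpires: 132000000000000000}, // expired in 2019
}

// escapeFilterValue applies RFC 4515 escaping so that a value copied out of a client
// certificate cannot change the structure of the LDAP search filter.
func escapeFilterValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		switch c := v[i]; c {
		case '*', '(', ')', '\\', 0:
			fmt.Fprintf(&b, `\%02x`, c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// searchFilter is the filter that would be sent to the LDAP server (assumed shape).
func searchFilter(certName string) string {
	return "(&(objectClass=user)(userPrincipalName=" + escapeFilterValue(certName) + "))"
}

func filetimeToTime(ft int64) time.Time {
	return time.Unix(0, (ft-filetimeUnixDiff)*100).UTC()
}

// validateAccount resolves the certificate name to exactly one DN and, for Active
// Directory, rejects disabled or expired accounts.
func validateAccount(certName string, dir []ldapEntry, activeDirectory bool, now time.Time) (string, error) {
	var matches []ldapEntry
	for _, e := range dir { // simulated search; UPN comparison is case-insensitive in AD
		if strings.EqualFold(e.UserPrincipalName, certName) {
			matches = append(matches, e)
		}
	}
	if len(matches) != 1 {
		return "", fmt.Errorf("search %s resolved %d DNs, need exactly 1", searchFilter(certName), len(matches))
	}
	e := matches[0]
	if activeDirectory {
		if e.UserAccountControl&accountDisable != 0 {
			return "", fmt.Errorf("%s: account is disabled", e.DN)
		}
		if e.AccountExpires != 0 && e.AccountExpires != math.MaxInt64 && !now.Before(filetimeToTime(e.AccountExpires)) {
			return "", fmt.Errorf("%s: account expired on %s", e.DN, filetimeToTime(e.AccountExpires).Format(time.RFC3339))
		}
	}
	return e.DN, nil
}

func main() {
	now := time.Now()
	for _, name := range []string{"alice@example.test", "bob@example.test", "carol@example.test", "eve*)(cn=*"} {
		dn, err := validateAccount(name, demoDirectory, true, now)
		fmt.Printf("%-20s dn=%q err=%v\n", name, dn, err)
	}
}
```

With `activeDirectory` set to false only the DN resolution step applies, which matches the page's statement that the disabled/expired checks are specific to Active Directory.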

Certificate Revocation Checking

Changes to the certificate revocation checking settings below do not take effect until the server is restarted.

Note

If you enable both OCSP and CRL checking, then OCSP will always be tried first. If the revocation status cannot be determined using OCSP, the validation will fall back to using CRL.

Enable Online Certificate Status Protocol (OCSP)

The Online Certificate Status Protocol (OCSP) is an Internet protocol for obtaining the revocation status of an X.509 digital certificate. Use this option to check the revocation status of the certificates in the TLS client certificate chain with OCSP. OCSP is an alternative to Certificate Revocation Lists (CRLs) and is commonly deployed as part of a Public Key Infrastructure (PKI).

An OCSP server, also called a responder, may return a signed response signifying that the certificate specified in the request is good, revoked, or unknown. If it cannot process the request, it may return an error code.

When you check Enable Online Certificate Status Protocol (OCSP), the OCSP server URL (specified in the AIA extension of a certificate) is used to check the certificate revocation status using OCSP. The Authority Information Access (AIA) extension indicates how to access Certificate Authority information and services for the issuer of the certificate in which the extension appears.

Enable Certificate Revocation List (CRL)

Use this option to check revocation status against a Certificate Revocation List, either on its own or, when OCSP is also enabled, as the fallback used when the revocation status cannot be determined using OCSP.

When you check Enable Certificate Revocation List (CRL), the CRL server URL (specified in the CRLDP extension of a certificate) is used to retrieve the Certificate Revocation List. The CRL Distribution Point (CRLDP) extension identifies where the CRL covering the certificate in which the extension appears can be retrieved; that list is issued and signed by the certificate's CA.
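The following is an added example (written for this page, not the product's code) that shows where the two URLs above live in a certificate and what the CRL step must verify before trusting the list. It builds a throwaway CA and a client certificate with Go's standard library, sets the AIA OCSP URL and the CRLDP URL on the certificate (both are placeholder URLs assumed for the example), issues a CRL that revokes the certificate, and then applies the OCSP-first rule from the note above: a definitive OCSP answer is final, and only an undetermined status falls back to the CRL. No responder is contacted, so the OCSP answer is passed in as an input; the CRL check itself is real and rejects a list that is not signed by the certificate's issuer or that is outside its thisUpdate/nextUpdate window.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Placeholder URLs assumed for this example; a real CA embeds its own responder and CRL locations.
const demoOCSPURL, demoCRLURL = "http://ocsp.example.test/", "http://crl.example.test/ca.crl"

func mustCert(der []byte, err error) *x509.Certificate {
	c, perr := x509.ParseCertificate(der)
	if err != nil || perr != nil {
		panic(fmt.Sprint(err, perr))
	}
	return c
}

// buildDemoPKI creates a throwaway CA and a client certificate whose AIA extension
// names an OCSP responder and whose CRLDP extension names a CRL. Keys are random.
func buildDemoPKI() (ca *x509.Certificate, caKey *ecdsa.PrivateKey, leaf *x509.Certificate) {
	now := time.Now()
	caKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // cRLSign is required to issue CRLs
	}
	ca = mustCert(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "alice"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		OCSPServer:            []string{demoOCSPURL}, // AIA extension, access method id-ad-ocsp
		CRLDistributionPoints: []string{demoCRLURL},  // CRLDP extension
	}
	leaf = mustCert(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))
	return ca, caKey, leaf
}

// issueCRL has the CA sign a CRL listing the given serials as revoked.
func issueCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked []*big.Int, thisUpdate, nextUpdate time.Time) ([]byte, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(7), ThisUpdate: thisUpdate, NextUpdate: nextUpdate}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: s, RevocationTime: thisUpdate})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
}

// checkCRL: the list must be signed by the certificate's issuer and be current at now;
// only then is the certificate's serial number looked up in it.
func checkCRL(leaf, issuer *x509.Certificate, crlDER []byte, now time.Time) (string, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return "", err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return "", fmt.Errorf("CRL not signed by the certificate issuer: %w", err)
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return "", fmt.Errorf("CRL not current (thisUpdate %v, nextUpdate %v)", crl.ThisUpdate, crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return "revoked", nil
		}
	}
	return "good", nil
}

// revocationStatus applies the OCSP-first rule: a definitive OCSP answer is final and only
// "unknown" (or a failed query) falls back to the CRL. The OCSP answer is an input here.
func revocationStatus(ocspAnswer string, leaf, issuer *x509.Certificate, crlDER []byte, now time.Time) (string, error) {
	if ocspAnswer == "good" || ocspAnswer == "revoked" {
		return ocspAnswer, nil
	}
	return checkCRL(leaf, issuer, crlDER, now)
}

func main() {
	ca, caKey, leaf := buildDemoPKI()
	now := time.Now()
	crl, err := issueCRL(ca, caKey, []*big.Int{leaf.SerialNumber}, now.Add(-time.Hour), now.Add(24*time.Hour))
	if err != nil {
		panic(err)
	}
	fmt.Println("AIA OCSP:", leaf.OCSPServer, "CRLDP:", leaf.CRLDistributionPoints)
	fmt.Println(revocationStatus("unknown", leaf, ca, crl, now)) // revoked <nil>
}
```

The signature and freshness checks are the part worth copying: a CRL fetched over plain HTTP from the CRLDP URL is only trustworthy because the issuing CA signed it, and a stale list can silently hide a revocation, so both checks must pass before a "not listed" result is treated as good.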