SSL configuration

The User Certificate Authentication feature depends on the use of the Secure Sockets Layer (SSL) for authentication purposes. You can host your application only on HTTPS, unless a reverse proxy is being used.

For more information about how to configure SSL, see WebSphere Application Server and Liberty profile requirements.

The User Certificate Authentication feature requires integration with a public key infrastructure (PKI). For the embedded PKI option, you must provide a certificate authority (CA) that can be used to generate the client X.509 certificates.

Certificates and CAs

Client certificates that are issued to the user by the User Certificate Authentication feature can be signed by a custom CA or a well-trusted CA through your PKI. Server-side certificates can be signed by either type of CA.

If you encounter errors with certificates that are not signed by well-trusted CAs, see Configuring SSL by using untrusted certificates.
Restriction: Self-signed certificates are not supported.

For more information about how to use and create an intermediate CA to sign both the server and client certificates, see the tutorials on the Getting Started page.

Certificate chains, keystore, and truststore

You must set the server certificate as the MobileFirst Server keystore. Also, add the CA that signs the client certificates to the truststore so that the server can trust the client certificates. For more information about setting up the server with these certificates, see WebSphere Application Server and Liberty profile requirements.
Note: If you use intermediate custom CAs, ensure that you concatenate the server certificate with the certificate chain. When you create the server certificate, use the following order:
Server certificate -> intermediate(s) in order -> trust anchor
The following example works in Mac OS X and Linux, and concatenates the server certificate with one intermediate CA and the trust anchor (root CA):
cat server/server.crt signingca/signing_ca.crt rootca/root_ca.crt > server_chain.crt
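The following script is an added example and is not part of the MobileFirst documentation. It wraps the concatenation step above in a function that checks each input file before writing the chain: every file must exist, must contain exactly one PEM certificate (an already-bundled file would put certificates out of order), and must not carry a private key (a key accidentally left in server.crt would otherwise be copied into the chain file that is handed around). The file names match the command above; the function names (build_server_chain, check_cert_file, pem_cert_count, make_demo_inputs) and the placeholder PEM bodies are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the MobileFirst documentation.
# Builds server_chain.crt in the order the documentation requires:
#   server certificate -> intermediate(s) in order -> trust anchor
# Function names are assumptions for this example.

# Count PEM certificate blocks in a file (prints 0 when none are found).
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# Reject an input that is missing, holds no certificate, holds more than one
# (a pre-bundled file would scramble the order), or contains a private key.
check_cert_file() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f"; then
        echo "refusing $f: contains a private key" >&2
        return 1
    fi
    n=$(pem_cert_count "$f")
    [ "$n" -eq 1 ] || { echo "refusing $f: expected 1 certificate, found $n" >&2; return 1; }
}

# build_server_chain OUTPUT SERVER_CRT [INTERMEDIATE_CRT ...] ROOT_CRT
# Arguments are written in the order given: leaf first, trust anchor last.
build_server_chain() {
    out="$1"; shift
    [ $# -ge 2 ] || { echo "need at least the server certificate and the trust anchor" >&2; return 1; }
    for f in "$@"; do
        check_cert_file "$f" || return 1
    done
    cat "$@" > "$out" || return 1
    # The chain must contain exactly one certificate per input file.
    [ "$(pem_cert_count "$out")" -eq "$#" ]
}

# Constructed placeholder inputs so the script runs offline. The bodies are
# not real certificates; only the PEM markers matter for the checks above.
make_demo_inputs() {
    d="$1"
    mkdir -p "$d/server" "$d/signingca" "$d/rootca"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'SERVER-PLACEHOLDER' \
        '-----END CERTIFICATE-----' > "$d/server/server.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'SIGNING-CA-PLACEHOLDER' \
        '-----END CERTIFICATE-----' > "$d/signingca/signing_ca.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'ROOT-CA-PLACEHOLDER' \
        '-----END CERTIFICATE-----' > "$d/rootca/root_ca.crt"
    # A server file that wrongly bundles the private key with the certificate.
    cat "$d/server/server.crt" > "$d/server/server_with_key.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'KEY-PLACEHOLDER' \
        '-----END PRIVATE KEY-----' >> "$d/server/server_with_key.crt"
}

# Usage, with the paths from the documentation's cat command:
#   build_server_chain server_chain.crt server/server.crt \
#       signingca/signing_ca.crt rootca/root_ca.crt
```

The script only checks PEM structure and order of the inputs; it does not validate signatures. After building the chain, verify it against the trust anchor with your PKI tooling before loading it into the keystore.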