Configuring certificate authentication

You must configure the certificate settings to use this authentication method.

You can optionally configure the Certificate settings to notify an administrator by email when a user enrolls a certificate.

To configure the Certificate authentication method, complete the following steps:

  1. In the IBM® PowerSC MFA GUI, select the Authentication Methods tab.
  2. Click on the PIV/CAC or X.509 Certificate method.
  3. Use the following table to specify the certificate authentication method:
    Table 1. Certificate Authentication Method

    | Setting | Description |
    | --- | --- |
    | Initial Trace Level | The trace level used for tracing events within the AZFCERT1 plug-in. Valid values are 0 to 3; a higher number increases verbosity. The default value is 0. |
    | Require Exact Certificate | The possible settings are On and Off. By default, the client certificate must match the Subject DN and Issuer DN of the root CA certificate, and a hash is created. This parameter addresses the scenario where the user gets a new certificate and the hash no longer matches. If set to On, the user certificate must match the hash as well as the Subject DN and Issuer DN of the root CA certificate. |
    | SMTP Server Address | Enter the host name or IP address of the Simple Mail Transfer Protocol (SMTP) server for outbound email. |
    | SMTP Server Port | Enter the port number of the SMTP server. |
    | SMTP Login User Id | Enter the user ID you want to use to log in to the SMTP server. |
    | SMTP Login Password | Enter the password for the user ID you want to use to log in to the SMTP server. |
    | Recipient Email Address | Enter the email address to be notified when a user enrolls a certificate. |
    | Email Reply-to Address | Enter the email address used to send the email notification. |
  4. Optionally, enable OCSP validation, as described in Enabling OCSP validation.
  5. Click Save.
  6. Select Settings > Server Options.
  7. Set the Enable certificate services control.
  8. Restart the IBM PowerSC MFA daemon, as described in Restarting the IBM PowerSC MFA server.
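To make the Require Exact Certificate behaviour concrete, the following is an added Python model of the check described in Table 1; it is an illustration, not the AZFCERT1 plug-in's own code, and the DNs, the SHA-256 hash and the certificate bytes are constructed assumptions.

```python
import hashlib

# Constructed sample data (not real X.509 certificates): each certificate is
# modelled as its Subject DN, its Issuer DN and the encoded bytes it is hashed over.
TRUSTED_ISSUER = "CN=Example Root CA,O=Example Corp"


def fingerprint(der_bytes: bytes) -> str:
    """Hash of the encoded certificate, created at enrollment (SHA-256 assumed)."""
    return hashlib.sha256(der_bytes).hexdigest()


def enroll(subject_dn: str, issuer_dn: str, der_bytes: bytes) -> dict:
    """Record what the user enrolled: both DNs and the certificate hash."""
    return {"subject": subject_dn, "issuer": issuer_dn, "hash": fingerprint(der_bytes)}


def authenticate(record: dict, subject_dn: str, issuer_dn: str,
                 der_bytes: bytes, require_exact: bool) -> tuple:
    """Apply the documented check: the DNs must always match the enrolled record;
    with Require Exact Certificate on, the hash must match too, so a renewed
    certificate (same DNs, new bytes) is rejected until it is re-enrolled."""
    if issuer_dn != record["issuer"]:
        return False, "issuer DN does not match the enrolled root CA"
    if subject_dn != record["subject"]:
        return False, "subject DN does not match the enrolled user"
    if require_exact and fingerprint(der_bytes) != record["hash"]:
        return False, "certificate hash differs from the enrolled certificate"
    return True, "accepted"


# Constructed scenario: one enrollment, then a renewed certificate for the same user.
USER_DN = "CN=alice,OU=Users,O=Example Corp"
ORIGINAL = b"constructed-der-bytes-serial-1001"
RENEWED = b"constructed-der-bytes-serial-2002"
RECORD = enroll(USER_DN, TRUSTED_ISSUER, ORIGINAL)


def renewed_cert_outcomes() -> dict:
    """Result for the renewed certificate under each value of the setting."""
    return {
        "exact_off": authenticate(RECORD, USER_DN, TRUSTED_ISSUER, RENEWED, False)[0],
        "exact_on": authenticate(RECORD, USER_DN, TRUSTED_ISSUER, RENEWED, True)[0],
    }


if __name__ == "__main__":
    for mode, ok in renewed_cert_outcomes().items():
        print(f"Require Exact Certificate {mode}: {'accepted' if ok else 'rejected'}")
```

With the setting Off, a renewed certificate with the same Subject DN from the same issuer is accepted, so the user binding rests on the CA not issuing that DN to anyone else; with it On, every renewal must be re-enrolled before it can be used.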