Enrolling your certificate for Certificate Authentication

If your administrator has configured your account for Certificate Authentication as part of IBM® MFA Out-of-Band, you must enroll your certificate before you can use it to log on.

Before you begin

It is a Best Practice to clear your Windows system SSL state before enrolling your certificate. To do this, select Control Panel > Internet Options > Content > Clear SSL State.

In addition, from Control Panel > Internet Options > Content > Advanced, ensure that Use "SSL 2.0" and "Use SSL 3.0" are both unchecked.

About this task

You must enroll your certificate before you can use it to log on with Certificate Authentication. The process requires action by both the administrator and the user, and the actions must occur in the correct sequence. Perform these steps only as directed by your administrator.
Note: This procedure has been verified with Microsoft Internet Explorer and Google Chrome.

Procedure

  1. Clear your Windows system SSL state.
  2. When instructed to do so by your administrator, begin the Certificate Authentication logon process at the web server login page provided by the administrator, such as https://servername:port/AZFCERT1/enroll.
     Use your RACF userid to access the IBM MFA Out of Band login interface.
    
    User ID:
    Password:
    	
  3. On the Enrollment page, click on "Begin Certificate Enrollment."
                     AZFCERT1 Enrollment
               Ensure that you have a certificate available to enroll.
                              AZFCERT1
                   Begin Certificate Enrollment
  4. Select the certificate you want to use to log in and click OK. Your security administrator will typically provide guidance on which certificate to use.
    Note: If you are using Internet Explorer, be aware that the Windows Internet Options "Don't prompt for client certificate selection when only one certificate exists" setting can result in your not having to choose a certificate. The "Don't prompt for client certificate selection when only one certificate exists" setting is typically controlled by the system administrator.
    For PIV/CAC or other smart cards, you must then enter your valid PIN.
    Note: If you receive an error indicating that the server certificate is invalid, it is more likely that the certificate you chose is invalid.
  5. If successful, you receive a message indicating the certificate enrollment succeeded and to await further instruction from the administrator.
                AZFCERT1 Enrollment
        Ensure that you have a certificate available to enroll.
    
        AZFCERT1 -[Succeeded]
    Certificate enrollment succeeded. Your certificate is tagged for Review. 
    An administrator will notify you when it is Approved. Please close
    your browser window.
    The administrator will tell you when you can use the certificate to log on, as described in Logging in to an application with IBM MFA Out-of-Band.
  6. Close the browser window to end the session.