Creating the client truststore

The client truststore is a single file in the location of your choice that contains the IBM® MFA server certificate authority (CA) public certificate. You must create this truststore so that the client trusts the server.

About this task

The server CA public certificate must be in the Privacy Enhanced Mail (PEM) format.

Note: The process to obtain the server CA public certificate varies by vendor and application. This procedure assumes that you are using a public certificate authority. It is strongly recommended that you use a certificate issued by a well-known certificate authority. When ordering server certificates to use with IBM MFA, ensure that you specify Subject Alternate Names that cover all names that a user might enter in the browser to access the server.

Optional: Creating test root and server certificates describes the optional case of creating your own certificate authority (CA) root certificate if needed for testing purposes.

To create the truststore, complete the following steps on the IBM MFA server system:


  1. Obtain the server CA certificate.
  2. If the server CA certificate is not already in the PEM format, convert it. For example, if the certificate is currently in the Distinguished Encoding Rules (DER) format, you can use the following openssl x509 command to convert it.
    openssl x509 -in server_ca.cer -inform der -outform pem -out server_ca.pem
  3. Use the secure copy (scp) command to copy the resulting file to the location of your choice on the IBM MFA client system.
  4. This PEM file is the truststore. You must specify its location when you edit the IBM MFA PAM module as described in Editing the IBM MFA PAM modules.
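Steps 1 to 4 as a script, added here as an example and not part of the IBM documentation: it converts the CA certificate to PEM whether it arrives as DER or PEM, checks that the file is a CA certificate and not the server's own certificate, and prints a SHA-256 fingerprint to compare on the client after the scp copy. The function names and the generated test certificate are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not IBM's code. Function names are hypothetical.

# to_pem IN OUT: write the certificate in IN to OUT as PEM (IN may be PEM or DER).
to_pem() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then fmt=pem; else fmt=der; fi
    openssl x509 -in "$1" -inform "$fmt" -outform pem -out "$2"
}

# is_ca PEM: succeed only if the certificate asserts basicConstraints CA:TRUE,
# that is, it is the issuing CA and not the server's own (leaf) certificate.
is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# fingerprint PEM: print the SHA-256 fingerprint as colon-separated hex.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# make_sample_der OUT [TRUE|FALSE]: constructed self-signed test certificate in
# DER form, standing in for the file a real CA would supply. Test data only.
make_sample_der() {
    d=$(mktemp -d)
    printf '[req]\ndistinguished_name=dn\nx509_extensions=v3\nprompt=no\n' > "$d/cnf"
    printf '[dn]\nCN=Constructed Test Cert\n' >> "$d/cnf"
    printf '[v3]\nbasicConstraints=critical,CA:%s\n' "${2:-TRUE}" >> "$d/cnf"
    openssl req -x509 -config "$d/cnf" -newkey rsa:2048 -nodes -keyout "$d/key" \
        -days 1 -outform der -out "$1" 2>/dev/null
    rm -rf "$d"
}

# Demo: server_ca.cer here is the constructed sample, not a real CA certificate.
work=$(mktemp -d)
make_sample_der "$work/server_ca.cer"
if to_pem "$work/server_ca.cer" "$work/server_ca.pem" && is_ca "$work/server_ca.pem"; then
    echo "truststore ready, SHA-256: $(fingerprint "$work/server_ca.pem")"
else
    echo "server_ca.cer is not a usable CA certificate" >&2
fi
rm -rf "$work"
```

Running `fingerprint` on the copied file on the IBM MFA client system and comparing it with the value printed on the server confirms that the truststore arrived unchanged.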