Configuring Certificate Based Authentication

This section provides instructions on how to configure Certificate Based Authentication in OpenIAM in simple steps.

  1. Create Certificate Authority (CA) to create and sign Certificates, that will be used in authentication This can be done using Linux command prompt and commands as follows:
openssl genrsa -out ca.key 2048
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
echo -n "00" >

Enter CA password (not less than 4 symbols) and CA info. For example:

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:NY
Locality Name (eg, city) []:NewYork
Organization Name (e.g., company) [Internet Widgits Pty Ltd]:OpenIAM
Organizational Unit Name (e.g., section) []:development
Common Name (e.g. server FQDN or YOUR name) []:*
Email Address []

ca.key is a private key and should be stored in safe place. It will be used to sign client's certificates. ca.crt is a certificate that should be installed in Apache and in client browser. is a file that store current serial that should be increased every time new client certificate is signed.

  1. Create client certificate

2.1 Create sign request (CSR):

openssl genrsa -out user1.key 2048
openssl req -new -key user1.key -out user1.csr

You will be prompted for key password and Certificate info. For example:

Country Name (2-digit code) [AU]:US
State or Province Name (full name) [Some-State]:NY
Locality Name (e.g. city) []:NewYork
Organization Name (e.g. company) [Internet Widgits Pty Ltd]:OpenIAM
Organizational Unit Name (e.g. section) []:development
Common Name (e.g. server FQDN or YOUR name) []:user1
Email Address []

2.2 Sign CSR using CA.

openssl x509 -req -days 365 -in user1.csr -CA ca.crt -CAkey ca.key -CAserial -out user1.crt

2.3 Using PEM certificate in curl or from applications

To use PEM certificate in curl or from applications, you need to create PEM certificate that will contain both certificate and key. To use it without user interaction, you also need to clear PEM password in a key.

To remove PEM passphrase from key, if it exists, and to combine user1.crt with key without passphrase, use the following.

openssl rsa -in user1.key -out user1.no_pass.key
cat user1.crt > user1.pem
cat user1.no_pass.key >> user1.pem

Now it is possible to usr user1.pem in curl requests (in --cert parameter):

curl -k —cert user1.pem
  1. Convert client certificate to pksc12 format that can be used for import into browser. This only needed if you want to use client certificate from browser.
openssl pkcs12 -export -clcerts -in user1.crt -inkey user1.key -out user1.p12

You will be prompted for Export Password:

Enter Export Password:
Verifying - Enter Export Password:

Generate and use your new Export Password here. You will need it to add your .p12 certificate into browser.

The user1.p12 and ca.crt files need to be copied to client's computer and installed in browser. User also will need Export Password to add user1.p12 into browser.

  1. Configure Apache This step is only needed if you want to use client certificate from browser.

https should be already configured on Apache. To configure using client certificates in it, follow the next steps.

4.1 Configure CA bundle on linux box with apache installed

Do not overwrite /etc/pki/tls/certs/ca-bundle.crt!

Create backup and use >> to append data instead of overwrite.

openssl x509 -in ca.crt -text >> /etc/pki/tls/certs/ca-bundle.crt

4.2 Add or check that this line is already added in Apache ssl configs:

SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

4.3 Add this configs in virtual host config. It'll inform client's browser to send client certificate in requests:

SSLVerifyClient optional

Note that Apache should be configured to use https to be able to send client's certificate to server. Otherwise, http will not work.

4.4 Restart Apache

service httpd restart

  1. Configure Authentication Provider

Navigate to the the current Authentication Provider, and enable Certificate Based Authentication, as shown in figures below.

Auth Provider Configuring

Default Auth Ptovider

Now, there exist two options:

  • Add a Regular Expression to the Certificate. This will assume that the matching group in the Regex is the principal. The Regular Expression in the example is: CN=(.*?); or
  • Define a Custom Groovy Script, which will have custom logic to parse the Certificate to get the principal.

Supporting certificate auth

5.1 Optional step: Configure CA Validation script

The ExampleDefaultCACertCheck.groovy is:

import org.openiam.exception.BasicDataServiceException;
import org.openiam.idm.srvc.auth.dto.Login;
import org.apache.commons.lang.StringUtils;
import; import java.nio.file.Files;
class ExampleCACertCheck extends DefaultCACertCheck {
public ExampleCACertCheck() { super(); }
public Boolean resolve() throws BasicDataServiceException {
try {
} catch (Exception ex) {
throw new BasicDataServiceException(ResponseCode.CERT_CLIENT_INVALID, ex.getMessage());
if (caCert != null) {
try {
} catch (Exception ex) {
throw new BasicDataServiceException(ResponseCode.CERT_CA_INVALID, ex.getMessage());
try {
} catch (Exception ex) {
throw new BasicDataServiceException(ResponseCode.CERT_INVALID_VERIFY_WITH_CA, ex.getMessage()); }
} else {
throw new BasicDataServiceException(ResponseCode.CERT_CA_INVALID, ex.getMessage()); } return true; }
  1. Configure Content Provider

You can do so in the Content Provider Screen. Navigate to Authentication Levels and add 'Certificate Authentication' as shown below.

Content provider Add Auth level

If you see warning pop up about modifying default settings, as shown below, click 'Yes':


Add 'Certificate Authentication' using steps, described below:

Add CertAuth Save CertAuth

Enabling Certificate Based Authentication for a Specific URI pattern can be done in the URI Pattern screen.

  1. Configure client's browser

User will need to copy user1.p12 and ca.crt files on local computer and install them in browser: browser will check user1.p12 using ca.crt before send it in request. This is why you need to install both.

7.1 Installing ca.crt into browser

Go to certificates config:

Certificates Config Authorities

and import ca.crt in Authorities, as follows.


7.2 Install user1.p12 into 'Your Certificates'

YourCertificates SelectUser1

You will also need Export Password that you used when creating a .p12 file.


After, check that user certificate was added, as follows.


7.3 Finishing steps

Now restart browser and then hit an url with configured 'Certificate Authentication' and then client certificate will be send to server.

Click 'OK' and you will see this dialog to send your certificate to server.