A station admin user performs this procedure to configure
a new user account to use the ClientCertAuthScheme, and assign the
user’s certificate with its public key to the user’s ClientCertAuthenticator.
This chapter provides a separate workflow for the user.
It describes how to create a client certificate, export it with its
public key, then with its private key, and install the certificate in a browser.
- In the Workbench Nav tree, expand the station’s node.
- Open the clientCertAuth palette and
drag the ClientCertAuthScheme to the AuthenticationSchemes folder.
- Expand the AuthenticationSchemes and double-click the ClientCertAuthScheme to open the Property Sheet view, and edit the
default Login Button Text as needed.

This login button is added to the login window for a browser
station connection (in addition to any SSO login buttons for other
configured SSO schemes).
- To create a new user, double-click UserService, and in the User Manager click New.
- To accept default entries for Type to add and Number to add, click OK in the configuration popup window.
- In the second configuration window, enter user details
(include a password, otherwise you will be prompted to enter one),
click the Authentication Scheme Name drop-down
list, select the ClientCertAuthScheme, and click OK.
At this point, you may see the following messages. If
so, disregard the messages, click OK to close
each popup window, and continue with the next step.

The new user is added in the User Manager view.
- Double-click the new user to open a Property
Sheet view, and click to expand Authenticator.
- Under Certificate, click Choose File to open a File Chooser window, browse to
locate and select the user-provided public certificate (*.pem) file and click OK.
A notice appears alerting you that the user’s certificate
change will prevent them from connecting until the
FoxService and WebService are restarted.

- Click Save.
The Save action triggers a timer
to restart the Fox and Web services in two minutes. You can also restart
the services manually. The restart is necessary for your changes to
take effect.
After this configuration is successfully completed, when the
user attempts to log in to the station via a browser, the browser
first prompts the user to select the private certificate to use to
authenticate to the station. Next, the browser displays the station
pre-login window where the user clicks the Login With ClientCertAuth button and immediately authenticates to the station. There is no
need to enter username and password credentials. For more details,
refer to the procedure “Logging in via browser using client certificate
authentication”.
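
Because the user workflow exports the certificate both with its public key and with its private key, it is worth confirming that the user-provided *.pem file selected under Certificate holds a single certificate and no private key. The following is an added example, not part of the product or its documentation; the function name `inspect_pem` and the sample inputs are constructed for illustration, and the check is structural only (it does not parse X.509 fields or validate a chain).

```python
import base64
import hashlib
import re

# Matches any PEM block and captures its label and base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def inspect_pem(text):
    """Classify PEM blocks in text; return (ok, problems, fingerprints)."""
    problems, fingerprints = [], []
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        problems.append("no PEM blocks found")
    for label, body in blocks:
        if "PRIVATE KEY" in label:
            # Covers PRIVATE KEY, RSA/EC PRIVATE KEY and ENCRYPTED PRIVATE KEY.
            problems.append(f"contains a {label} block; do not upload")
            continue
        if label != "CERTIFICATE":
            problems.append(f"unexpected block type: {label}")
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append("certificate body is not valid base64")
            continue
        if not der or der[0] != 0x30:  # a DER certificate starts with SEQUENCE
            problems.append("certificate body is not a DER SEQUENCE")
            continue
        # SHA-256 over the DER bytes is the usual certificate fingerprint.
        fingerprints.append(hashlib.sha256(der).hexdigest())
    if len(fingerprints) > 1:
        problems.append("more than one certificate in file")
    return (not problems, problems, fingerprints)


# Constructed sample input: a stand-in DER SEQUENCE, not a real certificate.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
CERT_ONLY = f"-----BEGIN CERTIFICATE-----\n{SAMPLE_B64}\n-----END CERTIFICATE-----\n"
WITH_KEY = CERT_ONLY + (
    f"-----BEGIN PRIVATE KEY-----\n{SAMPLE_B64}\n-----END PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for name, sample in (("cert only", CERT_ONLY), ("cert + key", WITH_KEY)):
        print(name, inspect_pem(sample))
```

The returned fingerprint can be compared with the value the user reads from their own copy of the certificate before the file is assigned to the ClientCertAuthenticator.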