CA Configuration (clientCertAuth-CAConfiguration)

This component describes which CA should have signed the client certificates, to which rules the client certificate must conform (for example, required extension or key size), and how to find the username in the client certificate.

Name: CA Cert and CRL
Value: text
Description: Specifies the CA that must have signed the client certificates. It can also be configured to use Certificate Revocation Lists (CRLs) so that revoked certificates are rejected at login (see the "driver-CaCertAndCrl" component).

Name: Username Extractor Type Selection
Value: drop-down menu
Description: Determines how to find the username in the client certificate. The following options are available:
  • UsernameExtractorCNFromDirectoryNameSan: Looks for the username in the Common Name (CN) of a Directory Name (DN) Subject Alternative Name (SAN).
  • UsernameExtractorCNFromSubjectDN: Looks for the username in the Common Name (CN) of the client certificate's Subject DN.
  • UsernameExtractorEmailAddressSan: Looks for the username in an email-format Subject Alternative Name extension. The entire email address (name@domain.com) is used.
  • UsernameExtractorEmailUserSan: Looks for the username in an email-format Subject Alternative Name extension. Only the user portion of the email address is used (for example, if the email address is name@domain.com, "name" is used as the username).
  • UsernameExtractorUPNSan: Looks for the username in a UPN-format Subject Alternative Name extension.

Name: Validation Rules
Value: drop-down menu
Description: Contains the validation rules that the client certificate must conform to. By default, the Validation Rules folder from the clientCertAuth palette contains an Extended Key Usage Validation Rule, which you can remove or replace by adding others. The following validation rules are supported:
  • Extended Key Usage Validation Rule: If configured, the client certificate must contain the specified Extended Key Usage extensions. Smart Card and TLS Web Client are common options and are available as Boolean properties, but custom extension OIDs can also be added. Multiple OIDs can be specified, separated by semicolons.
  • Key Size Validation Rule: If configured, the key size of the client certificate must be at least as large as ("minimum" setting) or exactly equal to ("exact" setting) the specified key size.
  • Key Algorithm Validation Rule: If configured, the key algorithm must be one of the algorithms specified in the semicolon-separated list.
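The three validation rules above, as an added Go example that is not part of this documentation or of the product it describes: a Rules value holds the configured Extended Key Usages, key size (minimum or exact) and algorithm list, Validate applies them to a parsed certificate, and NewTestCert constructs a self-signed RSA certificate as sample input. The names Rules, Validate and NewTestCert are assumptions made for this example, and its key size check covers RSA keys only.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"errors"
	"math/big"
	"strings"
	"time"
)

// Rules mirrors the page's validation rules: required Extended Key Usages, a key size in bits ("minimum" by
// default, "exact" when Exact is set) and a semicolon-separated algorithm list such as "RSA;ECDSA" (case-insensitive).
type Rules struct {
	EKU        []x509.ExtKeyUsage
	KeyBits    int
	Exact      bool
	Algorithms string
}

// Validate applies every configured rule to a parsed client certificate; a zero-value field disables that rule.
func Validate(c *x509.Certificate, r Rules) error {
	for _, want := range r.EKU {
		found := false
		for _, have := range c.ExtKeyUsage {
			found = found || have == want
		}
		if !found {
			return errors.New("missing required Extended Key Usage")
		}
	}
	pub, isRSA := c.PublicKey.(*rsa.PublicKey) // this example measures RSA keys only
	if r.KeyBits > 0 && (!isRSA || (r.Exact && pub.N.BitLen() != r.KeyBits) || pub.N.BitLen() < r.KeyBits) {
		return errors.New("key size rule not satisfied")
	}
	if r.Algorithms != "" && !strings.Contains(";"+strings.ToUpper(r.Algorithms)+";", ";"+strings.ToUpper(c.PublicKeyAlgorithm.String())+";") {
		return errors.New("key algorithm not in allow list")
	}
	return nil
}

// NewTestCert builds a constructed, self-signed RSA certificate as demo input (not a CA-issued client cert).
func NewTestCert(bits int, eku ...x509.ExtKeyUsage) *x509.Certificate {
	key, _ := rsa.GenerateKey(rand.Reader, bits)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), ExtKeyUsage: eku}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
```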