---
title: Configuring an adapter instance
description: Configure the X.509 Certificate IdP Adapter to determine how PingFederate handles X.509 certificates.
component: x509
page_id: x509:x509_certificate_integration_kit:pf_x509_certificate_ik_configuring_an_adapter_instance
canonical_url: https://docs.pingidentity.com/integrations/x509/x509_certificate_integration_kit/pf_x509_certificate_ik_configuring_an_adapter_instance.html
revdate: June 17, 2024
section_ids:
  steps: Steps
---

# Configuring an adapter instance

Configure the X.509 Certificate IdP Adapter to determine how PingFederate handles X.509 certificates.

## Steps

1. Sign on to the PingFederate administrative console.

2. On the **Identity Provider > Manage IdP Adapter Instances** page, click **Create New Instance**.

3. On the **Type** page, set the basic adapter instance attributes.

   1. In the **Instance Name** field, enter a name for the adapter instance.

   2. In the **Instance ID** field, enter a unique identifier for the adapter instance.

   3. In the **Type** list, select **X.509 Certificate IdP Adapter**. Click **Next**.

4. (Optional) On the **IdP Adapter** page, in the **Constrain Acceptable Root Issuers** section, specify the certificate authority (CA) that you want to use to validate end-user X.509 certificates.

   Client certificates are always validated against all trusted CAs in PingFederate and the Java Virtual Machine (JVM). This section only restricts which issuers are used to validate end-user certificates.

   1. Click **Add a new row to Constrain Acceptable Root Issuers**.

   2. In the **Issuer DN** field, enter the subject distinguished name (DN) of an issuer listed on the **Trusted CAs** page in PingFederate.

      Learn more about [Manage trusted certificate authorities](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/help_certmanagementtasklet_trustedcas_certmanagementstate.html) in the PingFederate documentation.

   3. In the **Action** column, click **Update**.

   4. To add more acceptable issuers, repeat the preceding substeps.

5. On the **IdP Adapter** screen, configure the adapter instance by referring to [X.509 Certificate IdP Adapter settings reference](pf_x509_certificate_ik_x509_certificate_idp_adapter_settings_reference.html). Click **Next**.

6. On the **Extended Contract** screen, add any attributes that you want to include in the extended contract. Enter attributes in uppercase. Only attributes specified in [RFC 2253](https://www.ietf.org/rfc/rfc2253.html#section-2.3) are allowed: `CN`, `L`, `ST`, `O`, `OU`, `C`, `STREET`, `DC`, and `UID`.

   You can include subject DN components in this list. If you selected **Parse Client Cert Subject and Issuer DNs** on the **IdP Adapter** page, you can also include the subject DN `email` component and issuer DN components. For issuer DN components, prefix the attribute with `issuer_`, such as `issuer_CN`.

7. Complete the adapter configuration.

8. On the **Summary** page, verify that the configuration is correct. Click **Done**.

9. On the **Manage IdP Adapter Instances** page, click **Save**.

10. If you configured the **Client Auth Hostname** field, in `<pf_install>/pingfederate/server/default/data/config-store/session-cookie-config.xml`, add your domain with a preceding period to the `<c:item name="cookie-domain"></c:item>` element, such as `<c:item name="cookie-domain">.example.com</c:item>`.
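
To preview which names a certificate could supply for the extended contract in step 6, the following added example (not PingFederate code) parses RFC 2253 subject and issuer DN strings and maps their components to the `CN` / `issuer_CN` naming. The function names and sample DNs are constructed for illustration, collecting repeated components into lists is an assumption rather than documented adapter behavior, and the `email` component is not covered.

```python
import string

# Attribute types step 6 allows in the extended contract.
ALLOWED = {"CN", "L", "ST", "O", "OU", "C", "STREET", "DC", "UID"}


def split_unescaped(text, sep):
    """Split on sep, skipping separators escaped with a backslash."""
    parts, buf, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])      # keep the pair for unescape()
            i += 2
        elif text[i] == sep:
            parts.append("".join(buf))
            buf, i = [], i + 1
        else:
            buf.append(text[i])
            i += 1
    return parts + ["".join(buf)]


def unescape(raw):
    """Decode RFC 2253 escapes: backslash + special char, or backslash + hex pair."""
    out, i = bytearray(), 0
    while i < len(raw):
        pair = raw[i + 1:i + 3]
        if raw[i] == "\\" and len(pair) == 2 and all(c in string.hexdigits for c in pair):
            out.append(int(pair, 16))
            i += 3
        elif raw[i] == "\\" and pair:
            out += pair[0].encode()
            i += 2
        else:
            out += raw[i].encode()
            i += 1
    return out.decode("utf-8", "replace")


def contract_attributes(subject_dn, issuer_dn):
    """Return {contract name: [values]}; issuer components get the issuer_ prefix."""
    found = {}
    for prefix, dn in (("", subject_dn), ("issuer_", issuer_dn)):
        for rdn in split_unescaped(dn, ","):
            for ava in split_unescaped(rdn, "+"):   # multi-valued RDN
                key, _, raw = ava.partition("=")
                name = key.strip().upper()
                if name in ALLOWED:                 # other types are not permitted
                    found.setdefault(prefix + name, []).append(unescape(raw))
    return found


# Constructed sample DNs, not taken from any real certificate.
SUBJECT = r"CN=Doe\, Jane,OU=Engineering+UID=jdoe,O=Example Corp,C=US,SERIALNUMBER=42"
ISSUER = r"CN=Example Issuing CA,O=Example Corp,DC=example,DC=com"
```

A plain `split(",")` would break `CN=Doe\, Jane` in two, so check how escaped values parse before relying on a DN component in attribute mapping.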
