---
title: Sample OGNL expressions
description: The X.509 Certificate Integration Kit allows you to use Object Graph Navigation Library (OGNL) expressions to map attributes from X.509 certificates.
component: x509
page_id: x509:x509_certificate_integration_kit:pf_x509_certificate_ik_sample_ognl_expressions
canonical_url: https://docs.pingidentity.com/integrations/x509/x509_certificate_integration_kit/pf_x509_certificate_ik_sample_ognl_expressions.html
revdate: June 17, 2024
---

# Sample OGNL expressions

The X.509 Certificate Integration Kit allows you to use Object Graph Navigation Library (OGNL) expressions to map attributes from X.509 certificates.

Client certificates are available as `java.security.cert.X509Certificate` objects. This allows you to map certificate attributes by using methods that are defined in the Java Platform, Standard Edition API Specification. You can find a full list of available methods in [the J2SE online javadoc](https://docs.oracle.com/javase/8/docs/api/).

To get the first client certificate in the chain as an `X509Certificate` object, you must use the `ClientCertificateChain` keyword within the OGNL expression. For example:

```javascript
#this.get("ClientCertificateChain").getObjectValue()
```

To get the entire client certificate chain as an iterable collection of `X509Certificate` objects, use the `getAllObjectValues()` method in the OGNL expression. For example:

```javascript
#this.get("ClientCertificateChain").getAllObjectValues()
```

The following table lists example OGNL expressions you can use to map certificate attributes during the setup or deployment of the X.509 Certificate Adapter. Learn more about using OGNL for attribute mapping in [Attribute mapping expressions](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_attribute_mapping_expressions.html) in the PingFederate documentation.

| OGNL Expression | Description |
| --- | --- |
| `#x509Cert = #this.get("ClientCertificateChain").getObjectValue(), #hexEncoded = new String(@org.apache.commons.codec.binary.Hex@encodeHex(#x509Cert.getSignature()))` | Returns a hex-encoded signature from the X.509 client certificate. |
| `#x509Cert = #this.get("ClientCertificateChain").getObjectValue(), #hexEncoded = new String(@org.apache.commons.codec.binary.Hex@encodeHex(#x509Cert.getExtensionValue("2.16.840.1.113730.1.13")))` | Extracts the comment certificate extension (Object Identifier (OID) 2.16.840.1.113730.1.13) from the X.509 client certificate, which is then hex encoded. Other certificate extensions can be extracted by using the correct OID for the extension. |
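
The value hex encoded by the second expression is what `X509Certificate.getExtensionValue()` returns, which per the Java API is the DER-encoded OCTET STRING wrapping the extension value, not the bare comment text. The following Python is an added example, not part of the Integration Kit or Ping Identity's code, showing how a consumer of the mapped attribute could strictly unwrap it. The function names and the sample hex value are constructed for illustration, and it assumes the comment is encoded as an IA5String.

```python
# Added example: decode the hex attribute produced by the
# getExtensionValue("2.16.840.1.113730.1.13") mapping expression.

OCTET_STRING = 0x04   # outer wrapper returned by getExtensionValue()
IA5_STRING = 0x16     # assumed inner type of the comment extension


def read_tlv(data, offset=0):
    """Return (tag, value, next_offset) for one DER TLV starting at offset."""
    if offset + 2 > len(data):
        raise ValueError("truncated DER header")
    tag, first = data[offset], data[offset + 1]
    offset += 2
    if first < 0x80:                       # short-form length
        length = first
    else:                                  # long-form length
        n = first & 0x7F
        if n == 0 or n > 4 or offset + n > len(data):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(data[offset:offset + n], "big")
        offset += n
    end = offset + length
    if end > len(data):
        raise ValueError("DER value runs past end of input")
    return tag, data[offset:end], end


def unwrap_extension(hex_value):
    """Strip the OCTET STRING wrapper; works for any extension OID."""
    raw = bytes.fromhex(hex_value)         # ValueError on non-hex input
    tag, inner, end = read_tlv(raw)
    if tag != OCTET_STRING or end != len(raw):
        raise ValueError("expected exactly one DER OCTET STRING")
    return inner


def netscape_comment(hex_value):
    """Return the comment text carried in the mapped attribute."""
    inner = unwrap_extension(hex_value)
    tag, value, end = read_tlv(inner)
    if tag != IA5_STRING or end != len(inner):
        raise ValueError("expected exactly one IA5String")
    return value.decode("ascii")           # rejects non-ASCII bytes


# Constructed sample: OCTET STRING { IA5String "test cert" }
SAMPLE_HEX = "040b1609746573742063657274"

if __name__ == "__main__":
    print(netscape_comment(SAMPLE_HEX))
```

For extensions other than the comment, `unwrap_extension()` still applies, but the inner bytes must be parsed according to that extension's own ASN.1 definition.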
