---
title: Configuring virtual host trusted certificate groups
description: Configure a virtual host trusted certificate group that can implement client certificate authentication.
component: pingaccess
version: 9.0
page_id: pingaccess:pingaccess_user_interface_reference_guide:pa_configuring_virtual_host_trusted_certificate_groups
canonical_url: https://docs.pingidentity.com/pingaccess/9.0/pingaccess_user_interface_reference_guide/pa_configuring_virtual_host_trusted_certificate_groups.html
revdate: February 13, 2023
section_ids:
  about-this-task: About this task
  steps: Steps
  choose-from: Choose from:
---

# Configuring virtual host trusted certificate groups

Configure a virtual host trusted certificate group that can implement client certificate authentication.

## About this task

Assigning a trusted certificate group to a virtual host provides a mechanism to authenticate using client certificates during any request to sites using the specified virtual host.

Trusted certificate groups are applied at the host name level and are independent of the configured port. This means that a mapping to a virtual host of `*.example.com` will apply to requests received on virtual hosts `*.example.com:3000` and `*.example.com:443`.
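
The following added example (not PingAccess code or part of the original guide) models that host-name-level scope over a virtual host inventory, so you can see which ports pick up client certificate authentication they were not explicitly given. The inventory layout, the `Partner CAs` group name, and the function names are assumptions made for illustration.

```python
# Added example: models the host-name-level scope described above.
# The inventory layout and the "Partner CAs" group are constructed for illustration.
NO_AUTH = "No Certificate Authentication"
TRUST_ANY = "Trust Any"

# Constructed inventory of virtual hosts as (host, port) pairs.
VIRTUAL_HOSTS = [
    ("*.example.com", 443),
    ("*.example.com", 3000),
    ("api.example.org", 443),
    ("api.example.org", 8443),
    ("static.example.net", 443),
]

# The virtual host on which an administrator made each assignment.
ASSIGNMENTS = {
    ("*.example.com", 443): "Partner CAs",
    ("api.example.org", 8443): TRUST_ANY,
}


def effective_groups(virtual_hosts, assignments):
    """Return {(host, port): group}, ignoring the port of each assignment."""
    by_host = {}
    for (host, _port), group in assignments.items():
        if by_host.setdefault(host, group) != group:
            raise ValueError(f"two different groups recorded for host {host!r}")
    return {(h, p): by_host.get(h, NO_AUTH) for h, p in virtual_hosts}


def review(virtual_hosts, assignments):
    """Return (inherited, trust_any) lists of (host, port) to double-check."""
    eff = effective_groups(virtual_hosts, assignments)
    inherited = sorted(vh for vh, g in eff.items()
                       if g != NO_AUTH and vh not in assignments)
    trust_any = sorted(vh for vh, g in eff.items() if g == TRUST_ANY)
    return inherited, trust_any


if __name__ == "__main__":
    inherited, trust_any = review(VIRTUAL_HOSTS, ASSIGNMENTS)
    for host, port in inherited:
        print(f"{host}:{port} also requires client certificates (same host name)")
    for host, port in trust_any:
        print(f"{host}:{port} uses {TRUST_ANY}: log client certificates in the audit log")
```
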

## Steps

1. Click **Applications**, then go to **Applications > Virtual Hosts**.

2. Click to expand the virtual host you want to modify.

3. Click the **Pencil** icon.

   Virtual hosts that have certificate authentication configured display the message **Client Certificate Authentication** in the associated bar.

4. In the **Client Certificate Authentication** field, click the **Pencil** icon.

5. From the **Trusted Certificate Group** list, select the appropriate certificate group.

   You can select an existing trusted certificate group, or use one of the following options.

   ### Choose from:

   * **No Certificate Authentication** – Does not require certificate authentication.

   * **Java Trust Store** – Uses the Java Trust Store for certificate authentication.

   * **Trust Any** – Allows client authentication with any certificate including self-signed certificates.

     If you use the **Trust Any** method in production, you should log client certificates in the audit log.

6. To save the trusted certificate group settings, click **Save**.

7. To confirm your changes, click **Save**.

8. Add the following two [Groovy script rules](pa_adding_groovy_script_rules.html) to force validation of the server name indication (SNI) and client certificate chain.

   `Validate SNI`

   ```
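   // Groovy truth treats both null and an empty list as false, so a missing
   // SslData object or a missing SNI list fails the rule instead of passing it.
   if(exc?.getSslData()?.getSniServerNames())
   {
     pass();
   }
   else
   {
     fail();
   }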
   ```

   `Validate client certificate chain`

   ```
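   // Groovy truth treats both null and an empty list as false, so a missing
   // SslData object or a missing certificate chain fails the rule instead of passing it.
   if(exc?.getSslData()?.getClientCertificateChain())
   {
     pass();
   }
   else
   {
     fail();
   }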
   ```

9. [Apply these rules](pa_applying_rules_to_apps_and_resources.html) to applications that use this virtual host.
