---
title: Certificate mapping
description: The PingDirectory server uses a component called a certificate mapper to identify the user entry that corresponds to a given certificate, such as in the course of processing a bind using the EXTERNAL or UNBOUNDID-CERTIFICATE-PLUS-PASSWORD SASL mechanism.
component: pingdirectory
version: 11.0
page_id: pingdirectory:pingdirectory_security_guide:pd_sec_certificate_mapping
canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/pingdirectory_security_guide/pd_sec_certificate_mapping.html
revdate: September 13, 2023
---

# Certificate mapping

The PingDirectory server uses a component called a certificate mapper to identify the user entry that corresponds to a given certificate, such as in the course of processing a bind using the EXTERNAL or UNBOUNDID-CERTIFICATE-PLUS-PASSWORD SASL mechanism.

The types of certificate mappers that it offers by default include:

* Subject Equals DN

  This certificate mapper expects the subject DN of the certificate to match the distinguished name (DN) of the corresponding user entry.

* Subject Attribute to User Attribute

  This certificate mapper extracts the values of a specified set of attributes from the certificate subject and search for an entry containing those values in a corresponding set of attributes. The default instance of this certificate mapper tries to map the CN attribute from the certificate's subject to the `cn` attribute in the user's entry, or the `E` attribute in the certificate's subject to the mail attribute in the user's entry.

* Subject DN to User Attribute

  This certificate mapper expects the user's entry to contain a specified attribute whose value matches the subject DN of the presented certificate.

* Fingerprint

  This certificate mapper expects the user's entry to contain a specified attribute whose value matches the SHA-256, SHA-1, or MD5 fingerprint of the presented certificate.

You can also use the UnboundID Server SDK to create custom certificate mapper implementations.