---
title: Certificate mapping
description: The PingDirectory server uses a component called a certificate mapper to identify the user entry that corresponds to a given certificate, such as in the course of processing a bind using the EXTERNAL or UNBOUNDID-CERTIFICATE-PLUS-PASSWORD SASL mechanism.
component: pingdirectory
version: 11.1
page_id: pingdirectory:pingdirectory_security_guide:pd_sec_certificate_mapping
canonical_url: https://docs.pingidentity.com/pingdirectory/11.1/pingdirectory_security_guide/pd_sec_certificate_mapping.html
llms_txt: https://docs.pingidentity.com/pingdirectory/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: September 13, 2023
---

# Certificate mapping

The PingDirectory server uses a component called a certificate mapper to identify the user entry that corresponds to a given certificate, such as in the course of processing a bind using the EXTERNAL or UNBOUNDID-CERTIFICATE-PLUS-PASSWORD SASL mechanism.

The types of certificate mappers that it offers by default include:

* Subject Equals DN

  This certificate mapper expects the subject DN of the certificate to match the distinguished name (DN) of the corresponding user entry.

* Subject Attribute to User Attribute

  This certificate mapper extracts the values of a specified set of attributes from the certificate subject and search for an entry containing those values in a corresponding set of attributes. The default instance of this certificate mapper tries to map the CN attribute from the certificate's subject to the `cn` attribute in the user's entry, or the `E` attribute in the certificate's subject to the mail attribute in the user's entry.

* Subject DN to User Attribute

  This certificate mapper expects the user's entry to contain a specified attribute whose value matches the subject DN of the presented certificate.

* Fingerprint

  This certificate mapper expects the user's entry to contain a specified attribute whose value matches the SHA-256, SHA-1, or MD5 fingerprint of the presented certificate.

You can also use the UnboundID Server SDK to create custom certificate mapper implementations.
