--- title: Fingerprint Certificate Mapper description: The Fingerprint Certificate Mapper maps client certificates to user entries by looking for the fingerprint in a specified attribute of user entries. component: pingds version: 8.1 page_id: pingds:configref:objects-fingerprint-certificate-mapper canonical_url: https://docs.pingidentity.com/pingds/8.1/configref/objects-fingerprint-certificate-mapper.html section_ids: parent: Parent fingerprint_certificate_mapper_properties: Fingerprint Certificate Mapper properties basic_properties: Basic properties enabled: enabled fingerprint-algorithm: fingerprint-algorithm fingerprint-attribute: fingerprint-attribute issuer-attribute: issuer-attribute user-base-dn: user-base-dn advanced_properties: Advanced properties java-class: java-class --- # Fingerprint Certificate Mapper The Fingerprint Certificate Mapper maps client certificates to user entries by looking for the fingerprint in a specified attribute of user entries. ## Parent The Fingerprint Certificate Mapper object inherits from [Certificate Mapper](objects-certificate-mapper.html). ## Fingerprint Certificate Mapper properties You can use configuration expressions to set property values at startup time. For details, see [Property value substitution](expressions.html). | Basic Properties | Advanced Properties | | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------- | | [enabled](#enabled) [fingerprint-algorithm](#fingerprint-algorithm) [fingerprint-attribute](#fingerprint-attribute) [issuer-attribute](#issuer-attribute) [user-base-dn](#user-base-dn) | [java-class](#java-class) | ### Basic properties Use the `--advanced` option to access advanced properties. ### enabled | | | | ----------------------- | ---------------------------------------------------- | | *Synopsis* | Indicates whether the Certificate Mapper is enabled. | | *Default value* | None | | *Allowed values* | truefalse | | *Multi-valued* | No | | *Required* | Yes | | *Admin action required* | None | | *Advanced* | No | | *Read-only* | No | ### fingerprint-algorithm | | | | ----------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | *Synopsis* | Specifies the name of the digest algorithm to compute the fingerprint of client certificates. | | *Default value* | None | | *Allowed values* | * md5: Use the MD5 digest algorithm to compute certificate fingerprints. * sha1: Use the SHA-1 digest algorithm to compute certificate fingerprints. * sha256: Use the SHA-256 digest algorithm to compute certificate fingerprints. | | *Multi-valued* | No | | *Required* | Yes | | *Admin action required* | None | | *Advanced* | No | | *Read-only* | No | ### fingerprint-attribute | | | | ----------------------- | ----------------------------------------------------------------------------------------------------------------------- | | *Synopsis* | Specifies the attribute in which to look for the fingerprint. | | *Description* | Values of the fingerprint attribute should exactly match the MD5 or SHA1 representation of the certificate fingerprint. | | *Default value* | None | | *Allowed values* | The name of an attribute type defined in the LDAP schema. | | *Multi-valued* | No | | *Required* | Yes | | *Admin action required* | None | | *Advanced* | No | | *Read-only* | No | ### issuer-attribute | | | | ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | *Synopsis* | Specifies the name or OID of the attribute whose value should exactly match the certificate issuer DN. | | *Description* | Certificate issuer verification should be enabled whenever multiple CAs are trusted in order to prevent impersonation. In particular, it is possible for different CAs to issue certificates having the same subject DN. | | *Default value* | The certificate issuer DN will not be verified. | | *Allowed values* | The name of an attribute type defined in the LDAP schema. | | *Multi-valued* | No | | *Required* | No | | *Admin action required* | None | | *Advanced* | No | | *Read-only* | No | ### user-base-dn | | | | ----------------------- | ---------------------------------------------------------------------------------------------- | | *Synopsis* | Specifies the set of base DNs below which to search for users. | | *Description* | The base DNs are used when performing searches to map the client certificates to a user entry. | | *Default value* | The server performs the search in all public naming contexts. | | *Allowed values* | A valid DN. | | *Multi-valued* | Yes | | *Required* | No | | *Admin action required* | None | | *Advanced* | No | | *Read-only* | No | ## Advanced properties Use the `--advanced` option to access advanced properties. ### java-class | | | | ----------------------- | --------------------------------------------------------------------------------------------------------------------- | | *Synopsis* | Specifies the fully-qualified name of the Java class that provides the Fingerprint Certificate Mapper implementation. | | *Default value* | org.opends.server.extensions.FingerprintCertificateMapper | | *Allowed values* | A Java class that extends or implements:- org.opends.server.api.CertificateMapper | | *Multi-valued* | No | | *Required* | Yes | | *Admin action required* | The object must be disabled and re-enabled for changes to take effect. | | *Advanced* | Yes | | *Read-only* | No |