---
title: Enabling certificate-based authentication
description: You can enable certificate-based authentication in the PingFederate administrative console.
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:pf_enabling_cert_based_auth
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_enabling_cert_based_auth.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: July 5, 2022
section_ids:
  before-you-begin: Before you begin
  about-this-task: About this task
  steps: Steps
---

# Enabling certificate-based authentication

You can enable certificate-based authentication in the PingFederate administrative console.

## Before you begin

* Have a PingFederate username and password.

* Import the necessary client key and certificate into the web browser you use to access PingFederate.

## About this task

To enable client-certificate authentication, PingFederate administrative users must import an X.509 key and a suitable certificate for user authentication into their web browsers. In addition, the corresponding root certificate authority (CA) certificates must be contained in the Java runtime or the PingFederate trusted store. Other setup steps, including designating user permissions, must be completed by using configuration files located in the `<pf_install>/pingfederate/bin` directory.

The roles configured in the properties file apply to both the administrative console and the administrative API.

## Steps

1. Sign on to the PingFederate console as a user with permissions that include the **Crypto Admin** role.

2. Ensure the client-certificate's root CA and any intermediate CA certificates are contained in the trusted store, either for the Java runtime or PingFederate.

   You can import a certificate to PingFederate in **Security > Certificate & Key Management > Trusted CAs**.

   You might want to click the Serial Number and copy the Issuer distinguished name (DN) to use in later steps.

3. In the `<pf_install>/pingfederate/bin/run.properties` file, change the value of the `pf.console.authentication` property as shown.

   ```
   pf.console.authentication=cert
   ```

4. In the `<pf_install>/pingfederate/bin/cert_auth.properties` file, enter the Issuer DN for the client certificate as a value for the property `rootca.issuer.x`, where `x` is a sequential number starting at `1`.

   If you copied the Issuer DN after step 2, paste this value. For more information, see the comments in the file.

   The roles configured in the properties file apply to both the administrative console and the administrative API.

5. Repeat the previous step for any additional CAs as needed.

6. Enter the certificate user's Subject DN for the applicable PingFederate permission roles, as described in the properties file.

   The configuration values are case-sensitive.

7. Repeat the previous step for all users as needed.

   Other settings in the properties file are used to display the user's ID (Subject DN) in abbreviated form in the administrative console.

8. Start or restart PingFederate.
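The following pre-restart check is an added example, not part of the PingFederate product or its documentation. It verifies the settings described in the steps above: that `pf.console.authentication` is `cert`, that the `rootca.issuer.x` entries are numbered sequentially from `1`, and that the client certificate's Issuer DN appears with exact case. Assumptions: the file contents and DNs are constructed samples, the parser handles only simple `key=value` lines, and the case-sensitivity note is taken to apply to the issuer values as well.

```python
import re

# Constructed sample file contents (not from a real deployment).
RUN_PROPERTIES = """\
pf.console.authentication=cert
"""
CERT_AUTH_PROPERTIES = """\
# Entry 2 is missing, and entry 1 differs from the certificate in case only.
rootca.issuer.1=cn=Example Root CA,O=Example Corp,C=US
rootca.issuer.3=CN=Example Issuing CA,O=Example Corp,C=US
"""

def parse_properties(text):
    """Parse simple key=value lines, skipping blank lines and # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")  # split on the first '=' only
        if sep:
            props[key.strip()] = value.strip()
    return props

def check_cert_auth(run_text, cert_auth_text, cert_issuer_dn):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if parse_properties(run_text).get("pf.console.authentication") != "cert":
        findings.append("pf.console.authentication is not set to cert")
    issuers = {}
    for key, value in parse_properties(cert_auth_text).items():
        match = re.fullmatch(r"rootca\.issuer\.(\d+)", key)
        if match:
            issuers[int(match.group(1))] = value
    if sorted(issuers) != list(range(1, len(issuers) + 1)):
        findings.append("rootca.issuer.x is not sequential from 1: %s" % sorted(issuers))
    if cert_issuer_dn not in issuers.values():
        near = [n for n, dn in issuers.items() if dn.lower() == cert_issuer_dn.lower()]
        if near:
            findings.append("issuer DN matches rootca.issuer.%d only if case is ignored" % near[0])
        else:
            findings.append("issuer DN is not listed in any rootca.issuer.x entry")
    return findings

if __name__ == "__main__":
    cert_dn = "CN=Example Root CA,O=Example Corp,C=US"  # constructed Issuer DN
    for finding in check_cert_auth(RUN_PROPERTIES, CERT_AUTH_PROPERTIES, cert_dn):
        print("FINDING:", finding)
```

Run it against copies of the two files before restarting, passing the Issuer DN exactly as copied from the certificate.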
