PKI for X.509 Client Authentication

SSOCircle IDP offers several strong authentication methods, and client certificate authentication is one of them. Please note that these client certificates have nothing to do with the certificates used for signing and encrypting SAML SSO messages; they authenticate the user to the IDP over TLS.

In order to use client certificate authentication, you need to generate a private/public key pair and enroll for an SSOCircle-CA-signed client certificate. The enrollment process issues an X.509 certificate with the SSOCircle username as subject and binds it to the user account, so the certificate presented at login can be mapped back to exactly one user.

We are currently offering PKCS#10 certificate signing request (CSR) enrollment, which is described in the blog entry at .

In addition to this mainly manual process, we used to offer an automatic key generation and enrollment process based on the HTML <keygen> tag or the CertEnroll/XEnroll ActiveX component. As support for these nifty tools was recently dropped by the major browsers (see our blog xxxx), we added a similar functionality: it generates an RSA private/public key pair in the browser, enrolls for an X.509 certificate and provides a PKCS#12 certificate container which can be imported into the certificate managers of the different browsers.
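The manual PKCS#10 path and the PKCS#12 hand-over described above, reproduced with the openssl command line as an added example. This is not SSOCircle's code: the SSOCircle CA signs CSRs on the server side and cannot be driven from a script, so a throwaway local CA stands in for it here. The username alice.example, the file names and the password are assumed values. The second half shows the checks worth running on any downloaded PKCS#12 file before importing it: does the password verify the file's MAC, whose CN is in it, does the private key actually belong to the certificate, and does the certificate chain to the bundled CA with an extendedKeyUsage fit for TLS client authentication.

```shell
#!/bin/sh
# Added example, not SSOCircle code: PKCS#10 enrollment and PKCS#12 bundling with
# the openssl CLI, plus the checks to run on a PKCS#12 file before importing it.
# A throwaway local CA stands in for the SSOCircle CA; username, file names and
# password are made-up values.
set -eu

WORK="$(mktemp -d)"                           # all files land here; remove it when done
USERNAME="alice.example"                      # SSOCircle username, becomes the subject CN (assumed)
P12_PASSWORD="correct horse battery staple"   # protects the PKCS#12 file (assumed)

# Step 1, client side: generate the RSA key pair and a PKCS#10 CSR whose subject is the
# username. Only the CSR (public key + subject) is sent to the CA; the private key stays here.
# -nodes leaves the key unencrypted on disk; the PKCS#12 export re-protects it below.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" \
        -subj "/CN=$USERNAME" 2>/dev/null
    # The CSR is self-signed with the new key; check that signature before submitting it.
    openssl req -in "$WORK/client.csr" -noout -verify >/dev/null 2>&1
}

# Stand-in for the SSOCircle CA. Extensions are written out explicitly (CA:TRUE, keyCertSign)
# so that 'openssl verify' accepts it as an issuer regardless of openssl.cnf defaults.
make_test_ca() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/ca.key" 2>/dev/null
    openssl req -new -key "$WORK/ca.key" -sha256 \
        -subj "/CN=Local test CA (stand-in for SSOCircle CA)" -out "$WORK/ca.csr" 2>/dev/null
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' > "$WORK/ca.ext"
    openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 1 -sha256 \
        -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null
}

# Step 2, CA side: sign the CSR as an end-entity client certificate. CA:FALSE, signature-only
# key usage and extendedKeyUsage=clientAuth keep it from being reused as a server or CA cert.
sign_csr() {
    printf '%s\n' 'basicConstraints=critical,CA:FALSE' 'keyUsage=critical,digitalSignature' \
        'extendedKeyUsage=clientAuth' 'subjectKeyIdentifier=hash' > "$WORK/client.ext"
    openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$WORK/client.ext" \
        -out "$WORK/client.crt" 2>/dev/null
}

# Step 3: bundle private key, certificate and CA chain into a password-protected PKCS#12
# file, the artefact the browser flow hands you for import.
make_p12() {
    openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.crt" \
        -certfile "$WORK/ca.crt" -name "$USERNAME" \
        -passout "pass:$P12_PASSWORD" -out "$WORK/client.p12"
}

# Checks to run on a PKCS#12 file before importing it.

# Does the password open it? 'pkcs12 -noout' parses the file and verifies its MAC.
p12_password_ok() {
    openssl pkcs12 -in "$WORK/client.p12" -passin "pass:$1" -noout 2>/dev/null
}

# Whose identity is in it? Print the subject CN of the end-entity certificate.
p12_subject_cn() {
    openssl pkcs12 -in "$WORK/client.p12" -passin "pass:$P12_PASSWORD" -clcerts -nokeys 2>/dev/null \
        | openssl x509 -noout -subject -nameopt RFC2253 \
        | sed -e 's/^subject= *//' -e 's/^CN=//'
}

# Does the private key belong to the certificate? Compare the DER SubjectPublicKeyInfo
# derived from the key with the one carried in the certificate.
p12_key_matches_cert() {
    openssl pkcs12 -in "$WORK/client.p12" -passin "pass:$P12_PASSWORD" -nocerts -nodes 2>/dev/null \
        | openssl pkey -pubout -outform DER -out "$WORK/key.spki" 2>/dev/null
    openssl pkcs12 -in "$WORK/client.p12" -passin "pass:$P12_PASSWORD" -clcerts -nokeys 2>/dev/null \
        | openssl x509 -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -pubout -outform DER -out "$WORK/crt.spki" 2>/dev/null
    [ -s "$WORK/key.spki" ] && cmp -s "$WORK/key.spki" "$WORK/crt.spki"
}

# Does the certificate chain to the bundled CA, and is it valid for TLS client auth?
p12_chain_verifies() {
    openssl pkcs12 -in "$WORK/client.p12" -passin "pass:$P12_PASSWORD" -cacerts -nokeys 2>/dev/null > "$WORK/chain.pem"
    openssl pkcs12 -in "$WORK/client.p12" -passin "pass:$P12_PASSWORD" -clcerts -nokeys 2>/dev/null > "$WORK/leaf.pem"
    openssl verify -CAfile "$WORK/chain.pem" -purpose sslclient "$WORK/leaf.pem" >/dev/null 2>&1
}

make_csr
make_test_ca
sign_csr
make_p12
echo "PKCS#12 bundle: $WORK/client.p12"
echo "subject CN:     $(p12_subject_cn)"
p12_key_matches_cert && echo "private key matches certificate"
p12_chain_verifies   && echo "certificate verifies against the bundled CA for purpose sslclient"
```

The private key is only ever unprotected inside the temporary work directory; delete that directory once the bundle has been imported, since the PKCS#12 file's password is what protects the key from then on. Note that OpenSSL 3 exports PKCS#12 with AES-256-CBC and a SHA-256 MAC by default; if an older certificate manager refuses the file, re-export it with the `-legacy` option (or explicit `-certpbe`/`-keypbe`/`-macalg` settings) to fall back to the older algorithms.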

Quick start guide:

1. Log in to SSOCircle and click on “My Client Certificate”, then choose the link “Automatic key generation and certificate enrollment”. The form lets you select the key size and a password that is used to protect the PKCS#12 file. Click on “Generate RSA Key Pair and enroll X.509 client certificate”.
(screenshot: enroll1)

2. After enrollment, Chrome and Firefox display a link to save the PKCS#12 file locally; Edge and IE download the file automatically. The file contains your private key, so keep it only as long as you need it for the import.
(screenshot: enroll2)

3a. In Firefox, import the file through the Certificate Manager and follow these steps:
(screenshots: ff-certmanager, ff-certmanager-2, ff-certmanager-3)

3b. For Chrome, Edge or IE, open the file and follow the Windows certificate import dialogue:
(screenshots: win-certmanager-1 to win-certmanager-5)

4. If everything went fine, log out and log in again using the certificate.
(screenshot: ssoc-login-cert)