X.509 User Certificate Provider

Use an X.509 User Certificate provider when clients authenticate over HTTPS with X.509 client certificates, that is, when the HTTPS listener performs mutual TLS authentication.

A client has already authenticated at the HTTPS protocol layer before this provider is called. This provider validates that the client's certificate is:
  • Signed by a trusted certificate authority
  • Not expired
  • Not revoked, as verified through Java's built-in support for the Online Certificate Status Protocol (OCSP) and CRL Distribution Points (CRLDP)

If the certificate passes all three checks, authentication succeeds. The server must receive the client request over HTTPS through a mutual-authentication listener; otherwise no client certificate is available to validate. An X.509 User Certificate provider can create a subject principal whose name is the fully qualified Subject DN from the user's certificate. You can use that principal name with the UserRoleAuthorizer to grant roles to the user.
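As an added illustration (not the product's own implementation), the following Java method performs the three checks described above with the JDK's PKIX validator, with OCSP and CRLDP revocation checking switched on, and returns the leaf certificate's Subject DN in the form used as the principal name. The trust store path, its password and the peer certificate array handed over by the TLS layer are assumed inputs.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.security.auth.x500.X500Principal;

/** Added example, not the product's code: PKIX validation of a TLS client certificate chain. */
public class ClientCertCheck {

    /**
     * Validates the chain presented at the TLS layer and returns the fully qualified
     * Subject DN of the leaf certificate, the value used as the principal name.
     * Throws CertPathValidatorException if the chain is untrusted, expired or revoked.
     */
    public static String authenticate(X509Certificate[] peerChain, String trustStorePath,
                                      char[] trustStorePassword) throws Exception {
        // The JDK switches behind "Java support for OCSP and CRLDP"; both default to off.
        Security.setProperty("ocsp.enable", "true");
        System.setProperty("com.sun.security.enableCRLDP", "true");

        // Trust anchors come from a keystore holding the CA certificates we accept (assumed path).
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(Paths.get(trustStorePath))) {
            trustStore.load(in, trustStorePassword);
        }
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(true); // hard-fail: an unreachable OCSP/CRL source rejects the client

        // Leaf certificate first; drop a self-signed root if the client sent one, anchors are not validated.
        List<X509Certificate> path = new ArrayList<>(Arrays.asList(peerChain));
        X509Certificate last = path.get(path.size() - 1);
        if (path.size() > 1 && last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
            path.remove(path.size() - 1);
        }
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);

        // PKIX validation covers all three checks: chaining to a trust anchor, the validity
        // period (against the current time by default) and revocation status via OCSP/CRLDP.
        CertPathValidator.getInstance("PKIX").validate(certPath, params);

        // Principal name: the fully qualified Subject DN, e.g. "CN=alice,OU=dev,O=Example".
        return peerChain[0].getSubjectX500Principal().getName(X500Principal.RFC2253);
    }
}
```

With revocation enabled, the validator refuses the certificate when neither the OCSP responder nor the CRL distribution point can be reached, so outbound access to those endpoints from the server is part of the deployment.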