Register a User for PKI Authentication

Prerequisites: The user's PKI certificate (.cer) is available either to be imported as a standalone file or as a previously imported certificate (you will need the serial number for registration) to be assigned to the user.

  1. Follow the steps in Search for Users to search for the user.

  2. In the user’s Details page, select the Wallet tab.

  3. Click Register PKI.

  4. From the drop-down list, select the Authentication Policy and click Next.

    Note:
    • The available authentication policies depend on the user's User Type.
    • For the PKI Certificate Matching authentication policy, you are not prompted to bind a certificate or device to the user. Click Next and then Close to complete the registration.

  5. Select the assignment option for the certificate:

    1. Select the option Import Certificate and click Next.

    2. Click Browse.

    3. From the File Upload page, select the .cer file, and then click Open.

    4. Click Next.

    5. From the Device Type drop-down list, select PKI Container on Server.

    6. From the Credential Profile (the Credential Type) drop-down list, select:

      • PKI Challenge Response v1 for direct PKI authentication
      • PKI Certificate Check v1 for indirect PKI authentication.
      Note: For information about direct and indirect PKI authentication, see .

    7. Optionally, enter a Serial Number.

      The Serial Number can be used if you want to override the serial number of the certificate you are importing with another serial number. For example:

      • For a device-based PKI credential, you could enter the smart card serial number.
      • For a browser-based PKI credential, you could enter the unique serial number of the private key (.pfx or .p12).

    8. Optionally, enter a positive integer as an Issue Number to identify the user's credential.

      Note: The number is not checked during authentication. It is only used as part of your device identification scheme.

    9. Select the required Status from the drop-down list.

    10. Optionally, enter a Device Friendly Name.

    Prerequisites: You have imported the user's PKI certificate and have the serial number available.

    1. Select the Select a device for assignment option.

    2. Enter the Device Serial Number for the imported certificate and click Next.

      3. Note: If the device is unknown or has already been assigned to another user, then the following warning appears.

    3. Verify the certificate details are correct.

    4. Optionally, enter a Device Friendly Name.
    5. Click Next.

  6. Configure the Policy Settings, and click Save to complete the registration.
  7. Click Close.

The user’s Wallet is updated with the new PKI credential.

Note: If you registered the user for PKI Certificate Matching authentication, the status of the authenticator is red . When the user authenticates successfully for the first time, a device and credential will be created for the authenticator and the status passes to green .
Important: Make sure the user imports their certificate private key (.pfx or p.12) and the corresponding trusted Certificate Authority (CA) root certificate (.cer) into their browser's truststore.