3.3 Configuring Certificate Matching

Configuration Level: Global, Container, User

User objects must be configured with the proper certificate information for login.

  1. Using iManager, in the Roles and Tasks view, select Smart Card Login > User Settings.

  2. Fill in the information according to the type of certificate matching used.

Certificate matching specifies which part of the certificate presented during login is matched to the target user account. There are three matching options, Subject Name Matching, Certificate Matching, and No Matching, and a configured subject name or certificate can additionally be marked as temporary (see Section 3.3.4, Temporary Certificates):

3.3.1 Subject Name Matching

You need to configure the subject name from the login certificate for the user object.

  1. Click Add, then specify the subject name.

    The subject name can be entered directly, read from a smart card in an attached card reader, or read from a certificate file. DER and PEM certificate files are supported.

  2. If you want to make this a temporary subject, select Make this a temporary subject. For more information on temporary subjects and certificates, see Section 3.3.4, Temporary Certificates.

  3. Click OK.

Figure 3-2 Add Subject Name Page

Figure 3-3 is an example of a User object properly configured for subject name matching:

Figure 3-3 Subject Name Matching Page

Subject name matching checks the subject name of the login certificate against the subject names configured for the user object. Matching by subject name is less restrictive than matching by a specific certificate: any valid certificate that carries a configured subject name is accepted, including a renewed or reissued card for the same subject, so the binding to the user is only as strong as the issuing CA's control over who receives a certificate with that subject name.

3.3.2 Certificate Matching

You need to configure the specific login certificate for the User object.

  1. Click Add, then specify the certificate.

    The certificate can be read from a smart card in an attached card reader, or read from a certificate file. DER and PEM certificate files are supported.

  2. If you want to make this a temporary certificate, select Make this a temporary certificate. For more information on temporary subjects and certificates, see Section 3.3.4, Temporary Certificates.

  3. Click OK.

Figure 3-4 Add a Certificate Page

Figure 3-5 is an example of a User object properly configured for certificate matching:

Figure 3-5 Certificate Matching Page

Certificate matching checks the login certificate against the list of certificates configured for the user object. Certificate-based matching is more restrictive than subject name matching because only a configured certificate can be used for login. The cost of that restriction is administrative: a renewed or reissued certificate has a different encoding, so it must be added to the User object before the user can log in with it.
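The subject name and certificate values that the two procedures above ask for can be read from a DER or PEM file without a card reader. The following is an added example written for this page, not code from the product: it builds a constructed, unsigned, certificate-shaped DER structure with a placeholder key and signature so that it runs offline, accepts either DER or PEM input, and returns the subject name in RFC 4514 string form together with a SHA-256 fingerprint of the DER encoding, which is the natural identity for one specific certificate. Whether iManager displays the subject in exactly this string form, and which hash (if any) it stores for a configured certificate, are assumptions, not facts stated on this page.

```python
import base64
import hashlib

# Subject attribute types this example understands (OID -> RFC 4514 short name).
ATTR = {"2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU", "2.5.4.3": "CN"}


def der(tag, body):
    """DER TLV with short- or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def oid(dotted):
    """OBJECT IDENTIFIER from dotted form (first two arcs packed, base-128 for the rest)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        enc = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            enc.insert(0, 0x80 | (arc & 0x7F))
        out += enc
    return der(0x06, bytes(out))


def name(rdns):
    """X.501 Name: SEQUENCE OF SET OF SEQUENCE { type OID, UTF8String value }."""
    by_short = {v: k for k, v in ATTR.items()}
    return der(0x30, b"".join(
        der(0x31, der(0x30, oid(by_short[k]) + der(0x0C, v.encode()))) for k, v in rdns))


def build_sample_cert(subject_rdns, serial=b"\x01\x00\x01"):
    """Constructed, unsigned certificate-shaped DER (placeholder key and signature)."""
    alg = der(0x30, oid("1.2.840.113549.1.1.11") + der(0x05, b""))   # sha256WithRSAEncryption
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))                    # [0] version v3
              + der(0x02, serial)                                    # serialNumber
              + alg                                                  # signature
              + name([("C", "US"), ("O", "Example CA")])             # issuer
              + der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"260101000000Z"))  # validity
              + name(subject_rdns)                                   # subject
              + der(0x30, der(0x30, oid("1.2.840.113549.1.1.1") + der(0x05, b""))
                    + der(0x03, bytes(9))))                          # subjectPublicKeyInfo
    return der(0x30, tbs + alg + der(0x03, bytes(17)))               # signatureValue


def tlv(buf, i):
    """Decode one TLV at offset i; return (tag, value, offset after it)."""
    tag, n, i = buf[i], buf[i + 1], i + 2
    if n & 0x80:
        k = n & 0x7F
        n, i = int.from_bytes(buf[i:i + k], "big"), i + k
    return tag, buf[i:i + n], i + n


def children(body):
    """All TLVs directly inside a constructed value."""
    out, i = [], 0
    while i < len(body):
        tag, val, i = tlv(body, i)
        out.append((tag, val))
    return out


def decode_oid(b):
    arcs, v = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        v = (v << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))


def to_der(data):
    """Accept DER or PEM bytes (both file types can be imported) and return DER."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(l.strip() for l in data.splitlines() if b"-----" not in l)
        return base64.b64decode(body)
    return data


def to_pem(der_bytes):
    b64 = base64.b64encode(der_bytes).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n").encode()


def subject_name(cert):
    """Subject DN of a DER or PEM certificate as an RFC 4514 string."""
    _, cert_body, _ = tlv(to_der(cert), 0)
    _, tbs, _ = tlv(cert_body, 0)
    fields = children(tbs)
    if fields[0][0] == 0xA0:                  # explicit version is optional
        fields = fields[1:]
    rdns = []
    for _, rdn_set in children(fields[4][1]):  # serial, signature, issuer, validity, subject
        for _, atv in children(rdn_set):
            (_, type_bytes), (_, value) = children(atv)
            attr_oid = decode_oid(type_bytes)
            rdns.append(f"{ATTR.get(attr_oid, attr_oid)}={value.decode()}")
    return ",".join(reversed(rdns))           # RFC 4514 lists the most specific RDN first


def fingerprint(cert):
    """SHA-256 over the DER encoding; the same for the DER and PEM form of one certificate."""
    return hashlib.sha256(to_der(cert)).hexdigest()


if __name__ == "__main__":
    jane = [("C", "US"), ("O", "Example Corp"), ("OU", "Engineering"), ("CN", "Jane Doe")]
    cert_der = build_sample_cert(jane)
    renewed = build_sample_cert(jane, serial=b"\x01\x00\x02")   # same subject, new certificate
    print("subject:", subject_name(to_pem(cert_der)))
    print("sha256 :", fingerprint(cert_der))
    print("renewed card has same subject:", subject_name(renewed) == subject_name(cert_der),
          "but different fingerprint:", fingerprint(renewed) != fingerprint(cert_der))
```

The renewed certificate in the demo is the practical difference between the two options: with subject name matching it logs in unchanged, with certificate matching it does not until the new certificate is added to the User object. On a real certificate file the same two values can be cross-checked with `openssl x509 -in cert.pem -noout -subject -nameopt RFC2253 -fingerprint -sha256` (add `-inform DER` for a DER file).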

3.3.3 No Matching

No matching means that no part of the login certificate needs to be configured on the target user account. This option is not normally used for regular user accounts; a potential use is a guest account. A guest account configured as no matching can be used by anyone who presents a valid certificate, so the account cannot be attributed to one individual through certificate matching alone and should carry only the rights a guest needs.

3.3.4 Temporary Certificates

A temporary classification can be assigned to certificates or subject names. You do this by selecting the Make this a temporary subject or Make this a temporary certificate check box when adding the certificate information. This is useful when a temporary smart card is assigned to an individual, typically because the individual has misplaced or forgotten his or her regular smart card. In this situation, a temporary smart card can be issued to the individual and configured for a short period of time.

A temporary certificate is valid until the specified expiration date. The user is only able to log in using the temporary certificate. If the user attempts a login by using his or her normal certificate, the login fails. After the temporary certificate expiration date passes, the user can log in again by using the regular certificate. Expired temporary certificate information is automatically deleted from the User object.

Figure 3-6 shows a User object configured with a temporary certificate subject name. The regular information still exists for the user, but the temporary configuration overrides it until the expiration date.

Figure 3-6 Temporary Certificate Subject Name Page
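A compact model of how the three matching options and the temporary override described in this section interact, as an added illustration for this page rather than the product's own logic. It assumes the login method has already validated the certificate (trust chain, revocation, validity period) before matching is attempted; the subject strings and certificate bytes it takes as input are constructed placeholders, and identifying a specific certificate by the SHA-256 of its DER encoding is an assumption, not a format stated on this page.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import List, Optional
import hashlib


class Mode(Enum):
    SUBJECT_NAME = "subject name matching"   # Section 3.3.1
    CERTIFICATE = "certificate matching"     # Section 3.3.2
    NONE = "no matching"                     # Section 3.3.3


@dataclass
class Entry:
    value: str                          # subject DN string, or SHA-256 hex of the DER certificate
    expires: Optional[datetime] = None  # set only when "Make this a temporary ..." was selected


@dataclass
class UserConfig:
    mode: Mode
    entries: List[Entry] = field(default_factory=list)


def cert_fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()   # assumed identity for one specific certificate


def purge_expired(user: UserConfig, now: datetime) -> int:
    """Expired temporary entries are deleted from the User object; returns how many were removed."""
    before = len(user.entries)
    user.entries = [e for e in user.entries if e.expires is None or e.expires > now]
    return before - len(user.entries)


def active_entries(user: UserConfig, now: datetime) -> List[Entry]:
    """While an unexpired temporary entry exists, only temporary entries can match;
    the regular entries are overridden until the expiration date passes."""
    purge_expired(user, now)
    temporary = [e for e in user.entries if e.expires is not None]
    return temporary if temporary else user.entries


def login_allowed(user: UserConfig, subject: str, der: bytes, now: datetime) -> bool:
    """Does an already-validated login certificate match this user's configuration?"""
    if user.mode is Mode.NONE:
        return True                      # any valid certificate: guest-style accounts only
    presented = subject if user.mode is Mode.SUBJECT_NAME else cert_fingerprint(der)
    return any(e.value == presented for e in active_entries(user, now))


# Constructed placeholders standing in for extracted subject names and DER bytes.
REGULAR_SUBJECT = "CN=Jane Doe,OU=Engineering,O=Example Corp,C=US"
TEMP_SUBJECT = "CN=TEMP-0417,OU=Temporary Cards,O=Example Corp,C=US"
REGULAR_DER = b"<constructed DER of Jane's regular certificate>"
RENEWED_DER = b"<constructed DER of Jane's renewed certificate>"   # same subject, new certificate


def demo() -> dict:
    """Walk through the behaviour this section describes; every value should be True."""
    issued = datetime(2024, 6, 1, tzinfo=timezone.utc)
    during = datetime(2024, 6, 3, tzinfo=timezone.utc)
    after = datetime(2024, 6, 9, tzinfo=timezone.utc)

    jane = UserConfig(Mode.SUBJECT_NAME, [Entry(REGULAR_SUBJECT)])
    strict = UserConfig(Mode.CERTIFICATE, [Entry(cert_fingerprint(REGULAR_DER))])
    guest = UserConfig(Mode.NONE)
    result = {
        "subject mode accepts a renewed card": login_allowed(jane, REGULAR_SUBJECT, RENEWED_DER, issued),
        "certificate mode rejects a renewed card": not login_allowed(strict, REGULAR_SUBJECT, RENEWED_DER, issued),
        "no matching accepts any valid certificate": login_allowed(guest, "CN=Anyone", b"any", issued),
    }
    # A temporary card valid for one week overrides the regular entry ...
    jane.entries.append(Entry(TEMP_SUBJECT, expires=datetime(2024, 6, 8, tzinfo=timezone.utc)))
    result["regular card rejected while temp is active"] = not login_allowed(jane, REGULAR_SUBJECT, REGULAR_DER, during)
    result["temp card accepted while active"] = login_allowed(jane, TEMP_SUBJECT, b"temp", during)
    # ... and once it expires the regular card works again and the temp entry is gone.
    result["regular card works after expiry"] = login_allowed(jane, REGULAR_SUBJECT, REGULAR_DER, after)
    result["temp entry auto-deleted"] = len(jane.entries) == 1
    return result


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{'ok ' if ok else 'FAIL'} {check}")
```

The override in `active_entries` is the point to keep in mind operationally: as long as a temporary entry is unexpired, the user's regular card is refused, so a temporary entry given a distant expiration date locks the user out of the regular card for that whole period. Keep the expiration short, as the section advises, and remove the entry by hand if the regular card turns up early.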