When you set up an X.509 contract for mutual SSL authentication, you must ensure that the Identity Server trust store (NIDP-truststore) contains the trusted root from each CA that has signed the client certificates. If a client has a certificate signed by a CA that is not in the Identity Server Trust Store, authentication fails.
To add a certificate to the Identity Server Trust Store:
In the Administration Console, click> > > > .
Click eitheror and follow the prompts.