7.2 Mutual SSL with X.509 Produces Untrusted Chain Messages

When you set up an X.509 contract for mutual SSL authentication, you must ensure that the Identity Server trust store (NIDP-truststore) contains the trusted root from each CA that has signed the client certificates. If a client has a certificate signed by a CA that is not in the Identity Server trust store, authentication fails.

To add a certificate to the Identity Server trust store:

  1. In the Administration Console, click Devices > Identity Servers > Edit > Security > NIDP Trust Store.

  2. Click either Add or Auto-Import From Server and follow the prompts.
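
The following check is an added example, not part of the product documentation. It reproduces the failure described above with two throwaway CAs and shows an `openssl verify` test for whether a client certificate chains to a root in a PEM bundle. It assumes `openssl` is installed and that the trust store's roots are available as a PEM bundle; all file names, CNs and function names are constructed.

```shell
#!/bin/sh
# Added example. Every file name, CN and CA below is constructed for the demo.

# chains_to_roots ROOTS.pem CERT.pem: exit 0 only if CERT chains to a root in ROOTS.
# -no-CApath keeps the system CA directory out of the decision.
chains_to_roots() {
    openssl verify -no-CApath -CAfile "$1" "$2"
}

# write_cnf FILE: minimal req config so throwaway roots carry CA:TRUE.
write_cnf() {
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
        '[dn]' 'CN = constructed' '[v3_ca]' \
        'basicConstraints = critical,CA:TRUE' > "$1"
}

# make_ca DIR NAME: self-signed throwaway root -> DIR/NAME.pem and DIR/NAME.key.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/ca.cnf" \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_client DIR CA: client certificate signed by CA -> DIR/client.pem.
issue_client() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
        -subj "/CN=constructed-user" -keyout "$1/client.key" \
        -out "$1/client.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/client.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -set_serial 1 -days 1 -out "$1/client.pem" 2>/dev/null
}

demo() {
    d=$(mktemp -d) || return 1
    write_cnf "$d/ca.cnf"
    make_ca "$d" ca-a && make_ca "$d" ca-b && issue_client "$d" ca-a || return 1
    cp "$d/ca-b.pem" "$d/roots.pem"       # bundle holds only CA B's root
    chains_to_roots "$d/roots.pem" "$d/client.pem" ||
        echo "untrusted chain: the signing CA's root is missing"
    cat "$d/ca-a.pem" >> "$d/roots.pem"   # CA A's root added
    chains_to_roots "$d/roots.pem" "$d/client.pem" && echo "chain trusted"
    rm -rf "$d"
}

demo
```

For a real certificate, call `chains_to_roots` with your own root bundle and the client's certificate; an `unable to get local issuer certificate` error from `openssl verify` indicates the signing CA's root is not in the bundle.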