Configuring managed client certificates

Customers can upload a Root CA certificate that will be used to validate if a client cert presented by a user during the SAML 2.0 authentication process is legitimate.

Note: For Microsoft apps that support client certificate based authentication, refer to the list on the Microsoft 365 Client App Support.

Steps

  1. Login to the Forcepoint ONE SSE portal and navigate to the Protect > Forward Proxy > Device Profiling Proxy page.
  2. Under Managed Devices section:
    1. Enable the Login Policy Certificate Checking option.
    2. Click Choose File next to Upload Root CA Certificate and find the cert file (Root CA) you wish to upload. Select it then save your changes.
      • The uploaded cert must be a Root CA (certificate authority).
      • The Root CA must be in PEM or DER format.
      • The Root CA that you upload must be the one which signed the client certs deployed to managed devices.
        Note: If the client certs you deployed are part of an internal CA chain, you must include all of the CA certs in the chain in the uploaded file. The intermediate CA should be the first cert in the file followed by the Root CA. The intermediate CA serial number will be displayed as the Current Certificate Serial.
    Once you have uploaded the Root CA, you can push the client certs through to your managed devices using, for example, the Active directory group policy. Once pushed, you then need to create policy.