Just spent a while troubleshooting why my browser wouldn’t ask me for the client certificate even when I went to a certificate-protected WebSEAL instance. After a while, I worked it out, and thought I’d make a note of it here. Title Note: It was actually happening on both Firefox AND Internet Explorer.
- forms-auth = https
- require-client-cert = optional
- Client certificate mapping rule defined from here.
Every time I accessed the page, both Firefox and Internet Explorer would just display the login page.
After checking and rechecking what I had done to configure client authentication (it’s really pretty simple after all), I was scratching my head. Turns out, I hadn’t deployed the change from adding the CA certificate into the SSL Certificate keystore pdsrv.kdb.
Once I had deployed that, Firefox was my friend again!
So it would seem that when asking for client authentication, WebSEAL will tell your browser which CAs it will accept certificates from, and therefore your browser will only offer a cert in the event it has one that matches.
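One way to confirm this from the client side is to look at the "Acceptable client certificate CA names" section that `openssl s_client -connect host:443` prints and check whether your certificate's issuer is in it. The following is an added example, not part of the original post; the two captures and all DNs are constructed, and the function names are hypothetical.

```python
import re

# Constructed s_client excerpts: before and after the CA was deployed to the keystore.
BEFORE = """---
Acceptable client certificate CA names
C = AU, O = Example Corp, CN = Some Other CA
Client Certificate Types: RSA sign, ECDSA sign
---
"""
AFTER = """---
Acceptable client certificate CA names
C = AU, O = Example Corp, CN = Some Other CA
C = AU, O = Example Corp, CN = Example Client CA
Client Certificate Types: RSA sign, ECDSA sign
---
"""
ISSUER = "C = AU, O = Example Corp, CN = Example Client CA"  # issuer of the client cert

HEADER = re.compile(r"^[A-Za-z ]+: ")  # e.g. "Client Certificate Types: ..."

def acceptable_cas(output):
    """Return the CA DNs the server advertised in its certificate request."""
    names, in_list = [], False
    for line in output.splitlines():
        if line.startswith("Acceptable client certificate CA names"):
            in_list = True
        elif in_list:
            if line == "---" or HEADER.match(line):
                break  # end of the DN list
            names.append(line.strip())
    return names  # empty when "No client certificate CA names sent"

def normalise(dn):
    """Accept both 'C = AU, O = x' and '/C=AU/O=x' styles (rough: values
    containing '/' or ', ATTR=' are not handled)."""
    parts = re.split(r"/|,\s*(?=[A-Za-z0-9.]+\s*=)", dn)
    return tuple(re.sub(r"\s*=\s*", "=", p.strip(), count=1) for p in parts if p.strip())

def issuer_advertised(issuer_dn, output):
    """True if the client cert's issuer is in the server's advertised CA list."""
    return normalise(issuer_dn) in {normalise(n) for n in acceptable_cas(output)}

if __name__ == "__main__":
    for label, capture in (("before", BEFORE), ("after", AFTER)):
        print(label, "issuer advertised:", issuer_advertised(ISSUER, capture))
```

If the issuer is missing from the list, the browser has nothing to match against and silently skips the certificate prompt, which is what falling through to the login page looks like.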