Client-Certificate Authentication

Users imported from AD and LDAP directories can log in to PrivX with X.509 client certificates (TLS client authentication), for example the certificate on a user's smart card or a client certificate imported into the browser.

Prerequisites

  • The users' client certificates must include a Subject Alternative Name (SAN) entry that matches their User Principal Name (UPN) in PrivX. Certificates issued by an AD certification authority for smart-card logon carry the UPN in the SAN as the Microsoft UPN otherName (OID 1.3.6.1.4.1.311.20.2.3).

  • You need the certificates of the CAs that issued the users' client certificates; they are configured as trust anchors during setup.

Client-Certificate-Authentication Setup

To enable certificate authentication for users from a certain directory:

  1. In the PrivX GUI, on the Settings→Directories page, click Edit on the AD or LDAP directory to display its settings.

  2. Expand Advanced directory settings. Under Multi-Factor authentication settings, enable Client certificate authentication. You must also provide Trust anchors: the certificates of the CAs that issued the users' client certificates. Keep this list to the CAs that actually issue user certificates, because any certificate that chains to a listed CA and carries the UPN of a user in the directory is accepted for that user.

    Click Save to apply the new settings. Certificate authentication is now enabled for all users belonging to the directory.

Logging In with Client-Certificate Authentication

After certificate authentication is enabled, users can log into PrivX as follows:

  1. Ensure that your client certificate is available, for example that your smart card is inserted and read correctly, or that your certificate is imported into the browser.

  2. Access the PrivX-login page. If prompted by your browser, provide your client certificate.

    For a successful login, the Subject Alternative Name in your client certificate must specify your User Principal Name, and the certificate must be issued by one of the CAs configured as trust anchors for your directory. A certificate that fails either condition is rejected.

    After presenting a valid client certificate you are logged into PrivX.
