When you set up an X.509 contract for mutual SSL authentication, you must ensure that the Identity Server trust store (NIDP-truststore) contains the trusted root from each CA that has signed the client certificates. If a client has a certificate signed by a CA that is not in the Identity Server trust store, authentication fails.
To add a certificate to the Identity Server trust store:
1. Click Devices > Identity Servers > Edit > Security > NIDP Trust Store.
2. Click Add or Auto-Import From Server and follow the prompts.
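
A way to check the requirement above before users hit failed logins, as an added example that is not part of the original documentation: the script lists each client certificate that does not chain to a root in a PEM bundle and prints its issuer, so you know which CA root still has to be added. It assumes the trusted roots from the NIDP trust store are available as a PEM bundle and that the openssl command-line tool is installed; the function name and file names are hypothetical.

```shell
#!/bin/sh
# Added example: list client certificates whose chain does not verify
# against a PEM bundle of trusted roots.
# Assumption: the bundle is a PEM export of the roots held in the NIDP
# trust store; the file names in the usage line are hypothetical.
#
# usage: sh check_roots.sh trusted-roots.pem client1.pem [client2.pem ...]

untrusted_client_certs() {
    bundle=$1
    shift
    # Point -CApath at an empty directory so OpenSSL cannot fall back to
    # the system CA directory and report a chain the bundle does not cover.
    empty_dir=$(mktemp -d) || return 2
    rc=0
    for cert in "$@"; do
        # openssl verify prints "<file>: OK" only when the chain ends at
        # a root in the bundle; match on that rather than the exit code.
        if openssl verify -CAfile "$bundle" -CApath "$empty_dir" "$cert" 2>/dev/null \
                | grep -q ': OK$'; then
            continue
        fi
        # Report the issuer so the administrator knows which CA is missing.
        issuer=$(openssl x509 -noout -issuer -in "$cert" 2>/dev/null) \
            || issuer="issuer unreadable"
        printf '%s\t%s\n' "$cert" "$issuer"
        rc=1
    done
    rmdir "$empty_dir"
    # Non-zero when at least one certificate would fail authentication.
    return $rc
}

# Run the check when the script is called with a bundle and certificates.
if [ "$#" -ge 2 ]; then
    untrusted_client_certs "$@"
fi
```

An intermediate CA that signs client certificates is reported the same way unless the bundle contains the certificates needed to complete its chain.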