32.5.3 Mutual SSL with X.509 Produces Untrusted Chain Messages

When you set up an X.509 contract for mutual SSL authentication, you must ensure that Identity Server trust store (NIDP-truststore) contains the trusted root from each CA that has signed the client certificates. If a client has a certificate signed by a CA that is not in Identity Server Trust Store, authentication fails.

To add a certificate to Identity Server Trust Store:

  1. Click Devices > Identity Servers > Edit > Security > NIDP Trust Store.

  2. Click Add or Auto-Import From Server and follow the prompts.