Administrator Help

Using Client Certificate Authentication

Use the Create & Download Client Certificates page to issue Client Authentication Certificates to users.


To use Client Certificate Authentication, your site must be configured to use IP address restrictions with Basic authentication. See Configuring IP Address Restrictions and Basic Authentication.
To create client certificates for users, each user must first be authorized to use the service.
  • To allow the service for one user, on the Edit User page, select Client Certificate Authentication. See Adding or Editing Users.
  • To allow the service for a group of users, select the users on the Services & Users page. See Assigning Services to Users.

Viewing Authorized Users

To view users who are authorized to use the Client Certificate Authentication service:
  1. Select a department from the Departments list.
  2. Select Unissued, Valid, or Expired from the options at the top.
    • Users in the selected category display in the list, which shows their display name and the expiration date and time of the certificate.
    • If a department or category contains no authorized users, no users show in the list.

Creating Client Certificates

To create client certificates for users:
  1. Select the department to which the target users belong.
    If the users are not members of any department, select Unassigned Users or All Users.
  2. Select a client certificate status from the following:
    • Unissued: Issues client certificates for the users who have never been issued certificates.
    • Valid: Issues new client certificates for the users who have valid certificates.
    • Expired: Issues new client certificates for the users who do not have valid certificates.
  3. Select the check boxes next to the target users display names.
  4. Change the expiration date of the client certificates if necessary.
  5. Select whether to disable all prior client certificates of the users.
    • To disable all prior client certificates of the users whose certificates are being re-issued, select the check box.
    • To allow older certificates to continue to be used, clear the check box.
  6. Click Create.
  7. If you want to download the certificates yourself, click Download, navigate to a location and save the zip file.
    The zip file contains one zip file per user containing the client certificate and password.
  • Once you created a client certificate, you cannot change its expiration date.
  • Internet Explorer and iPhone Safari browsers may still be able to access for up to 10 minutes after the expiration of their client certificate, due to session cache reasons.

Downloading Certificates

Administrators can allow users to download their own certificates. You can grant users permission on the Download Permissions page. See Prohibiting Users from Downloading Their Client Certificates.
When a certificate is created, the Secure Remote Access page becomes available in the Account Settings menu on the portal. Administrators can view this page in the Display Name menu.
The Secure Remote Access page shows the link to download the client certificate file, the certificate expiration date, password, and access URL. Users can use this page to download their own certificates.
Once you have a certificate file, you need to install it in your Web browser. See Adding a client certificate in the Technical Information on the Cybozu manual site. Or, search your Web browser’s help system for instructions.
You can instead download a batch of certificates and install them in users’ browsers yourself.