Paste a Base64-encoded (PEM) certificate into the textarea below, then click Validate Certificate.
X.509 Client Certificate Authentication
X.509 Client Authentication uses a certificate stored on your computer (SmartCard, PKI Token) to authenticate your identity.
When you access a website that requires X.509 client certificate authentication, the webserver requests a client certificate from your web browser. The web browser then interacts with the underlying Operating System to retrieve a client certificate. The Operating System can either directly interact with certificate storage devices (SmartCard, PKI Token) or use a third-party driver (ActivClient, iTray) to gain access to the client certificate. If multiple certificates are found that are marked as authentication certificates, the Operating System will display a pop-up with a list of the available certificates. Once a certificate has been selected, the Operating System will prompt for a PIN to unlock the private key associated with the authentication certificate. The certificate storage device will lock access to the private key if an invalid PIN is entered a set number of times (this number is determined by the SmartCard or PKI Token issuing agency).
Once the private key has been unlocked, the authentication certificate is passed to the web browser and the web browser then sends the authentication certificate to the webserver.
The webserver validates the client certificate to ensure that it is not expired, that it was issued by a Certificate Authority the webserver trusts, and that it contains the usage policies the webserver requires.
PIV and PIV-I certificates contain special Policy OIDs that ensure the certificate is stored on a hardware device (SmartCard). If the webserver requires a PIV or PIV-I certificate, the authentication certificate that is provided must contain the required Policy OIDs; otherwise authentication will be denied, typically resulting in immediate termination of the HTTPS session. The web browser will then typically show a "page cannot be displayed" error.
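The server-side checks described in the last two paragraphs, sketched in Go as an added example (not this site's code): validity period and trusted issuer through the standard library's Verify, then the required Policy OID. It assumes the server requires id-fpki-common-authentication (2.16.840.1.101.3.2.1.3.13); the function names, the placeholder OID 1.2.3.4 and the self-signed test certificates, which stand in for CA-issued ones, are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"slices"
	"time"
)

var pivAuth = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 2, 1, 3, 13} // id-fpki-common-authentication; requiring it is an assumption
var otherPolicy = asn1.ObjectIdentifier{1, 2, 3, 4}                     // constructed placeholder for a non-PIV policy
var clientAuth = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}

// validate checks validity period and trusted issuer first, then the required policy OID.
func validate(c *x509.Certificate, roots *x509.CertPool, now time.Time) error {
	if _, err := c.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: clientAuth}); err != nil {
		return fmt.Errorf("expired or untrusted: %w", err)
	}
	if !slices.ContainsFunc(c.PolicyIdentifiers, pivAuth.Equal) {
		return fmt.Errorf("required policy OID %v not asserted", pivAuth)
	}
	return nil
}
// issue builds a constructed self-signed certificate asserting one policy OID and trusts it in pool.
func issue(policy asn1.ObjectIdentifier, pool *x509.CertPool) *x509.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	v, _ := asn1.Marshal([]struct{ ID asn1.ObjectIdentifier }{{ID: policy}}) // certificatePolicies body, encoded by hand
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), ExtKeyUsage: clientAuth,
		ExtraExtensions: []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: v}}}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, pub, key)
	c, err := x509.ParseCertificate(der) // also fails when creation returned no DER
	if err != nil {
		panic(err)
	}
	pool.AddCert(c)
	return c
}
func demo() map[string]bool { // which of the four constructed cases does validate accept?
	pool, now := x509.NewCertPool(), time.Now()
	piv, other := issue(pivAuth, pool), issue(otherPolicy, pool)
	return map[string]bool{"piv": validate(piv, pool, now) == nil, "other-policy": validate(other, pool, now) == nil,
		"expired": validate(piv, pool, now.Add(48*time.Hour)) == nil, "untrusted": validate(piv, x509.NewCertPool(), now) == nil}
}
func main() { fmt.Println(demo()) }
```

Only the first case is accepted: a certificate that is current and trusted but asserts a different policy is rejected just like an expired or untrusted one.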