IBM logoEnterprise Cloud Management SupportContact Us
ArticlesArticles Most Popular ArticlesMost Popular Articles Most Helpful ArticlesMost Helpful Articles Submit A QuestionSubmit A Question
RSS Feeds
Skip Navigation
DrillDown Icon Table of Contents
DrillDown Icon Enterprise Cloud
DrillDown Icon Release Notes
DrillDown Icon Known Issues
DrillDown Icon Policies
DrillDown Icon Registration and Login
DrillDown Icon Infinicenter Console
DrillDown Icon Environments
DrillDown Icon My Account
DrillDown Icon Settings Tab
DrillDown Icon Users Tab
DrillDown Icon Billing Tab
DrillDown Icon Transactions Tab
DrillDown Icon Bandwidth Tab
DrillDown Icon Keys Tab
DrillDown Icon Catalog Tab
DrillDown Icon Support Tab
DrillDown Icon Disaster Recovery Tab
DrillDown Icon Multi-Factor Authentication
DrillDown Icon Certificate-Based Authentication
DrillDown Icon Enterprise Cloud API
DrillDown Icon Best Practices
DrillDown Icon FAQs
DrillDown Icon Troubleshooting
DrillDown Icon Enterprise Cloud Managed Edition
DrillDown Icon Sales and Support
DrillDown Icon Proprietary Statement
  Email This ArticlePrint PreviewPrint Current Article and All Sub-Articles
Certificate-Based Authentication

Certificate-Based Authentication

Certificate-based authentication uses X.509 certificates in lieu of passwords as the personal identifier for user authentication. Certificate-based authentication is an option for organizations. Once enabled, certificate-based authentication can be applied to any or all users within the organization.


The International Telecommunication Union (ITU) Telecommunication Standardization Sector (ITU-T) defines the X.509 cryptography standard for public key infrastructure (PKI) that includes, among many others, a standard for public key certificates. A public key certificate is an electronic document that uses a cryptographic digital signature to bind a public key with an identity. The certificate can be used to verify that a public key belongs to an individual. The digital signature is that of a certification authority (CA) that attests to the validity of the certificate. The certificates can form a hierarchy of digital signatures from the individual up to a trusted anchor. If the certificate is valid, neither expired nor revoked, and issued by a trusted CA, then the user is authenticated and granted access.

With certificate-based authentication, the Enterprise Cloud requests users' credentials (certificate) via Infinicenter Console in a browser, the browser requests the credentials from the operating system, and the operating system provides the credentials, often from a smartcard. With smartcards, two-factor authentication is achieved: the Personal identification Number (PIN) to access the smartcard, which is "something you know," and the certificate on the smartcard identifying you, which is "something you have."

Note: While smartcards are common, organizations can permit any certificate available through the operating system to be used for certificate-based authentication. This is an implementation decision at the discretion of the organization.

Permitting use of certificate-based authentication is a two level process. First, an organization can enable certificate-based authentication. When enabled, the organization can conduct all user operations for establishing certificate-based authentication activities in Infinicenter Console. Second, an organization can activate certificate-based authentication. When activated, the Enterprise Cloud will require certificates of all users configured to use certificates-based authentication. Although two levels, an organization can enable and activate certificate-based authentication at the same time.

Separation of enablement and activation permits rapid changes in use of certificate-based authentication in the Enterprise Cloud. Should any problems occur with certificates, especially with the certificate of the trusted anchor, certificate-based authentication can be quickly deactivated. When deactivated, authentication returns to basic username and password authentication and, if licensed and configured, telephone multi-factor authentication. Because of this fallback feature of deactivation, users' passwords and telephone multi-factor authentication settings, where the latter is used, are preserved after enabling and activating certificate-based authentication.

Note: For an organization with certificate-based authentication activated, Global Support Services staff must use telephone multi-factor authentication to access that organization's environments.

The Enterprise Cloud uses a certificate store in digitalOps v2.0 when verifying the certificate submitted by a user. To use certificate-based authentication, organizations must provide to IBM the certificates of all certification authorities that signed the certificates of their users and the certificates must be uploaded to digitalOps v2.0. Certificates are defined in Distinguished Encoding Rules (DER) form and must be presented to digitalOps v2.0 in Privacy Enhanced Mail (PEM) or cer format. While certificates can be expressed in several other formats, only PEM and cer are accepted. PEM encodes the DER certificate using base64 while cer is typically binary. PEM permits multiple certificates to be carried in a single file while cer can carry only a single certificate.

Note: Organizations submit only the certificates of their certification authorities. Client certificates are neither required nor accepted by digitalOps v2.0.


Certificate-based authentication has an associated fee to implement the certificates; while enabling certificate-based authentication with the Enterprise Cloud has no fee, each certificate imported has a fee. To request certificate-based authentication, contact your service delivery manager. If you have no assigned service delivery manager, request it through support. The service delivery manager, or support representative, will notify the organization when certificate-based authentication has been enabled.

This process is repeated for activating or deactivating certificate-based authentication.

Manage Certificates

Organizations must provide IBM the certificates of every certification authority that signed the certificates of users of Infinicenter Console and for whom certificate-based authentication is desired. If any of the certificates of certification authorities is signed by another certification authority, the certificate of that authority must also be provided. That is, if a hierarchy of certification authorities exists, all the certificates in the hierarchy must be provided. Organizations must also identify the trust anchor, the certificate of the topmost or trusted certification authority, for any group of certificates.

Login to Infinicenter Console

Login to Infinicenter Console.

id="DefaultAuth"Select the Default Authentication Type

Select the Default Authentication Type for the organization.

Administer Users' Authentication Type

In addition to setting the default authentication type for the organization, you can Administer Users' Authentication Type from the Users tab.