Policy Server Guides › Policy Server Configuration Guide › Troubleshooting SSL Authentication Schemes › Certificate-based Authentication Tests › After Following Previous Procedure, Still No Certificate Prompt › Verify That All Netscape Browsers Are Configured to Ask Every Time

Verify That All Netscape Browsers Are Configured to Ask Every Time

Netscape browsers can be configured to pass the same certificate automatically. This establishes the SSL connection using a certificate without prompting users to select a certificate.

To verify that all Netscape browsers are configured to ask every time

1. In the Netscape Browser, select Security from the tool bar.
2. Select Navigator.
3. In the Certificates to Identify You to a Web Site section, be sure it is set to Ask Every Time in the drop-down box.

Verify That All Web Servers Are Configured to Use SSL and Require Certificates

For Netscape Web Servers

1. In the Netscape Server Administration, click Admin Preferences.
2. Click Encryption On/Off and verify that the encryption is on, then click OK.
3. Click Encryption Preferences and verify that Required Certificates is set.
4. Restart the Web Server.

For IIS Web Servers

Verify that the virtual directories SMGetCredCert, SMGetCredCertOptional, SMGetCredNoCert are created and have the correct settings.

• SMGetCredCert - Require Certificates will be selected
• SMGetCredCertOptional - Accept Certificates will be selected
• SMGetCredNoCert - Do not accept certificates will be selected

Note: As part of the SiteMinder SSL Authentication setup, SiteMinder configures SSL virtual directories based on the type of SSL connection required by the authentication scheme.

Verify the Following Settings for each SiteMinder Virtual Directory

To verify the following settings for each SiteMinder Virtual Directory

1. In the Management Console, right-click a virtual directory and select Properties.
2. Click the Directory Security tab.
3. Click Edit Secure Communications.

For Apache Web Servers

In the httpd.conf file, be sure to set SSLVerifyClient as follows:

• For Basic over SSL: SSLVerifyClient none
• For Certificate or Basic: SSLVerifyClient optional
• For Certificate/Certificate and Basic: SSLVerifyClient require

  Note: For Apache Web servers where Certificates are required or optional, the "SSL Verify Depth 10" line in the httpd.conf file must be uncommented.

Check the Web Server’s Certificate Expiration

Netscape Servers

1. In the Netscape Server Administration, click Keys & Certificates.
2. Click Manage Certificates.
3. Click ServerCert.
4. Verify that it is trusted, and has not expired. If it does not exist, or has expired, you will need to request a new certificate by following the steps in Install the Netscape Web Server Certificate.

IIS Servers

1. In the Management Console, right-click the Web Server and select Properties.
2. Click the Directory Security tab.
3. In the Secure Communications panel, click Key Manager.
4. Select a key to view its properties and verify that the key has not expired.
5. If you need to make any changes, restart the Web Server.

Apache Servers

If an Apache Web Server certificate expires, you will receive an error messages at server startup that indicates the certificate has expired.