When you set up an X.509 contract for mutual SSL authentication, you must ensure that the Identity Server trust store (NIDP-truststore) contains the trusted root from each CA that has signed the client certificates. If a client has a certificate signed by a CA that is not in the NIDP-truststore, authentication fails.
To add a certificate to the NIDP-truststore:
In the Administration Console, click > > > .
Click either or and follow the prompts.
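
The failure mode described above can be checked before a client ever connects. The following is an added example, not part of the product documentation or tooling: it works on a PEM bundle standing in for an export of the trust store rather than on the NIDP-truststore itself, and the function names, CA names and files are all constructed for the demonstration.

```shell
#!/bin/sh
# Constructed demo: every CA, key and file name below is generated for this example.

# chains_to_bundle CLIENT_PEM BUNDLE_PEM
# Exit 0 if the client certificate verifies against the roots in BUNDLE_PEM
# (a PEM export of the trust store); non-zero if its issuer is missing.
chains_to_bundle() {
    # -no-CApath: do not also fall back to the system CA directory.
    openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
}

# make_ca DIR NAME: self-signed root (NAME.pem / NAME.key), valid for one day.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# make_client DIR CA_NAME: client certificate DIR/client.pem signed by CA_NAME.
make_client() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
        -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/client.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -set_serial 1 -days 1 -out "$1/client.pem" 2>/dev/null
}

# demo: verify the client certificate before and after the signing CA's root
# is added to the bundle, and print both results separated by a space.
demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" signing-ca && make_ca "$d" other-ca &&
        make_client "$d" signing-ca || return 1
    cp "$d/other-ca.pem" "$d/bundle.pem"          # bundle lacks the signing root
    if chains_to_bundle "$d/client.pem" "$d/bundle.pem"
    then before=trusted; else before=untrusted; fi
    cat "$d/signing-ca.pem" >> "$d/bundle.pem"    # add the missing root
    if chains_to_bundle "$d/client.pem" "$d/bundle.pem"
    then after=trusted; else after=untrusted; fi
    rm -rf "$d"
    echo "$before $after"
}

demo
```
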