Installation and Upgrade > Advanced Deployment Considerations > Authentication > Configuring an Alternative Authentication in Windchill > SSL/TLS Client Authentication
  
SSL/TLS Client Authentication
There are many ways to handle SSL/TLS authentication. Handling it depends on the security requirements of a specific site. The following are the minimum requirements for achieving SSL/TLS client authentication:
A client certificate must be generated. This is an X.509 public/private certificate pair and is usually stored in a PKCS #12 archive file, which is sometimes referred to as a pkcs12 keystore. It may also be contained in many other keystore formats.
The web server must be configured for HTTPS. For more information, see Configuring HTTPS for PTC HTTP Server and Windchill.
The web server must be configured to verify the client SSL/TLS certificate using the client authentication (CA) certificate that signed the client certificate.
The web server must be configured to enforce SSL/TLS client certificate authentication.
The client must be capable of presenting the SSL/TLS client certificate to the server when challenged.
The SSL/TLS client certificate generation and CA certificates will vary on each site. To generate these certificates and obtain the correct CA certificates, consult with your local SSL/TLS experts. The CA certificate must be used to sign the SSL/TLS client certificate.
* 
Windchill SSL/TLS client authentication is not supported for the Safari browser on Mac OS.