Generate a client certificate that is signed by the root certificate, for example with OpenSSL or Active Directory. The client certificate must include a SubjectAltName (SAN) section containing the email addresses of the clients. These addresses are used to check whether a particular user exists in the LDAP database. The client certificate must then be imported into the clients’ browser.

Note: Import the certificate into the Personal tab of the browser's certificate settings.
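
The OpenSSL route described above, written out as shell functions. This is an added example, not taken from the product's documentation. It assumes the browser import uses a PKCS#12 bundle, and the file names, subjects, e-mail address and the throwaway root CA are constructed stand-ins.

```shell
#!/bin/sh
# Added example. Subjects, file names and the e-mail address are constructed
# sample values; the root CA made here is a throwaway stand-in for the real one.

# make_test_root DIR: create a stand-in root CA (root.key, root.crt) in DIR.
make_test_root() {
    ( cd "$1" && umask 077 &&
      openssl req -new -newkey rsa:2048 -nodes -keyout root.key \
          -out root.csr -subj "/CN=Constructed Test Root CA" &&
      printf 'basicConstraints = critical,CA:TRUE\n' > root.ext &&
      openssl x509 -req -in root.csr -signkey root.key -days 30 -sha256 \
          -extfile root.ext -out root.crt )
}

# issue_client_cert DIR EMAIL: create client.key and a CSR, then sign the CSR
# with the root in DIR. "x509 -req" does not copy extensions from the CSR by
# default, so the SAN e-mail entry is supplied through -extfile.
issue_client_cert() {
    ( cd "$1" && umask 077 &&
      openssl req -new -newkey rsa:2048 -nodes -keyout client.key \
          -out client.csr -subj "/CN=$2" &&
      printf 'subjectAltName = email:%s\nextendedKeyUsage = clientAuth\n' \
          "$2" > client.ext &&
      openssl x509 -req -in client.csr -CA root.crt -CAkey root.key \
          -CAcreateserial -days 365 -sha256 -extfile client.ext \
          -out client.crt )
}

# san_emails CERT: print every e-mail address in the certificate's SAN.
san_emails() {
    openssl x509 -in "$1" -noout -text | grep -o 'email:[^,]*' | cut -d: -f2
}

# chain_ok DIR: succeed only if client.crt verifies against root.crt.
chain_ok() {
    openssl verify -CAfile "$1/root.crt" "$1/client.crt" >/dev/null 2>&1
}

# export_p12 DIR: bundle key, certificate and root as PKCS#12 for browser
# import. The password is read from the P12_PASS environment variable.
export_p12() {
    openssl pkcs12 -export -inkey "$1/client.key" -in "$1/client.crt" \
        -certfile "$1/root.crt" -name "client" \
        -out "$1/client.p12" -passout env:P12_PASS
}
```

With an existing root, skip `make_test_root`, place `root.crt` and `root.key` in the working directory and start at `issue_client_cert`. Running `san_emails` on the issued certificate confirms that the address the LDAP lookup relies on is actually present before the bundle is handed to a user.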