Authenticating to the GUI Using Certificates

As an alternative to password-based authentication, Key Manager administrators can authenticate to the Key Manager GUI using SSL certificates. When a Key Manager administrator has configured certificate authentication, the admin's browser presents their client certificate to the Key Manager front end server, after which the Key Manager admin is logged in without the need to input their user name or password (though they will need to input a passphrase if their client key is encrypted). Certificate authentication resembles public-key authentication in SSH connections, where the user's SSH client presents a public key to allow the user remote access.

note

To set up certificate authentication, the server certificates on your Key Manager front ends must be trusted certificates, signed by your corporate or external CA. For more information about setting up trusted certificates on Key Manager front ends, see the Key Manager Installation Manual.

To enable certificate authentication, you will need to acquire the following certificate files:

  • client key
  • client certificate
  • CA certificate

To acquire the certificate files:

  1. Create a private key for the client:

    # openssl genrsa -out client.key 2048

    This generates the client key client.key in the current working directory. Note that the key generated by the command is unencrypted: the admin will not need a passphrase to log in. If you want to create an encrypted key instead, use a command like the following (replace passphrase with the desired passphrase; the pass: prefix tells openssl that the passphrase is given directly on the command line):

    # openssl genrsa -out client.key -passout pass:passphrase -des3 2048
  2. To obtain the client certificate and the CA certificate, you must generate a Certificate Signing Request (CSR) (replace adminuser with the name of the Key Manager account you want to log in as):

    # openssl req -subj '/CN=adminuser' -key client.key \
    -new -out client.csr

    This generates the CSR client.csr to the current working directory.

  3. If your front-end server certificates were provided by an external CA, send the CSR to that CA. Your CA should then provide you with the client certificate file and the CA certificate file.

  4. Install the client key and the client certificate in your browser. For browser-specific instructions, consult your browser vendor's documentation.

    tip

    In most browsers, it is more convenient to install the client key and the client certificate as a PKCS 12 envelope. You can use openssl to create the envelope.

    For unencrypted client keys, the command is:

    # openssl pkcs12 -export -out client.pfx -inkey client.key \
    -in client.crt -certfile ca.crt

    And for encrypted keys, the command is:

    # openssl pkcs12 -export -out client.pfx -inkey client.key \
    -in client.crt -passin pass:passphrase -certfile ca.crt

    In the above commands replace the example values as follows:

    • client.pfx: The path where you want the envelope to be generated.

    • client.key: The path of the client key.

    • client.crt: The path of the client certificate.

    • ca.crt: The path of the CA certificate.

    • passphrase: The passphrase of the client key.

    You can then import the generated PKCS 12 envelope to your browser.

  5. Optional: Test that certificate authentication works by contacting a Key Manager front end, using the browser where you installed the certificates.
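The five steps above, as an added end-to-end example that is not part of the Key Manager manual: it generates the client key, the CSR and the PKCS 12 envelope, and, before anything is imported into a browser, checks that the client certificate chains to the CA certificate, carries the expected CN and belongs to the private key that will be installed next to it. Because step 3 depends on your CA, the script stands in a throwaway "Lab Test CA" constructed for the example; in real use, your corporate or external CA signs client.csr and returns client.crt and ca.crt. The passphrases are read from environment variables (openssl's env: form) instead of being placed on the command line, where they would land in the shell history; the account name adminuser, the default passphrases and the function names are placeholders of this example.

```sh
#!/bin/sh
# Added example: end-to-end build and verification of the client key, CSR and
# PKCS 12 envelope from the procedure above. Not part of the Key Manager manual.
# "Lab Test CA" is constructed for this example and stands in for your real CA.
set -u

ADMIN_USER="${ADMIN_USER:-adminuser}"            # placeholder account name
: "${CLIENT_KEY_PASS:=example-key-passphrase}"   # constructed default; override in the environment
: "${PFX_PASS:=example-export-passphrase}"       # constructed default; override in the environment
export CLIENT_KEY_PASS PFX_PASS

# Step 1: encrypted client key. The passphrase comes from the environment
# (env: form) so it is not written into the shell history.
make_client_key() {
    openssl genrsa -out "$1/client.key" -aes256 -passout env:CLIENT_KEY_PASS 2048 2>/dev/null
}

# Step 2: CSR whose CN is the Key Manager account to log in as.
make_csr() {
    openssl req -new -subj "/CN=$ADMIN_USER" -key "$1/client.key" \
        -passin env:CLIENT_KEY_PASS -out "$1/client.csr" 2>/dev/null
}

# Step 3 stand-in: a throwaway CA signs the CSR. With a real CA you would
# submit client.csr and receive client.crt and ca.crt instead.
sign_with_lab_ca() {
    openssl req -x509 -new -nodes -newkey rsa:2048 -subj '/CN=Lab Test CA' \
        -days 1 -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
    openssl x509 -req -in "$1/client.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/client.crt" 2>/dev/null
}

# Checks worth running before anything is imported into a browser: the
# certificate chains to ca.crt, names the expected account, and belongs to
# the private key that will be installed alongside it.
verify_client_cert() {
    openssl verify -CAfile "$1/ca.crt" "$1/client.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$1/client.crt" -noout -subject | grep -q "CN *= *$ADMIN_USER" || return 1
    key_mod=$(openssl rsa -in "$1/client.key" -passin env:CLIENT_KEY_PASS -noout -modulus 2>/dev/null)
    crt_mod=$(openssl x509 -in "$1/client.crt" -noout -modulus)
    [ -n "$key_mod" ] && [ "$key_mod" = "$crt_mod" ]
}

# Step 4: PKCS 12 envelope (key + certificate + CA certificate), followed by a
# round trip to confirm it opens with the export passphrase and holds the
# client certificate.
build_pkcs12() {
    openssl pkcs12 -export -out "$1/client.pfx" -inkey "$1/client.key" \
        -in "$1/client.crt" -certfile "$1/ca.crt" \
        -passin env:CLIENT_KEY_PASS -passout env:PFX_PASS 2>/dev/null || return 1
    openssl pkcs12 -in "$1/client.pfx" -passin env:PFX_PASS -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -subject | grep -q "CN *= *$ADMIN_USER"
}

# Runs all steps in a temporary directory; returns 0 only if every check passed.
run_demo() {
    dir=$(mktemp -d) || return 1
    rc=0
    make_client_key "$dir" && make_csr "$dir" && sign_with_lab_ca "$dir" &&
        verify_client_cert "$dir" && build_pkcs12 "$dir" || rc=1
    rm -rf "$dir"
    return "$rc"
}

run_demo && echo "client.pfx built and verified for CN=$ADMIN_USER"
```

The modulus comparison in verify_client_cert catches the common mistake of pairing a certificate with a key other than the one its CSR was built from; such an envelope imports into a browser without complaint but the TLS handshake to the front end then fails. The example uses AES-256 for the key file rather than the 3DES shown earlier; either is accepted by openssl pkcs12 and by browsers.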