Certificate Based Authentication for Users

The CipherTrust Manager authenticates a user's login request by verifying the username and password against its internal database. The CipherTrust Manager can also be configured to authenticate login requests using browser-based web certificates. This section elaborates upon the steps that you need to perform to enable Certificate based Authentication for logging in the CipherTrust Manager.

Step 1: Enable the "Certificate based Login" Option for a User

1. Log on to CipherTrust Manager as an administrator. Navigate to Access Management > Users.

2. Enable the "Certificate based Login" option for the user:

   Note

   For certificate based login to work in any domain for a user:

   1. Add the domain issuer CA of that user certificate as an external CA in the root domain. Ensure the user_authentication for that CA is enabled.

   2. Add this CA to the list of Trusted CAs of the Web interface in the root domain.

   3. Restart the web service (Admin Settings --> Services).

   Note

   The CipherTrust Manager supports fields such as Domain Component (DC) and Given Name (GN) in the Distinguished Name for certificate-based login. Local CAs do not support the DC and GN fields, so they cannot issue certificates with these fields. Use external CA for issuing certificates with DC and GN fields.
   Example:
   DC=DomainComponent,C=IN,ST= State,L=Location,O=Thales,OU=CipherTrust,GN=GivenName,CN=CommonName

   Note

   For root domain users, the CipherTrust Manager doesn't have the option to pass the target domain from UI. The same is applicable for Password and Certificate based login. To pass the domain in user request, use API or curl.  

   For domain users, pass the auth_domain name in the Home Domain field.

   Specifying a Common Name (CN) is mandatory for this feature to work. The entities must be specified carefully in this field, and separated by commas (,).
   For example:
   O=Thales,OU=CipherTrust,CN=User_1
   If Distinguished Name (DN) field contains values that are separated by comma, then those values must be followed by a backslash (\).

   Caution

   For example:
   C=IN,ST=UP,L=Noida,O=CompanyName\,INC,OU=ENC,CN=test

   As per RFC 5280, a multivalued RDN (for instance - OU) should be arranged in a sorted order (using octet string sort), that is, the values with the shorter lengths should come first followed by a lexicographic sorting.
   

   Note

   All the certificates created by the CipherTrust Manager follow this arrangement.
   For example:
   While issuing certificate, if user provides the following subject DN as an input:
   O=Thales,OU=XipherTrust,OU=X,OU=CipherTrust,CN=User_1
   The issued certificate will have the subject DN set as:
   O=Thales,OU=X,OU=CipherTrust,OU=XipherTrust,CN=User_1

   • For existing users:

     1. Click the action button for that user, then click Manage.

     2. Click CONFIGURE CERTIFICATE LOGIN. Select Allow user to login using certificate.

     3. Specify Certificate Subject Distinguished Name for the user.

     4. Click Update Certificate Login.

   • For new users:

     1. Click Create New User. Specify Username and Password for the user.

     2. Select Allow user to login using certificate.

     3. Specify Certificate Subject Distinguished Name for the user.

     4. Click Create.

   Note

   If you select the checkbox Allow user to login using certificate only, it enables the certificate based authentication for logging in to the CipherTrust Manager. Consequently, the user will be restricted to login using browser-based web certificates. For more information, refer Creating a User through GUI.

Step 2: Create and Download the Web Certificate

If using Local CA

1. If using local CA , Go to CA > Local and select the desired CA. If CA doesn't exist, create a new CA.

2. Click Issue Certificate.

   1. Enter the Common Name for this certificate.

      Note

      This common name should be the same common name that you specified while creating the user.

   2. Select the desired algorithm (RSA or ECDSA).

   3. In the Name field, specify the same details that you specified in the certificate_subject_dn property of the user.

      Note

      If subject DN of a certificate and a CA are same then certificate is treated as a self signed certificate. However, the self signed certificates are not recognized by the Web UI of a CipherTrust Manager for certificate login.

   4. Click Issue Certificate.

   5. Click save private key to download the key.pem file.

   6. Click Issue Certificate. The newly created certificate is displayed in the certificates list.

3. Download the certificate issued by the local CA and save it at the same location where the private key is saved.

4. Add the CA to the list of Local Trusted CAs of the Web interface.

5. Restart the web service from the Admin Settings --> Services section. Restarting the web service can take few seconds.

If using External CA

1. Upload the external CA.

2. Navigate to Admin Settings --> Interfaces. The Interface Configuration page is displayed.

3. Click the action button on the Web Interface Configuration, select View/Edit.

4. Add the external CA to the list of External Trusted CAs of the Web interface.

5. Restart the web service from the Admin Settings --> Services section. Restarting the web service can take few seconds.

Step 3: Create and Install pkcs12 Formatted Certificate

1. Install OpenSSL on your machine.

2. Use the following command to convert the key and certificate into a pkcs12 formatted .pfx file:

   openssl pkcs12 -export -out example.pfx -inkey key.pem -in certificate.pem
   

   Where:

   • key.pem is the private key

   • certificate.pem is the certificate file

   • example.pfx is the pkcs12 formatted web certificate that will be installed in the web browser

   This creates a .pfx certificate (example.pfx in the above command) at the same location.

3. Go to the web browser's settings.

4. Import and install the .pfx certificate.

You can now use the web certificate for logging on to CipherTrust Manager. Before logging on, you will be prompted to select the web certificate at the login page.