Certificate Based Authentication

The CipherTrust Manager authenticates a user's login request by verifying the username and password against its internal database. The CipherTrust Manager can also be configured to authenticate login requests using browser-based web certificates. This section elaborates upon the steps that you need to perform to enable Certificate based Authentication for logging in the CipherTrust Manager.

Step 1: Enable the "Certificate based Login" Option for a User

1. Log on to CipherTrust Manager as an administrator. Navigate to Keys & Access management > Users.

2. Enable the "Certificate based Login" option for the user:

   Specifying a Common Name (CN) is mandatory for this feature to work. The entities must be specified carefully in this field, and separated by commas (,).
   For example:
   O=Thales,OU=CipherTrust,CN=User_1
   If Distinguished Name (DN) field contains values that are separated by comma, then those values must be followed by a backslash (\).

   Caution

   For example:
   C=IN,ST=UP,L=Noida,O=CompanyName\,INC,OU=ENC,CN=test

   • For existing users:

     1. Click the action button for that user, then click Manage.

     2. Click CONFIGURE CERTIFICATE LOGIN. Select Allow user to login using certificate.

     3. Specify Certificate Subject Distinguished Name for the user.

     4. Click Update Certificate Login.

   • For new users:

     1. Click Create New User. Specify Username and Password for the user.

     2. Select Allow user to login using certificate.

     3. Specify Certificate Subject Distinguished Name for the user.

     4. Click Create.

Step 2: Create and Download the Web Certificate

If using Local CA

1. Go to Keys & Access Management > CA.

2. Click Local Certificate Authority, and then click Create New Certificate.

   1. Enter the Common Name for this certificate.

      Note

      This common name should be the same common name that was specified while creating the user ("User_1" in previous example).

   2. Select desired algorithm (RSA or ECDSA).

   3. In the Name field, specify the same details that were specified in the certificate_subject_dn property of the user.

   4. Click New Certificate, then click Save Private Key. The Save As window opens up.

   5. Save the key (.pem file) in a secure location on your system.

   6. Click Issue Certificate. The newly created certificate is now displayed in the certificate list.

3. Download this certificate, and save it in the same location where the Private Key is saved.

If using External CA

1. Upload the external CA.

2. Navigate to Admin Settings > System > Interface. The Interface Configuration page is displayed.

3. Click the action button on the Web Interface Configuration, select Edit.

4. Add the new external CA in the External Trusted CAs section. Click Update.

5. Navigate to Admin Settings > System > Services.

6. Restart the web service.

   Note

   Restarting the web service can take few seconds.

Step 3: Create and Install pkcs12 Formatted Certificate

1. Install OpenSSL on your machine.

2. Use the following command to convert the key and certificate into a pkcs12 formatted .pfx file:

   openssl pkcs12 -export -out example.pfx -inkey key.pem -in certificate.pem
   

   Where:

   • key.pem is the private key

   • certificate.pem is the certificate file

   • example.pfx is the pkcs12 formatted web certificate that will be installed in the web browser

   This creates a .pfx certificate (example.pfx in the above command) at the same location.

3. Go to the web browser's settings.

4. Import and install the .pfx certificate.

You can now use the web certificate for logging on to CipherTrust Manager. Before logging on, you will be prompted to select the web certificate at the login page.