New sets of certificate authentication parameters can be created by selecting Settings → Admin Authentication → Certificate authentication parameters and clicking the Add new button.
Certificate authentication parameters consist of the following editable fields:
- Name
This field allows you to give the certificate authentication parameters a descriptive name. This is the name shown in the Certificate parameters drop-down menu when you edit the Authentication settings.
- CA certificate
This is the trusted CA certificate. You can either upload a certificate (if none is defined yet), or delete an existing CA certificate.
- Disable CRL checking
This field defines whether CRL checking is disabled when using these parameters. Note that this affects all certificates. For example, if the CA certificate is a top-level certificate, then CRL checking is disabled also from all intermediate CAs.
A mapping is required to map a TLS client certificate to an admin account. A certificate by itself only authenticates its holder; the authorization part, deciding which admin account the certificate may use, is configured through these mappings.
Each mapping is of a specific type (see the list below) and matches certain fields of the certificate in order to map it to an admin account name. The Match field determines the values or patterns to check for. The User field is either a real admin account name or, for the E-mail address match and Subject name match mapping types, a reference to a sub-match of the matched certificate field value.
The mappings are ordered and are evaluated from top to bottom. The first mapping that matches the certificate determines the admin account name used with that certificate.
There are six possible mapping types, which identify the admin account from the certificate in different ways:
- E-mail address: Matches the certificate e-mail field to the given e-mail address.
- Subject name: Matches the certificate subject name to the given subject name. Note that the subject name has to be given in the X.509 order, for example, C=FI, O=SSH, CN=Admin, instead of the LDAP order, which is the reverse of the X.509 order.
- Serial number: Matches the certificate serial number to the given number. Important: this matches the serial number alone, without tying it to a particular CA, and serial numbers are only unique within a single CA. If you use intermediate CAs, do not use this method.
- Serial number with given issuer: Matches both the certificate serial number and the issuer to the given values.
- E-mail address match: Matches the certificate e-mail address against a given regular expression. The admin account name may contain references to the regular expression's sub-matches. For example, the regular expression could be (.*)@some\.company$ and the account name \1, in which case a certificate with the e-mail address firstname.lastname@example.org maps to admin account
- Subject name match: Matches the certificate subject name against a given regular expression. The admin account name may contain references to the regular expression's sub-matches. For example, the regular expression could be CN=([a-z]+) and the account name \1, in which case a certificate with the subject name OU=Testing, CN=joe would map to admin account joe.
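The evaluation order and the six mapping types above, as an added Python example that is not the product's own code; the mapping dictionaries, certificate values, issuer names and the handling of the \1 back-reference are constructed assumptions modelled on the rules described, and the two certificates sharing serial 4711 illustrate why a serial-number-only mapping is unsafe when several CAs are in play.

```python
import re
# Added example, not the product's own code. A certificate is reduced to the
# fields the mapping types look at; the subject is written in X.509 order.
def evaluate_mappings(cert, mappings):
    """Return the admin account of the first matching mapping, or None."""
    for m in mappings:
        kind, match, user = m["type"], m["match"], m["user"]
        if kind == "email" and cert["email"] == match:
            return user
        if kind == "subject" and cert["subject"] == match:
            return user
        if kind == "serial" and cert["serial"] == match:
            # Serial only: certificates issued by different CAs may share a serial.
            return user
        if kind == "serial_issuer" and (cert["serial"], cert["issuer"]) == match:
            return user
        if kind in ("email_match", "subject_match"):
            field = cert["email"] if kind == "email_match" else cert["subject"]
            hit = re.search(match, field)
            if hit:
                # The User value may reference sub-matches (\1, \2, ...) of the regex.
                return hit.expand(user)
    return None
# Constructed mapping list, evaluated top to bottom; the first match wins.
MAPPINGS = [
    {"type": "subject", "match": "C=FI, O=SSH, CN=Admin", "user": "superuser"},
    {"type": "email_match", "match": r"(.*)@some\.company$", "user": r"\1"},
    {"type": "subject_match", "match": r"CN=([a-z]+)", "user": r"\1"},
    {"type": "serial", "match": "4711", "user": "legacy"},
]
# Constructed certificates with hypothetical values (two different issuing CAs).
ISSUER_A = "C=FI, O=SSH, CN=Intermediate CA 1"
ISSUER_B = "C=FI, O=SSH, CN=Intermediate CA 2"
CERTS = {
    "admin": {"email": "admin@some.company", "subject": "C=FI, O=SSH, CN=Admin",
              "serial": "1", "issuer": ISSUER_A},
    "joe": {"email": "joe@some.company", "subject": "OU=Testing, CN=joe",
            "serial": "2", "issuer": ISSUER_A},
    "joe_ext": {"email": "joe@other.example", "subject": "OU=Testing, CN=joe",
                "serial": "3", "issuer": ISSUER_A},
    "legacy_a": {"email": "x@other.example", "subject": "OU=Ops, CN=Joe2",
                 "serial": "4711", "issuer": ISSUER_A},
    "legacy_b": {"email": "y@other.example", "subject": "OU=Ops, CN=Joe3",
                 "serial": "4711", "issuer": ISSUER_B},
}

def resolve_all(certs=CERTS, mappings=MAPPINGS):
    # Map every constructed certificate to its admin account (None if unmatched).
    return {name: evaluate_mappings(c, mappings) for name, c in certs.items()}
```

Note that "admin" resolves through the exact subject mapping rather than the e-mail regular expression because the subject mapping sits higher in the list, and that both 4711 certificates land on the same account although they come from different CAs.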
To add a new mapping, select its type from the drop-down list and click Add. You can edit a mapping by clicking on its Edit button. If you have clicked Edit on a mapping line, you can then also move the line in the list with the Up and Down buttons. To delete a mapping, click Delete.