has been configured to map the certificate correctly to a DN in the directory. This is needed
for PIN removal only.
• ldap.ldapAuthentication.authtype. Specifies the authentication type, basic authentication
or SSL client authentication, required in order to remove PINs from the authentication
directory.
  • BasicAuth specifies basic authentication. With this option, enter the correct values for
    ldap.ldapAuthentication.bindDN and password parameters; the server uses the DN
    from the ldap.ldapAuthentication.bindDN attribute to bind to the directory.
  • SslClientAuth specifies SSL client authentication. With this option, set the value
    of the ldap.ldapconn.secureConn parameter to true and the value of the
    ldap.ldapAuthentication.clientCertNickname parameter to the nickname of the
    certificate to use for SSL client authentication.
• ldap.basedn. Specifies the base DN for searching the authentication directory; the server
uses the value of the uid field from the HTTP input (what a user enters in the enrollment
form) and the base DN to construct an LDAP search filter.
• ldap.minConns. Specifies the minimum number of connections permitted to the
authentication directory. The permissible values are 1 to 3.
• ldap.maxConns. Specifies the maximum number of connections permitted to the
authentication directory. The permissible values are 3 to 10.
f. Click OK.
4. Customize the enrollment forms by configuring the inputs in the certificate profiles. Include the
information that will be needed by the plug-in to authenticate the user. If the default inputs do not
contain all of the information that needs to be collected, submit a request created with a third-party
tool.
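The parameter constraints listed above for the LDAP authentication plug-in can be checked before the settings are saved. The following is an added example, not code from Certificate System or this guide; it assumes the settings are available as flat name=value lines, that PIN removal is in use, and the sample values are constructed.

```python
# Added example, not Certificate System code: checks the constraints listed above.
# Assumptions: flat "name=value" input, and PIN removal in use (so authtype is set).
def parse_params(text):
    """Parse name=value lines into a dict, skipping blank lines and # comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, value = line.partition("=")  # DN values contain '=' too
            params[name.strip()] = value.strip()
    return params

def in_range(params, name, low, high):
    """True when the named parameter is an integer within [low, high]."""
    try:
        return low <= int(params.get(name, "")) <= high
    except ValueError:
        return False

def check_ldap_auth(params):
    """Return a list of problems; an empty list means the settings are consistent."""
    p = "ldap.ldapAuthentication."
    problems = []
    authtype = params.get(p + "authtype", "")
    if authtype == "BasicAuth":
        if not params.get(p + "bindDN"):
            problems.append("BasicAuth needs " + p + "bindDN")
    elif authtype == "SslClientAuth":
        if params.get("ldap.ldapconn.secureConn", "").lower() != "true":
            problems.append("SslClientAuth needs ldap.ldapconn.secureConn=true")
        if not params.get(p + "clientCertNickname"):
            problems.append("SslClientAuth needs " + p + "clientCertNickname")
    else:
        problems.append("authtype must be BasicAuth or SslClientAuth")
    if not params.get("ldap.basedn"):
        problems.append("ldap.basedn is empty")
    if not in_range(params, "ldap.minConns", 1, 3):
        problems.append("ldap.minConns must be 1 to 3")
    if not in_range(params, "ldap.maxConns", 3, 10):
        problems.append("ldap.maxConns must be 3 to 10")
    return problems

# Constructed sample: SSL client auth selected, but the LDAP connection is not secure.
SAMPLE = """ldap.ldapAuthentication.authtype=SslClientAuth
ldap.ldapconn.secureConn=false
ldap.ldapAuthentication.clientCertNickname=Server-Cert
ldap.basedn=ou=people,dc=example,dc=com
ldap.minConns=2
ldap.maxConns=15"""
print("\n".join(check_ldap_auth(parse_params(SAMPLE))))
```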
9.2.3. Using Certificate-Based Authentication
Certificate-based authentication is when a certificate is presented that verifies the identity of the
requester and automatically validates and authenticates the request being submitted. This is most
commonly used for renewal processes, when the original certificate is presented by the user, server,
and application and that certificate is used to authenticate the request, as illustrated in
Example 4.5, "Certificate-Based Renewal Profile".
There are other circumstances when it may be useful to use certificate-based authentication for initially
requesting a certificate. For example, tokens may be bulk-loaded with generic certificates which are
then used to authenticate the users when they enroll for their user certificates or, alternatively, users
can be issued signing certificates which they then use to authenticate their requests for encryption
certificates.
The certificate-based authentication module, SSLclientCertAuth, is enabled by default, and this
authentication method can be referenced in any custom certificate profile.
9.2.4. Configuring Flat File Authentication
A router certificate is enrolled and authenticated using a randomly-generated PIN. The RA already
recognizes this PIN, so a router request submitted to the RA is automatically approved.