Authenticating With Certificates; When To Use Certificate Authentication; Configuring Epolicy Orchestrator For Certificate Authentication - McAfee EPOCDE-AA-BA - ePolicy Orchestrator - PC Product Manual

7 Configuring advanced server settings

Authenticating with certificates

Authenticating with certificates
Client-side certificate authentication allows a client to use a digital certificate as their authentication
credentials when logging on to an ePolicy Orchestrator server.
This chapter details how and when certificate authentication should be used.
Contents

When to use certificate authentication

Configuring ePolicy Orchestrator for certificate authentication

Uploading server certificates
Removing server certificates
Configuring users for certificate authentication
Problems with certificate authentication
When to use certificate authentication
Certificate authentication is the most secure method available. However, it is not the best choice for all
environments.
Certificate authentication is an extension of public-key authentication. It uses public keys as a basis,
but differs from public-key authentication in that you only need to trust a trusted third party known as
a certification authority (or CA). Certificates are digital documents containing a combination of identity
information and public keys, and are digitally signed by the CA who verifies that the information is
accurate.
Advantages of certificate-based authentication
Certificate-based authentication has a number of advantages over password authentication:
• Certificates have predefined lifetimes. This allows for a forced, periodic review of a user's
permissions when their certificate expires.
• If a user's access must be suspended or terminated, the certificate can be added to a certificate
revocation list, or CRL, which is checked on each logon attempt to prevent unauthorized access.
• Certificate authentication is more manageable and scalable in large institutions than other forms of
authentication because only a small number of CAs (frequently only one) must be trusted.
Disadvantages of certificate-based authentication
Not every environment is best for certificate-based authentication. Disadvantages of this method
include:
• A public-key infrastructure is required. This can add additional cost that in some cases may not be
worth the additional security.
• Additional overhead in maintaining certificates is required when comparing to password-based
authentication.
Configuring ePolicy Orchestrator for certificate authentication
Before users can log on with certificate authentication, ePolicy Orchestrator must be configured properly.
Before you begin
You must have already received a signed certificate in P7B, PKCS12, DER, or PEM format.
®
58 McAfee ePolicy Orchestrator
®
4.6.0 Software Product Guide