Validation of enrolled certificates possible?


Remark: Split the links to comply with the user rules for new users.

I’m currently working with privacyIDEA and evaluate it. So far, the richness of its features is very pleasing.

One of those features is the enrollment of X.509 certificates. Up until now, however, I was not able to get the validation to work. I stumbled upon https:// github. com/privacyidea/privacyidea/wiki/concept:-certificates:-authentication, https:// github. com/privacyidea/privacyidea/wiki/concept%3A-certificates, as well as https:// github. com/privacyidea/privacyidea/issues/24. In the last one, the implementation of a validate/check interface was still open. The issue has been closed, which led to the assumption that it would work. However, after looking through the documentation, I could not find a way to check a certificate.

What I did:

  • Create a local CA (using the easy setup; refer to http:// privacyidea.readthedocs. io/en/latest/configuration/caconnectors.html?highlight=certificate%20enrollment#easy-setup)
  • Enroll a certificate, generating the key on the server and downloading the pkcs12-file
  • Import that pkcs12-file in the client’s browser
  • Visit (with that browser) /validate/check?user=bla&pass=&realm=bla2 (note, pass= is empty, because I thought it would trigger something like a challenge, similar to the SMS-Token)

Sadly, that did not work out.

Could you/anyone elaborate on the process of validation with certificates? Is that possible? If yes, how? I would be very glad to integrate certificates in the self-service portal. It would greatly reduce the time for rolling out and securing, while preserving security.

With kind regards,

Authentication with certificates is not implemented. (The checkbox in #24 is not checked.)
So you can enroll the certificates with privacyIDEA; but you need to use the certificates with the corresponding application.
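Since the reply above says privacyIDEA only enrolls the certificate and the relying application has to use it, the following added example (not privacyIDEA code, not part of this thread) reproduces the post's flow with plain openssl, a local CA, an enrolled user certificate bundled as PKCS#12, and then shows the check the application itself has to perform: chain validation against the CA plus a validity-period check, with a self-signed certificate carrying the same CN rejected. The directory, file names, the user names and the PKCS#12 password "changeit" are constructed for this example.

```shell
#!/bin/sh
# Added example: local CA -> enrolled client cert (PKCS#12) -> application-side
# validation with openssl. Paths, names and password are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# 1. A local CA, standing in for the "easy setup" CA connector.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Local CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. Enroll a user certificate: key generated on the server side, signed by the
#    CA, bundled as PKCS#12 (the file the user downloads and imports into the browser).
enroll_client() {
  user="$1"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$user" \
    -keyout "$WORK/$user.key" -out "$WORK/$user.csr" 2>/dev/null
  openssl x509 -req -days 90 -in "$WORK/$user.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/$user.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/$user.key" -in "$WORK/$user.crt" \
    -passout pass:changeit -out "$WORK/$user.p12"
}

# A self-signed certificate with the same CN that was NOT issued by our CA,
# to show that the subject name alone proves nothing.
make_rogue() {
  user="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=$user" \
    -keyout "$WORK/rogue-$user.key" -out "$WORK/rogue-$user.crt" 2>/dev/null
}

# 3. What the relying application does: verify that the presented certificate
#    chains to the trusted CA and is inside its validity period. Returns 0 on success.
validate_cert() {
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

# Map a validated certificate to a user name (here the CN) for authorization.
cert_subject_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *//; s/^CN=//; s/,.*//'
}

make_ca
enroll_client alice
make_rogue alice
validate_cert "$WORK/alice.crt" \
  && echo "alice.crt: issued by our CA, maps to user $(cert_subject_cn "$WORK/alice.crt")"
validate_cert "$WORK/rogue-alice.crt" \
  || echo "rogue-alice.crt: rejected, not issued by our CA"
```

The browser-side import of the .p12 is the same as in the post; the difference is that the application (a TLS-terminating proxy or the web app itself) must present the CA certificate as its trust anchor and run the equivalent of `validate_cert` before mapping the CN to a user, because the `/validate/check` endpoint will not do this for a certificate token.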