Version: Axidian Privilege 3.4

X.509 Certificate

An X.509 certificate is a digital document for verifying users, servers, devices, or websites. The certificate uses a Public Key Infrastructure (PKI) and contains owner information, a public key, and a digital signature from the CA validating the certificate's authenticity.

During authentication, Axidian Privilege verifies the certificate and compares the Distinguished Name (DN) extracted from the certificate's Subject field with the Subject value stored for the user in PAM. If the values match, the user is logged in to the Axidian Privilege console.

To set up X.509 certificate authentication:

  1. Prepare X.509 certificates according to the requirements and place them in the host certificate store.
  2. Select the certificate authentication mode.
  3. Add the certificate Subject value for users in Axidian Privilege.
    Each user must have a unique Subject.
  4. Open the user or administrator console and authenticate using the X.509 certificate.
Info: Proxy components do not support certificate authentication.
To access resources, enable the Session opening without re-authentication and/or SSH key authentication options.

Certificate requirements

  • A valid certificate in .cer, .crt, .pem, or .der format.
  • The certificate is signed by a root certificate or an issuing CA certificate.
  • The Subject field specifies the DN in RFC 4514 format.
    Example: CN=John Smith,OU=Development,O=Company,C=US.

Configuration setup

To enable X.509 certificate authentication:

  1. In the admin console, go to Configuration → User Authentication.

  2. For the Certificate authentication parameter, select the mode:

    • Enabled (optional) — users can log in using a certificate or a username and password.

    • Mandatory for users with specified certificate Subject — users with a specified certificate Subject can log in only using a certificate. Other users log in with a username and password.

    • Mandatory for all users — console login is only possible using a certificate.

      Caution: When selecting the Mandatory for all users mode, ensure that users have the Subject field filled in correctly, otherwise they will not be able to log into the console.

  3. Click Save.

Adding a certificate Subject

Info: To add a Subject value for a user, the administrator must have the Manage X.509 certificate Subject for users claim.

Specify the Subject value for all users with X.509 certificate authentication enabled. If Subject is not set or entered incorrectly, the user will not be able to log into the console.

To add a certificate Subject:

  1. In the admin console, go to the Users section.

  2. Open the user profile and go to the Authenticators tab.

  3. Next to the Subject field, click the button and select one of the options:

    • Paste manually — enter the certificate Subject value.

      Example (single line, comma-separated):
      CN=John Smith,OU=Development Department,O=Company
      Example (multiline):
      CN=John Smith
      OU=Development Department
      O=Company
    • Upload certificate — select and upload a certificate in .cer, .crt, .pem, or .der format.
      If the certificate is correct, the recognized Subject value will be displayed.

  4. Click Save.
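As an added example (not code from the Axidian documentation or product), the following Python pre-flight check lets an administrator confirm, before switching on a mandatory mode, that the Subject value entered for a user denotes the same RDN sequence as the certificate's Subject DN. It accepts both forms shown above (single-line comma-separated and multiline) and the RFC 4514-style DN printed by `openssl x509 -in user.pem -noout -subject -nameopt RFC2253`; the parsing and normalisation rules (one RDN per line in the multiline form, case-insensitive attribute types, exact values after unescaping) are this example's own assumptions, not a description of how the product compares values.

```python
"""Pre-flight check: does the Subject entered for a user in Axidian Privilege
match the certificate's Subject DN?  Certificate DN assumed to come from
`openssl x509 -in user.pem -noout -subject -nameopt RFC2253`; the PAM value is
the single-line or multiline text from the Authenticators tab.  The
normalisation rules here are this example's own assumptions."""

def _split_unescaped(text: str, sep: str) -> list[str]:
    """Split on `sep` while honouring backslash escapes such as '\\,'."""
    parts, cur, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2]); i += 2
        elif text[i] == sep:
            parts.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(text[i]); i += 1
    parts.append("".join(cur))
    return parts

def _unescape(value: str) -> str:
    """Resolve RFC 4514 escapes: '\\,' -> ',' and hex pairs like '\\2C' -> ','."""
    buf, i = bytearray(), 0
    while i < len(value):
        pair = value[i + 1:i + 3]
        if value[i] == "\\" and len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
            buf += bytes.fromhex(pair); i += 3
        elif value[i] == "\\" and i + 1 < len(value):
            buf += value[i + 1].encode(); i += 2
        else:
            buf += value[i].encode(); i += 1
    return buf.decode()

def parse_subject(text: str) -> list[tuple[str, str]]:
    """Parse single-line (comma-separated) or multiline Subject text into
    [(TYPE, value), ...]; assumes one RDN per line in the multiline form."""
    text = text.strip()
    if text.lower().startswith("subject="):  # prefix printed by openssl
        text = text[len("subject="):]
    rdns = text.splitlines() if "\n" in text else _split_unescaped(text, ",")
    parsed = []
    for rdn in (r.strip() for r in rdns if r.strip()):
        if "=" not in rdn:  # e.g. an unescaped comma split a value in two
            raise ValueError(f"not a TYPE=value pair: {rdn!r}")
        attr_type, raw = rdn.split("=", 1)
        parsed.append((attr_type.strip().upper(), _unescape(raw.strip())))
    return parsed

def subject_matches(cert_subject: str, pam_subject: str) -> bool:
    """True when both strings denote the same ordered sequence of RDNs."""
    return parse_subject(cert_subject) == parse_subject(pam_subject)
```

A value that itself contains a comma (for example an organisation name such as "Company, Inc") must be escaped as `\,` in the single-line form; left unescaped it is split into a fragment without `=` and the check raises `ValueError` instead of silently producing a Subject that will never match.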

Console login

Info: If the certificate is incorrect or expired, restart the browser and choose a different certificate.

  1. Open the user or administrator console.
  2. In the window that appears, select the correct X.509 certificate and click OK.