Using Client Certificates

The Client Certificate authentication mechanism is a secure way of accessing protected resources on a server. In the authorization header, you provide the details of the client certificate. The server verifies the certificate and, if it is valid, grants access to the resources. When you use certificates as the authentication mechanism, user credentials are not stored anywhere.

Note: As a security measure, it is recommended that you use client certificates whose private keys are protected with a passphrase.

On ESA, the Client Certificate authentication includes the following steps:

  1. In the authorization header, you must provide the required details: the client certificate, the client key, and the CA certificate.
  2. The ESA retrieves the name of the user from the client certificate and authenticates it with the LDAP or AD.
  3. After authenticating the user, the role of that user is validated:
    • If the role of the user is Security Officer, then the user can run read and write operations on the REST APIs.
    • If the role of the user is Security Viewer, then the user can only run read operations on the REST APIs.
  4. On successful authentication, you can utilize the API services.

The following curl snippet shows how to access an API on ESA.

curl -k https://<ESA IP Address>/<path of the API> -X <METHOD> --key <client.key> --cert <client.pem> --cacert <CA.pem> -v --insecure

You must provide your certificate every time you access the REST APIs on ESA.
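The following shell script is an added example, not part of the ESA documentation or ESA's own tooling. It wraps the procedure above in a small preflight: it checks that the client key is passphrase-protected (as the note recommends), models the Security Officer / Security Viewer rule from step 3 on the client side so that a viewer does not issue write requests that ESA would reject anyway, and then builds the curl invocation. Unlike the snippet above, it omits -k and --insecure (which are the same option) so that --cacert actually verifies the ESA server certificate. Assumptions: the host name, API path, and file names are placeholders; "read operations" is taken to mean GET and HEAD; and the key check relies on the standard PEM markers for encrypted keys ("BEGIN ENCRYPTED PRIVATE KEY" for PKCS#8, "Proc-Type: 4,ENCRYPTED" for legacy OpenSSL keys).

```shell
#!/bin/sh
# Added example: preflight wrapper for ESA client-certificate REST calls.
# Not ESA's own code. Host, path and file names below are placeholders.

# key_is_encrypted FILE
# Returns 0 when the PEM private key in FILE is passphrase-protected.
# Assumption: encrypted keys carry one of the two standard PEM markers.
key_is_encrypted() {
    grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$1"
}

# role_allows ROLE METHOD
# Client-side model of the rule ESA enforces after authentication:
# Security Officer may read and write, Security Viewer may only read.
# Assumption: "read" means GET or HEAD.
role_allows() {
    case "$1" in
        "Security Officer") return 0 ;;
        "Security Viewer")
            case "$2" in
                GET|HEAD) return 0 ;;
                *) return 1 ;;
            esac ;;
        *) return 1 ;;
    esac
}

# build_esa_curl HOST PATH METHOD KEY CERT CA
# Prints the curl command. The server certificate is verified against CA,
# so neither -k nor --insecure is used.
build_esa_curl() {
    printf 'curl --cacert %s --cert %s --key %s -X %s https://%s%s' \
        "$6" "$5" "$4" "$3" "$1" "$2"
}

# esa_request ROLE METHOD HOST PATH KEY CERT CA
# Runs the checks above and prints the command to run; returns non-zero
# (with a reason on stderr) if any check fails.
esa_request() {
    er_role=$1; er_method=$2; er_host=$3; er_path=$4
    er_key=$5; er_cert=$6; er_ca=$7
    for f in "$er_key" "$er_cert" "$er_ca"; do
        [ -r "$f" ] || { echo "missing file: $f" >&2; return 2; }
    done
    key_is_encrypted "$er_key" || {
        echo "refusing: $er_key is not passphrase-protected" >&2; return 3; }
    role_allows "$er_role" "$er_method" || {
        echo "refusing: role '$er_role' may not use $er_method" >&2; return 4; }
    build_esa_curl "$er_host" "$er_path" "$er_method" "$er_key" "$er_cert" "$er_ca"
}

# Usage (placeholders):
#   esa_request "Security Viewer" GET esa.example.internal /api/v1/status \
#       client.key client.pem CA.pem
if [ $# -eq 7 ]; then
    esa_request "$@"
fi
```

The script only prints the command rather than executing it, so you can review the exact flags before curl prompts for the key passphrase; pipe it to sh when you are satisfied.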

Last modified : August 23, 2024