Enabling X.509 authentication - BlueCat Integrity - 26.1.0

Address Manager Administration Guide

Product name: BlueCat Integrity
Version: 26.1.0

How to enable X.509 authentication.

You will need to enable X.509 authentication as part of the HTTPS configuration.

To enable X.509 authentication:

  1. Select the Settings tab in the sidebar.
  2. Under System security, select Web access.
  3. Set the following parameters:
    Note: When replication is configured between Address Manager servers, web access settings for primary and standby servers are represented on separate tabs.
    • HTTPS enabled—select the checkbox to enable HTTPS.
    • X509 authenticator—select an X.509 authenticator previously added to Address Manager. For more information, refer to X.509 authentication.
  4. Under Server certificate settings, select Set custom certificates.
  5. Complete the following:
    • Use previously configured private key—select to use the previously configured private key stored in the Address Manager database.
      Note: Deselect this check box only if you want to upload a new private key. Address Manager will warn you that uploading a new private key will overwrite the key already stored in the Address Manager database.
    • Upload private key—use the upload box to select or drag and drop the private key file (<common_name>.key) associated with the server certificate on your local machine or workstation.
      Attention:
      • The private key must comply with PKCS #8 standards.
      • The private key must be in PEM format and must only contain one key. It can't contain multiple keys or certificates. You can validate the key using openssl and the following command (if there's no password, omit the -passin pass:<password> parameter):
        openssl rsa -noout -modulus -in <private key file> -passin pass:<password>

        If the beginning of the output contains Modulus=, the key is valid.

    • Password—enter an alphanumeric password to secure your private key.
    • Upload domain signed certificate—use the upload box to select or drag and drop the signed server certificate (<common_name>.crt) on your local machine or workstation.
      Attention: The certificate must be in PEM format and must only contain one certificate. It can't contain multiple certificates or keys. You can validate the certificate using openssl and the following command:
      openssl x509 -noout -modulus -in <certificate file>

      If the beginning of the output contains Modulus=, the certificate is valid.

    • Upload intermediate bundle certificate—use the upload box to select or drag and drop the associated CA certificate bundle (<common_name>.ca-bundle) on your local machine or workstation. The CA certificate bundle must include the root and any intermediary CA certificates required to authenticate the CA signature of the server certificate.
      Attention: The bundle must be in PEM format, and must only contain one root certificate and the chain of intermediate certificates that match the domain certificate. You can validate the bundle using openssl and the following command:
      openssl x509 -noout -modulus -in <bundle file>

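      If the beginning of the output contains Modulus=, the first certificate in the bundle is valid. Note that openssl x509 reads only the first certificate in a file, so this command does not check the remaining certificates in the chain.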

  6. In the Change control section, add comments if required.
  7. Select Update web access settings. The Address Manager server will be temporarily unavailable as the changes are committed and the server restarts.
When you finish configuring HTTPS, X.509 authentication is enabled.
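
The format constraints listed in step 5 can be checked on all three files before upload. The script below is an added example, not BlueCat tooling. It also compares the key with the certificate and verifies the certificate against the bundle. It assumes a POSIX shell with openssl on the PATH; the KEY_PASS variable name and the fake_pem helper (which only builds constructed dummy blocks for the no-argument demo) are hypothetical.

```sh
#!/bin/sh
# Added example: pre-upload checks for the key, certificate and CA bundle.

# Count PEM BEGIN lines in file $1 whose label matches extended regex $2.
pem_count() { grep -Ec -- "^-----BEGIN ($2)-----" "$1" || true; }

# Constructed PEM block with a dummy body (not a real key or certificate).
fake_pem() { printf '%s\n' "-----BEGIN $1-----" "AAAA" "-----END $1-----"; }

# Private key: exactly one PEM block, carrying a PKCS #8 label.
# PKCS #1 ("RSA PRIVATE KEY") and SEC1 ("EC PRIVATE KEY") labels fail.
check_key() {
    [ "$(pem_count "$1" '.*')" -eq 1 ] &&
        [ "$(pem_count "$1" '(ENCRYPTED )?PRIVATE KEY')" -eq 1 ]
}

# Server certificate: exactly one PEM block, and it is a certificate.
check_cert() {
    [ "$(pem_count "$1" '.*')" -eq 1 ] &&
        [ "$(pem_count "$1" 'CERTIFICATE')" -eq 1 ]
}

# CA bundle: one or more certificates and nothing else (no keys).
check_bundle() {
    total=$(pem_count "$1" '.*')
    [ "$total" -ge 1 ] && [ "$(pem_count "$1" 'CERTIFICATE')" -eq "$total" ]
}

# Key and certificate belong together when their public keys are identical.
# Passphrase comes from $KEY_PASS (assumed name) so it stays off the command line.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout ${KEY_PASS:+-passin env:KEY_PASS}) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey) || return 1
    [ "$k" = "$c" ]
}

if [ "$#" -eq 3 ]; then    # usage: sh precheck.sh <key> <cert> <bundle>
    check_key "$1"    || { echo "key: need one PKCS #8 PEM key" >&2; exit 1; }
    check_cert "$2"   || { echo "cert: need exactly one PEM certificate" >&2; exit 1; }
    check_bundle "$3" || { echo "bundle: certificates only" >&2; exit 1; }
    key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; exit 1; }
    openssl verify -CAfile "$3" "$2"    # bundle must chain to the server cert
else                       # no arguments: demo on a constructed PKCS #1 block
    d=$(mktemp -d)
    fake_pem 'RSA PRIVATE KEY' > "$d/pkcs1.key"
    check_key "$d/pkcs1.key" || echo "PKCS #1 key rejected: not PKCS #8"
    rm -rf "$d"
fi
```

A non-zero exit status means at least one file does not meet the upload constraints or the key and certificate do not belong together.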