Setting up certificate authentication for API remote access
If you have access to the Venafi server, you can also configure certificate authentication for API users in Venafi Configuration Console. For information, see Access Management.
If you have access to the Web SDK, you can modify these settings via the API Authorize and OAUTH endpoints. For example, to configure certificate authentication via API, see POST Authorize/Certificate.
These steps do not configure your system to allow end users to use certificate authentication for the web console. That requires additional steps that are described in Setting up certificate authentication for web console.
There are two parts to setting up certificate authentication: first, you need to enable and configure it in Trust Protection Platform, and second, you need to configure Microsoft IIS Manager to accept it. For specific steps, see the following procedures.
- From the Platform menu bar, click API > Default Settings.
- In the Authentication section, check the box for Certificate.
  Fields specific to certificate authentication are shown.
- In the Location field, select the field on the X.509 certificate you want to use for matching users with your system's unique identities.
- In the Trusted certificate authorities field, select which CA(s) you want to use as trusted root CAs for issuing client certificates for authentication.
  Use the check boxes to select multiple CAs if needed.
- Click Save.
Now that Trust Protection Platform is configured to allow API users to authenticate with certificates, you need to configure some settings in IIS.
The VEDAuth server manages certificate authentication for remote Web SDK clients. Even though VEDAuth challenges the client for a certificate, IIS still requires anonymous authentication.
The VEDAuth server can manage both Username/Password and Certificate Authentication. However, do not mix these methods of authentication with Windows Authentication.
- Open Server Manager on the Venafi server.
- Click Tools.
- Click Internet Information Services (IIS) Manager.
- Navigate to Sites > Venafi > VEDAuth.
- Click SSL Settings.
- Under Client Certificates, specify how to process authentication methods such as Username & Password, Integrated Windows Authentication, or Certificate:
  - Accept: Trust Protection Platform Authentication Server allows multiple authentication methods.
  - Require: Trust Protection Platform Authentication Server allows only certificate authentication.
- Click Apply.
- On the VEDAuth web site, click Authentication, and then enable Anonymous Authentication. For multiple authentication methods, enable Windows Authentication.
- Configure additional certificate authentication settings as necessary. For more information, see Setting up access token authentication.
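The IIS part of the procedure above can also be applied and checked from an elevated PowerShell session with the WebAdministration module, which is useful when you manage several Venafi servers or want to audit that VEDAuth is still set the way you intended. The script below is an added example and is not part of the Venafi documentation or product; it assumes the site is named Venafi with VEDAuth directly under it (the path shown in the steps) and that the WebAdministration module is installed. The Accept and Require choices map to the IIS sslFlags values that IIS Manager writes for the same radio buttons.

```powershell
# Added example (not Venafi's code): configure and verify the VEDAuth SSL and
# authentication settings described in the procedure above.
# Assumes: WebAdministration module present, elevated session, site path "Venafi/VEDAuth".
Import-Module WebAdministration

$ApphostPath = 'MACHINE/WEBROOT/APPHOST'   # applicationHost.config, where IIS Manager writes these settings

function Set-VedAuthClientCertMode {
    param(
        [Parameter(Mandatory)] [ValidateSet('Accept', 'Require')] [string]$Mode,
        [string]$Location = 'Venafi/VEDAuth',   # assumed site/application path from the steps
        [switch]$EnableWindowsAuth                # only for the multiple-method (Accept) case
    )

    # IIS Manager "Accept"  -> Ssl,SslNegotiateCert
    # IIS Manager "Require" -> Ssl,SslNegotiateCert,SslRequireCert
    $flags = if ($Mode -eq 'Require') { 'Ssl,SslNegotiateCert,SslRequireCert' }
             else                     { 'Ssl,SslNegotiateCert' }

    Set-WebConfigurationProperty -PSPath $ApphostPath -Location $Location `
        -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value $flags

    # VEDAuth challenges for the certificate itself, so IIS must still allow anonymous access.
    Set-WebConfigurationProperty -PSPath $ApphostPath -Location $Location `
        -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
        -Name 'enabled' -Value $true

    # Windows Authentication is only switched on when explicitly requested for the Accept case.
    $winAuth = [bool]($EnableWindowsAuth -and $Mode -eq 'Accept')
    Set-WebConfigurationProperty -PSPath $ApphostPath -Location $Location `
        -Filter 'system.webServer/security/authentication/windowsAuthentication' `
        -Name 'enabled' -Value $winAuth
}

function Get-VedAuthAuthSettings {
    param([string]$Location = 'Venafi/VEDAuth')

    # Read the effective values back so the result can be reviewed or compared across servers.
    $access = Get-WebConfiguration -PSPath $ApphostPath -Location $Location `
        -Filter 'system.webServer/security/access'
    $anon   = Get-WebConfiguration -PSPath $ApphostPath -Location $Location `
        -Filter 'system.webServer/security/authentication/anonymousAuthentication'
    $win    = Get-WebConfiguration -PSPath $ApphostPath -Location $Location `
        -Filter 'system.webServer/security/authentication/windowsAuthentication'

    [pscustomobject]@{
        Location              = $Location
        SslFlags              = $access.sslFlags
        ClientCertMode        = if ($access.sslFlags -match 'SslRequireCert') { 'Require' }
                                elseif ($access.sslFlags -match 'SslNegotiateCert') { 'Accept' }
                                else { 'Ignore' }
        AnonymousAuthEnabled  = [bool]$anon.enabled
        WindowsAuthEnabled    = [bool]$win.enabled
    }
}

# Usage: certificate-only API access, then print what IIS now holds.
Set-VedAuthClientCertMode -Mode 'Require'
Get-VedAuthAuthSettings | Format-List
```

If Get-VedAuthAuthSettings reports ClientCertMode as Ignore or AnonymousAuthEnabled as False, the VEDAuth site will not complete certificate authentication for remote Web SDK clients even though the Trust Protection Platform side is configured; rerun the Set function or revisit SSL Settings and Authentication in IIS Manager for the VEDAuth node.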