Authentication Using Client Certificates, Part 2
Set up client certificates to enable client certificate handling using a CLI or REST API, configure the client certificate, and add authorization using root certificates.
Enable Client Certificates With the CLI or REST API
Use the above code where settings.json contains a JSON object with the state set to either mandatory and has a triple prefix as described in the previous article. The prefix is an array of these fields. Using the examples in Part 1 of this article, the following is how settings.json might look:
We can also use the REST API to do the same.
Configuring the Client Certificates Using Root Authorization
These steps are similar to how we set up the certificates in another DZone article: https://dzone.com/articles/authentication-using-server-side-x509-certificates
We first need to create a private key using OpenSSL:
openssl genrsa -out client.key 2048 2>/dev/null
Next, we need to create a certificate signing request (CSR). A CSR is a request sent from an applicant to a CA to apply for a certificate. You can customize it by adding to or limiting the capabilities of the X.509 certificate using an extension file:
For an extensive list of all the standard extensions, see section 4.2 of RFC 5280 on the X.509 PKI and CRL profile: https://tools.ietf.org/html/rfc5280.
Now we need to generate the client certificate:
ca.key represent the root certificate's private and public keys as generated here (while setting up the X509 server certificates).
Use the certificate to authenticate client requests.
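The key, CSR and signing steps above, run end to end as an added example (not the article's own commands, apart from the genrsa line). It assumes a throwaway root CA, a constructed extension file and a hypothetical user name, and checks that the issued certificate is accepted for TLS client use and rejected for server use.

```bash
#!/bin/sh
# Added example: key -> CSR -> extension file -> client certificate signed by a root CA.
# The throwaway CA, the subject name and every file other than client.key are
# constructed for this demo (assumptions, not values from the article).
set -eu

issue_client_cert() {
    dir=$1    # empty, writable working directory
    user=$2   # hypothetical user name placed in the subject CN

    # Stand-in root CA so the example runs offline. In practice, reuse the root
    # key and certificate created when the server certificates were set up.
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 30 -sha256 -key "$dir/ca.key" \
        -subj "/CN=Demo Root CA" -out "$dir/ca.pem"

    # Private key: the command shown in the article.
    openssl genrsa -out "$dir/client.key" 2048 2>/dev/null

    # CSR carrying the identity the server will see.
    openssl req -new -key "$dir/client.key" -subj "/CN=$user" -out "$dir/client.csr"

    # Extension file (RFC 5280 section 4.2): not a CA, signing only, TLS client use only.
    cat > "$dir/client.ext" <<EOF
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF

    # The CA signs the CSR and applies the extensions from the file.
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$dir/client.ext" \
        -out "$dir/client.pem" 2>/dev/null
}

# Succeeds only if the certificate chains to the CA for TLS client use
# and is rejected for TLS server use.
check_client_cert() {
    dir=$1
    openssl verify -purpose sslclient -CAfile "$dir/ca.pem" "$dir/client.pem" >/dev/null 2>&1 &&
    ! openssl verify -purpose sslserver -CAfile "$dir/ca.pem" "$dir/client.pem" >/dev/null 2>&1
}

workdir=$(mktemp -d)
issue_client_cert "$workdir" clientuser
check_client_cert "$workdir" && echo "client.pem in $workdir: valid for clientAuth only"
```

Without the extendedKeyUsage line the same certificate would also pass the sslserver purpose check, which is why the extension file is worth setting explicitly.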
For more information or details on configuring client certificates for multiple clients and using the intermediate certificate to configure your client certificate, visit Couchbase's docs - Managing Certificates.