Twistlock supports certificate-based authentication for the Console UI and the API.
Twistlock has always provided username/password authentication. In addition, Twistlock supports certificate-based authentication for the Console UI and the API. This is especially useful for organizations in government and financial services that use multi-factor authentication built on X.509 certificates. It also applies to users who authenticate with Active Directory accounts. This feature lets customers control which CAs are trusted to sign the certificates used for authentication.
This procedure shows you how to set up Twistlock for certificate-based authentication.
If you’re using certificates to authenticate against Active Directory accounts, Twistlock uses the UserPrincipalName field in the SAN to match the certificate to the user in Active Directory. This is the same process used by Windows clients for authentication, so for most customers, the existing smart card certificates you’re already using can also be used for authentication to Twistlock.
Save the CA certificate(s) used to sign the certificates that you’ll use for authentication to Twistlock.
The certificate has to be in PEM format. If you have multiple CAs that issue certificates to your users, concatenate their PEM files together. For example, if you have Issuing CA 1 and Issuing CA 2, create a combined PEM file like this:
$ cat issuing-ca-1.pem issuing-ca-2.pem > issuing-cas.pem
Log into Console, and go to Manage > Authentication > System Certificates.
Set Advanced certificate configuration to Show.
Scroll down to Console Authentication, and upload your CA certificate(s) in PEM format.
Click Save.
Open the Console login page in your browser. When prompted, select your user certificate.
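The concatenation step above silently produces a bundle that strict PEM readers reject when the first file has no trailing newline, because its END armor line is glued to the next BEGIN line. This added checker (not part of Twistlock's documentation) normalizes a bundle and verifies that each block decodes to a complete DER SEQUENCE before you upload it; the sample bundle and its stub certificate bodies are constructed for illustration and are not real certificates.

```python
import base64
import re

# Constructed sample: two PEM blocks whose bodies are tiny DER stubs, not real
# certificates. The first file lacked a trailing newline, so `cat` glued its
# END line to the next BEGIN line, the defect this checker repairs and reports.
STUB_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])  # SEQUENCE { INTEGER 1 }
STUB_B64 = base64.b64encode(STUB_DER).decode()    # "MAMCAQE="
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\n" + STUB_B64 + "\n-----END CERTIFICATE-----"
    "-----BEGIN CERTIFICATE-----\n" + STUB_B64 + "\n-----END CERTIFICATE-----\n"
)

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def normalize_bundle(text: str) -> str:
    """Put every PEM armor line on its own line so strict PEM readers accept it."""
    text = text.replace("\r\n", "\n")
    text = re.sub(r"(-----END CERTIFICATE-----)(?=-----BEGIN)", r"\1\n", text)
    return text if text.endswith("\n") else text + "\n"


def der_outer_length(der: bytes) -> int:
    """Return the total encoded length claimed by the outer SEQUENCE header."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("block does not start with a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or len(der) < 2 + n:
        raise ValueError("bad DER length encoding")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def split_bundle(text: str) -> list[bytes]:
    """Decode each certificate block and check that its DER framing is intact."""
    ders = []
    for i, m in enumerate(PEM_BLOCK.finditer(normalize_bundle(text)), 1):
        body = "".join(m.group(1).split())
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError as exc:         # binascii.Error is a ValueError
            raise ValueError(f"block {i}: base64 is corrupt ({exc})") from None
        if der_outer_length(der) != len(der):
            raise ValueError(f"block {i}: truncated or padded certificate")
        ders.append(der)
    if not ders:
        raise ValueError("no CERTIFICATE blocks found")
    return ders
```

Write `normalize_bundle(open("issuing-cas.pem").read())` back to the file before uploading if the count returned by `split_bundle` matches the number of issuing CAs you expect.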
See Assigning roles to learn how to add users and assign roles to them.