PKI authentication (Personal Certificate)

This topic describes Public Key Infrastructure (PKI) authentication, and how to configure PKI authentication for the PVWA.

Overview

PKI enables the use of certificates so that servers and users can identify each other and establish a secure connection. Among other things, certificates contain cryptographic keys that are used to encrypt the messages sent between the two parties and to ensure their integrity.

The CyberArk Vault fits into your existing PKI by letting users utilize their personal certificate to authenticate to the Vault. In addition, users can optionally be required to provide password authentication when they log on to the Vault through the PVWA as another authentication method.

When a user logs on to the Vault using the PKI authentication method, the user and the Server establish an SSL (Secure Sockets Layer) connection. During the SSL handshake, the parties exchange certificates and check their validity. They also check that the other party’s certificate was issued by a trusted CA (Certification Authority).

To authenticate to the Vault through the PrivateArk Client, CyberArk recommends implementing CyberArk password or LDAP authentication. However, if your organization requires PKI authentication through the PrivateArk Client, you can configure the Vault to authenticate users with a Vault certificate and private key. For more information, refer to Configure PKI authentication for the PrivateArk Client.

Configure PKI Authentication for the PVWA

During installation, the PVWA is automatically configured to support PKI authentication for users who select this authentication method. However, if these authentication configurations have been changed and the PVWA currently doesn’t support PKI authentication, you can configure it using the procedure in Configure PKI authentication for the PrivateArk Client.

Make sure that all users who are required to authenticate using PKI authentication exist in the Vault, whether they have been provisioned using LDAP integration or were created manually as CyberArk users.

Requirements

SSL Certificate – A web server certificate that has been certified by a Certificate Authority (CA).

Enable PKI authentication in the new PVWA interface

The new PVWA interface, released with version 10, can be displayed in version 9.8 and higher for specific functionality. The following procedure describes how to configure PKI authentication in the new PVWA interface.


This can only be configured in version 9.8 and higher.

Test PKI Authentication in the PVWA


Make sure that your personal certificate is accessible. If your certificate is stored on an external hardware device, such as a Smart Card or a USB token, attach it to the computer before you try to log on.

In the PVWA, in the list of available authentication methods, click pki. Depending on your browser and its security configuration, one of the following happens:

The PVWA automatically locates the user’s certificate and logs the user on to the Vault,

or,

A list of certificates is displayed, from which the user selects a certificate and is logged on to the Vault.

Authenticate with PKIPN

In addition to authenticating users with the distinguished name that is specified in the client certificate, the PVWA can also authenticate users with the Principal Name property from the client certificate.
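The server-side checks described on this page (the certificate must be valid and issued by a trusted CA, and the user is then identified by the certificate's distinguished name or by its Principal Name), written out as an added example in Python with the `cryptography` library. This is not CyberArk's code: the test CA, the user name and the UPN value are constructed here, and `authenticate_client` and `issue_client_cert` are names chosen for the example.

```python
import datetime as dt

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID, ObjectIdentifier

UPN_OID = ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")  # Principal Name otherName type in the SAN
HOUR = dt.timedelta(hours=1)


def _bound(cert: x509.Certificate, attr: str) -> dt.datetime:
    """Validity bound as an aware UTC datetime (the *_utc properties exist from cryptography 42)."""
    return getattr(cert, attr + "_utc", None) or getattr(cert, attr).replace(tzinfo=dt.timezone.utc)


def authenticate_client(cert: x509.Certificate, trusted_ca: x509.Certificate, use_principal_name: bool) -> str:
    """Return the identity to map to a Vault user, or raise if the certificate must be rejected."""
    if not _bound(cert, "not_valid_before") <= dt.datetime.now(dt.timezone.utc) <= _bound(cert, "not_valid_after"):
        raise ValueError("certificate is outside its validity period")
    if cert.issuer != trusted_ca.subject:
        raise ValueError("certificate was not issued by the trusted CA")
    # Check the CA's signature over the to-be-signed part; raises InvalidSignature if it does not verify.
    trusted_ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(cert.signature_hash_algorithm))
    if ExtendedKeyUsageOID.CLIENT_AUTH not in cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value:
        raise ValueError("certificate is not valid for client authentication")
    if not use_principal_name:
        return cert.subject.rfc4514_string()  # the distinguished name, e.g. CN=alice,O=Example Org
    san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    for other in san.get_values_for_type(x509.OtherName):
        if other.type_id == UPN_OID:  # value is a DER UTF8String: tag 0x0c, one length byte (< 128)
            return other.value[2:].decode("utf-8")
    raise ValueError("certificate carries no Principal Name")


def issue_client_cert(cn: str, upn: str):
    """Constructed sample input: a throwaway CA and a client certificate carrying upn as its Principal Name."""
    now = dt.datetime.now(dt.timezone.utc)
    ca_key, leaf_key = ec.generate_private_key(ec.SECP256R1()), ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Test CA")])
    ca = (x509.CertificateBuilder().subject_name(ca_name).issuer_name(ca_name).public_key(ca_key.public_key())
          .serial_number(1).not_valid_before(now - HOUR).not_valid_after(now + HOUR)
          .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
          .sign(ca_key, hashes.SHA256()))
    subject = x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Org"), x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    upn_der = b"\x0c" + bytes([len(upn)]) + upn.encode("utf-8")  # DER UTF8String for a short UPN
    leaf = (x509.CertificateBuilder().subject_name(subject).issuer_name(ca_name).public_key(leaf_key.public_key())
            .serial_number(2).not_valid_before(now - HOUR).not_valid_after(now + HOUR)
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
            .add_extension(x509.SubjectAlternativeName([x509.OtherName(UPN_OID, upn_der)]), critical=False)
            .sign(ca_key, hashes.SHA256()))
    return ca, leaf
```

A certificate signed by a CA that is not in the trust store fails at the signature check, which is the "issued by a trusted CA" test from the overview; the DN and Principal Name paths differ only in which field of an already-verified certificate is used as the user identity.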