User certificates instead of passwords?

How do I issue a user certificate for the default admin user? I believe I can then use that certificate to log in to the management API instead of a password.

Additionally, is there a way to disable password authentication and therefore require either:

  1. a user certificate, or
  2. an expiring session token?

If I understand correctly, this means I can use either a certificate or a password to obtain the session token for the management API and potentially share that token with another process by way of delegating temporary authority to act on my behalf, and that process will not need either the password or the certificate to use the session token until it expires.

1 Like

The Management API allows for the creation of authenticators directly.

You should be able to do:

POST /edge/management/v1/authenticators/
{
    "method": "cert",
    "identityId": "qNYyfJgHk>",
    "certPem": "-----BEGIN CERTIFICATE-----\n..."
}

Where certPem is a client certificate that has been signed by a known CA (1st or 3rd party). After ensuring the authenticator works, the password authenticator can be deleted via:

DELETE /authenticators/{id}

2 Likes
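
Added example, not part of the original posts and not the project's own code: a pre-flight check that builds the JSON body for the POST shown in the answer, refusing input that contains a private key and escaping the PEM newlines as in the answer's snippet. The helper names, the identity id placeholder and the sample bytes are constructed for illustration; sending only a single leaf certificate is an assumption of this example.

```python
import base64
import json
import re

API_PATH = "/edge/management/v1/authenticators/"  # path quoted in the answer above
_PEM = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)


def wrap_pem(der: bytes) -> str:
    """Encode DER bytes as a CERTIFICATE PEM block with LF line endings."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def extract_client_cert(pem_text: str) -> str:
    """Return the one CERTIFICATE block in pem_text, re-wrapped and normalised."""
    if "PRIVATE KEY-----" in pem_text:
        raise ValueError("input contains a private key; upload only the certificate")
    certs = [body for label, body in _PEM.findall(pem_text) if label == "CERTIFICATE"]
    if len(certs) != 1:  # assumption of this example: leaf certificate only
        raise ValueError(f"expected one CERTIFICATE block, found {len(certs)}")
    # validate=True rejects stray characters (binascii.Error is a ValueError)
    der = base64.b64decode("".join(certs[0].split()), validate=True)
    if der[:1] != b"\x30":  # every X.509 certificate is a DER SEQUENCE
        raise ValueError("CERTIFICATE block does not contain DER data")
    return wrap_pem(der)


def build_request(identity_id: str, pem_text: str):
    """Return (method, path, json_body) for the cert authenticator request."""
    body = {"method": "cert", "identityId": identity_id,
            "certPem": extract_client_cert(pem_text)}
    # json.dumps turns each PEM newline into a literal \n, as in the answer
    return "POST", API_PATH, json.dumps(body)


# Constructed sample: DER-shaped filler bytes, NOT a real or valid certificate.
SAMPLE_PEM = wrap_pem(b"\x30\x82\x01\x00" + bytes(range(256)))

if __name__ == "__main__":
    # "IDENTITY_ID_PLACEHOLDER" stands in for the admin identity's id.
    print(*build_request("IDENTITY_ID_PLACEHOLDER", SAMPLE_PEM), sep="\n")
```

The check only validates framing and encoding; whether the certificate chains to a known CA is still decided by the controller when the request is made.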