Certificate Token
Starting with version 2.3 privacyIDEA supports certificates. A user can submit a certificate signing request (including an attestation certificate), upload a certificate, or generate a certificate signing request in the browser.
privacyIDEA does not sign certificate signing requests itself but connects to existing certificate authorities. To do so, you need to define CA Connectors.
Certificates are attached to the user just like normal tokens. One token of type certificate always contains only one certificate.
If you have defined a CA connector you can upload a certificate signing request (CSR) via the Token Enroll Dialog in the WebUI.
You need to choose the CA connector; the certificate will be signed by that CA accordingly. Just like all other tokens, the certificate token can be attached to a user.
Generating Signing Requests
You can also generate the signing request directly in your browser.
This uses the keygen HTML tag, which is not supported by Internet Explorer.
When generating the certificate signing request this way, the RSA key pair is generated on the client side in the browser; the private key never leaves the client.
The certificate is signed by the CA behind the chosen CA connector.
Afterwards the user can install the certificate into the browser.
By requiring OTP authentication for users to log in to the WebUI (see login_mode), you can require two-factor authentication before a user is allowed to enroll a certificate.
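The command-line equivalent of the two enrolment paths above (uploading a CSR via the WebUI, or generating one in the browser with keygen, a tag that has since been removed from current browsers) is to generate the key pair and CSR locally with openssl and hand only the CSR to privacyIDEA. The following script is an added example and not part of the privacyIDEA documentation or code base. It assumes the openssl CLI is installed, that the enrolment endpoint is POST /token/init taking type=certificate, ca=<connector name>, user=<user> and request=<PEM CSR> with a PI-Authorization header, and uses the placeholder connector name myCA; verify these against the API reference of your privacyIDEA version.

```shell
#!/bin/sh
# Added example (not privacyIDEA's own code): generate a client RSA key pair and
# a PKCS#10 CSR with the openssl CLI, verify the CSR's self-signature, and show
# how the PEM could be handed to privacyIDEA's token enrolment endpoint.
# Endpoint name, parameters and the CA connector name "myCA" are assumptions.
set -eu

# Generate a 2048-bit RSA key and a CSR in one step. The private key stays on
# this host; only the CSR (public key + subject, self-signed) goes to the CA.
make_csr() {
    key="$1"; csr="$2"; subject="$3"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$key" -out "$csr" -subj "$subject" 2>/dev/null
}

# Check the CSR's self-signature: this proves whoever built the request holds
# the private key matching the embedded public key. Exit status 0 on success.
verify_csr() {
    openssl req -in "$1" -noout -verify 2>/dev/null
}

# Print the subject so an operator can compare it with the user the token will
# be assigned to before the CA connector signs it.
csr_subject() {
    openssl req -in "$1" -noout -subject
}

# Upload the CSR to privacyIDEA (assumed: POST /token/init, type=certificate,
# ca=<connector>, user=<user>, request=<PEM>, PI-Authorization header).
# The request is only sent when PI_URL and PI_TOKEN are set, so the script
# runs offline; otherwise it reports what it would do.
submit_csr() {
    csr="$1"; ca="$2"; user="$3"
    if [ -n "${PI_URL:-}" ] && [ -n "${PI_TOKEN:-}" ]; then
        curl -sS -X POST "$PI_URL/token/init" \
            -H "PI-Authorization: $PI_TOKEN" \
            --data-urlencode "type=certificate" \
            --data-urlencode "ca=$ca" \
            --data-urlencode "user=$user" \
            --data-urlencode "request@$csr"
    else
        echo "PI_URL/PI_TOKEN not set; would POST $csr to /token/init with ca=$ca for user $user"
    fi
}
```

Run it as `make_csr client.key client.csr "/CN=alice/O=example" && verify_csr client.csr && submit_csr client.csr myCA alice` after exporting PI_URL and PI_TOKEN. The verify step matters on the server side as well: a CA connector should only sign requests whose self-signature checks out and whose subject matches the user the token is being enrolled for, which is the comparison csr_subject makes visible.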