KB Article #102545
How to Configure Certificate Based Login for VA
Summary
This article describes how to configure certificate-based login to the VA admin UI. The login uses the browser's TLS client authentication certificate: the admin server requests a client certificate during the TLS handshake, and VA then validates that certificate against the CAs it trusts for admin-server client authentication and the revocation data (CRL or OCSP) it holds for the issuing CA.
Prerequisites
- A user certificate (as a .pfx/PKCS#12 file containing the private key, for import into the browser's certificate store) and the certificate of the issuing CA are needed.
- VA Server must be able to validate the user certificate, i.e. it must hold current revocation data (CRL or OCSP) for the issuing CA.
Steps to configure the certificate-based login
Importing User Certificate (CAPI Store)
To import the user certificate into the Microsoft CAPI Store
- Open the Certificate Import Wizard by double-clicking the .pfx file
- Select the Store Location (e.g. Current User)
- Check and confirm the displayed file name
- Enter the private key password
- Select “Place all certificates in the following store”
- Click on Browse and select Personal
- Click on Next and then Finish
Configuring Validation Authority
1) Configure the user
- Login to Admin UI
- Click on User Settings
- Click on User Accounts
- Click on the Edit button of an existing user or create a new user
- Select Certificate-based
- Select “Create a new password for user:” and enter a password (this is only used for the initial set-up login)
- Click on “Submit User Parameters”
2) Add the CA certificate that issued the user certificate into the VA certificate store
- Click on “Keys and Certificates”
- Click on “Certificates”
- Select “Trusted CAs for Client Authentication For Admin Server”
- Click on Submit
- Click on Add
- Select the import method and add the certificate to the store
NOTE:
Adding the CA also writes the file adminserverca.crt to disk (Windows example: C:\ProgramData\Axway\VA\entserv\adminserverca.crt) and adds the SSLCACertificateFile parameter to the httpd.conf file. Because httpd.conf is only read at start-up, the VA admin service (Apache HTTP server) must be restarted before the new CA is used: on Windows, restart the Admin UI server from the Services panel; on Linux, use the apachectl command.
3) Configure VA Server to validate the user certificate
- Select User Settings -> General Settings
- Select “Enable OCSP Certificate Based Authentication”
- Click on Submit General User Data.
- Click on Start/Stop Server and restart the server.
4) Make sure VA Server can validate the user certificate
- Select CRLs -> CRLs & OCSP Databases
- Find the CA which issued the user certificate
- Make sure a current CRL is available for that CA; without it VA cannot validate the user certificate
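The checks behind steps 2 and 4 can be rehearsed outside the product. The script below is an added example, not part of the KB article and not Axway's code: it builds a constructed root CA, issuing CA and user certificate with openssl, then runs the same three checks the admin server and VA need to pass on the browser's certificate: a complete chain to a trusted CA, the client-authentication purpose, and a revocation check against the issuing CA's CRL. All CA names, subjects and file names are made up; the only real tool used is openssl.

```shell
#!/bin/sh
# Added example, not from the KB article or from Axway. Builds a constructed
# root CA -> issuing CA -> user certificate with openssl, then runs the checks
# the VA admin server needs to pass on the browser's client certificate:
# a complete chain to a trusted CA, client-authentication purpose, and a
# revocation check against the issuing CA's CRL. All names and files are
# made up for the example.
set -eu

WORK=$(mktemp -d)
cd "$WORK"
q() { "$@" >/dev/null 2>&1; }   # run a command quietly; set -e still aborts on failure

# --- constructed PKI -------------------------------------------------------
printf '[req]\ndistinguished_name = dn\n[dn]\n' > req.cnf
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' > user.ext

newkey_csr() {   # $1 = file stem, $2 = subject
  q openssl req -config req.cnf -new -newkey rsa:2048 -nodes -subj "$2" \
      -keyout "$1.key" -out "$1.csr"
}
newkey_csr root    '/CN=Example Root CA'
newkey_csr issuing '/CN=Example Issuing CA'
newkey_csr user    '/CN=va-admin'

q openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext -out root.pem
q openssl x509 -req -in issuing.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 30 -extfile ca.ext -out issuing.pem
q openssl x509 -req -in user.csr -CA issuing.pem -CAkey issuing.key -CAcreateserial \
    -days 30 -extfile user.ext -out user.pem

# What belongs in "Trusted CAs for Client Authentication For Admin Server":
# the issuing CA and every CA above it, not the issuing CA alone.
cat issuing.pem root.pem > chain.pem

# Minimal "openssl ca" setup so the issuing CA can publish a CRL.
mkdir cadb; : > cadb/index.txt; echo 01 > cadb/crlnumber
cat > ca.cnf <<'EOF'
[ca]
default_ca = issuing
[issuing]
database         = cadb/index.txt
crlnumber        = cadb/crlnumber
certificate      = issuing.pem
private_key      = issuing.key
default_md       = sha256
default_crl_days = 30
EOF
q openssl ca -config ca.cnf -gencrl -out empty.crl     # CRL with nothing revoked
q openssl ca -config ca.cnf -revoke user.pem           # revoke the user certificate
q openssl ca -config ca.cnf -gencrl -out revoked.crl   # CRL that now lists it

# --- the checks ------------------------------------------------------------
# chain_ok CERT BUNDLE: CERT chains to a trusted root in BUNDLE and is usable
# for TLS client authentication (what the admin server checks in the handshake).
chain_ok() { q openssl verify -purpose sslclient -CAfile "$2" "$1"; }

# crl_ok CERT BUNDLE CRL: chain_ok plus a revocation check of CERT against the
# issuing CA's CRL (what VA does with the CRL it holds for that CA).
crl_ok() { q openssl verify -purpose sslclient -CAfile "$2" -crl_check -CRLfile "$3" "$1"; }

show() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fi; }
show chain_ok user.pem issuing.pem             # FAIL: issuing CA alone, root missing
show chain_ok user.pem chain.pem               # PASS: complete chain imported
show crl_ok   user.pem chain.pem empty.crl     # PASS: CRL present, user not revoked
show crl_ok   user.pem chain.pem revoked.crl   # FAIL: user certificate is revoked
```

The first FAIL is the situation the Troubleshooting section warns about: with only the issuing CA in the trusted store there is no path to a root, so the client certificate is rejected even though it is perfectly valid. To run the same checks against real material, replace user.pem with the certificate exported from the browser's Personal store, chain.pem with the contents of the "Trusted CAs for Client Authentication For Admin Server" store, and the CRL with the one VA downloaded for the issuing CA.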
Verification
- Go to VA Admin UI
- Select Certificate Authentication
- Click Login
- Enter the initial set-up username and password you assigned to the user account
NOTE:
If the personal certificate store of your browser contains more than one certificate, the browser may prompt you to choose one the first time you log in; after that it always uses the certificate you selected.
Troubleshooting
If the certificate-based login still does not work correctly, check the following points:
1) Make sure TLSv1.3 is not enabled in the httpd.conf file (SSLProtocol directive; see https://support.axway.com/en/articles/article-details/id/183170)
2) Import not only the certificate of the CA that issued the user certificate into the VA store “Trusted CAs for Client Authentication For Admin Server”, but also the complete certificate chain above that CA (any intermediate CAs up to the root), so that the admin server can build a full path from the user certificate to a trusted root.
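The NOTE under step 2 (SSLCACertificateFile must be present before the restart) and troubleshooting point 1 (TLSv1.3 must be off) both come down to two directives in the admin server's httpd.conf. The following script is an added example, not part of the KB article and not Axway's code: it checks both conditions against a configuration file so they can be verified before restarting the admin server. The two configuration files in it are constructed stand-ins for the VA httpd.conf, and the paths in them are hypothetical; the SSLProtocol evaluation rules are Apache's own.

```shell
#!/bin/sh
# Added example, not from the KB article or from Axway: check the two
# httpd.conf conditions the certificate-based login depends on before
# restarting the admin server. The two configuration files are constructed
# stand-ins for the VA admin server's httpd.conf; their paths are hypothetical.
set -eu

WORK=$(mktemp -d)

# Constructed "before" state: TLSv1.3 still allowed, no client CA file yet.
cat > "$WORK/httpd.before.conf" <<'EOF'
SSLEngine on
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCertificateFile    "/opt/axway/va/entserv/server.crt"
SSLCertificateKeyFile "/opt/axway/va/entserv/server.key"
SSLVerifyClient optional
EOF

# Constructed "after" state: what the CA import adds (SSLCACertificateFile) and
# what troubleshooting point 1 asks for (-TLSv1.3).
cat > "$WORK/httpd.after.conf" <<'EOF'
SSLEngine on
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.3
SSLCertificateFile    "/opt/axway/va/entserv/server.crt"
SSLCertificateKeyFile "/opt/axway/va/entserv/server.key"
SSLCACertificateFile  "/opt/axway/va/entserv/adminserverca.crt"
SSLVerifyClient optional
EOF

# tls13_enabled CONF: true if SSLProtocol still lets TLSv1.3 be negotiated.
# Apache evaluates the tokens left to right: "all" switches every supported
# protocol on (TLSv1.3 included on Apache 2.4.37+ built against OpenSSL 1.1.1+),
# "+X"/"X" adds one, "-X" removes one. A later SSLProtocol line replaces an
# earlier one, and with no line at all Apache's default ("all -SSLv3") applies.
tls13_enabled() {
  awk 'BEGIN { last = 1 }
       tolower($1) == "sslprotocol" {
         on = 0
         for (i = 2; i <= NF; i++) {
           t = tolower($i)
           if (t == "all" || t == "tlsv1.3" || t == "+tlsv1.3") on = 1
           else if (t == "-tlsv1.3") on = 0
         }
         last = on
       }
       END { exit (last ? 0 : 1) }' "$1"
}

# ca_file_configured CONF: print the SSLCACertificateFile path and succeed,
# or fail if the directive is absent (i.e. the CA was never added to the
# "Trusted CAs for Client Authentication For Admin Server" store).
ca_file_configured() {
  awk 'tolower($1) == "sslcacertificatefile" { gsub(/"/, "", $2); path = $2; found = 1 }
       END { if (found) print path; exit (found ? 0 : 1) }' "$1"
}

# check_conf CONF: report both conditions; exit status 0 only if both hold.
check_conf() {
  rc=0
  if tls13_enabled "$1"; then
    echo "  TLSv1.3 still negotiable: add -TLSv1.3 to SSLProtocol"; rc=1
  else
    echo "  TLSv1.3 disabled"
  fi
  if ca=$(ca_file_configured "$1"); then
    echo "  SSLCACertificateFile = $ca"
  else
    echo "  SSLCACertificateFile missing: add the CA via Keys and Certificates"; rc=1
  fi
  return $rc
}

echo "before:"; check_conf "$WORK/httpd.before.conf" || true
echo "after:";  check_conf "$WORK/httpd.after.conf"
```

Run check_conf against the real httpd.conf after adding the CA in the admin UI and before restarting the service; if it reports the CA file as missing, the store import did not reach the configuration and restarting the server will not help. The script only reads the file and does not restart anything, so it is safe to run on a production admin server.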