Requires client certificate authentication and a rule in the Worker's authorization list that matches one of the fields of the client's certificate. The issuing CA certificates must be in the application server trust store. Authorized clients are configured manually using the SignClient interface.
Configuring the Worker
To use the Client Certificate Authorizer, set the AUTHTYPE of the Worker to CLIENTCERT. See Authorization Type Properties.
Authorization-related commands are used to configure the client authorization rules for a Worker when the Client Certificate Authorizer is used as AUTHTYPE.
For information on how to list, add, and remove rules in the Admin Web, see the Worker Authorization Page.
Using the AdminCLI
In the Administration CLI, use the authorizedclients command to add, remove, or list the client authorization rules on a Worker.
Usage:

```
signserver authorizedclients -worker <worker name or ID> -list
signserver authorizedclients -worker <worker name or ID> <-add/-remove> \
    -matchSubjectWithType <SUBJECT_MATCH_TYPE> -matchSubjectWithValue <value> \
    [-matchIssuerWithType <ISSUER_MATCH_TYPE>] -matchIssuerWithValue <issuer DN> \
    [-description <textual description>]
signserver authorizedclients -worker <worker name or ID> <-add/-remove> \
    -matchSubjectWithType <SUBJECT_MATCH_TYPE> \
    [-matchIssuerWithType <ISSUER_MATCH_TYPE>] \
    [-description <textual description>] \
    -cert <PEM file>
```
Supported values for -matchSubjectWithType:

| Type | Description |
|---|---|
| CERTIFICATE_SERIALNO | Serial number of the certificate. |
| SUBJECT_RDN_CN | Common Name (CN) RDN in textual representation from Subject DN. |
| SUBJECT_RDN_SERIALNO | Serial number (serialNumber/SN) RDN in textual representation from Subject DN. |
| SUBJECT_RDN_C | Country (C) RDN in textual representation from Subject DN. |
| SUBJECT_RDN_DC | Domain Component (DC) RDN in textual representation from Subject DN. |
| SUBJECT_RDN_ST | State or Province (ST) RDN in textual representation from Subject DN. |
| SUBJECT_RDN_L | Locality (L) RDN in textual representation from Subject DN. |
| SUBJECT_RDN_O | Organization (O) RDN in textual representation from Subject DN. |
| SUBJECT_RDN_OU | Organizational Unit (OU) RDN in textual representation from Subject DN. |
| SUBJECT_RDN_TITLE | Title (title) RDN in textual representation from Subject DN. |
| SUBJECT_RDN_UID | Unique ID (UID) RDN in textual representation from Subject DN. |
| SUBJECT_RDN_E | E-mail address in DN (E) RDN in textual representation from Subject DN. |
| SUBJECT_ALTNAME_RFC822NAME | RFC822Name Subject Alternative Name. |
| SUBJECT_ALTNAME_MSUPN | MS UPN Subject Alternative Name. |
Supported values for -matchIssuerWithType:

| Type | Description |
|---|---|
| ISSUER_DN_BCSTYLE | Issuer DN in textual EJBCA/BC DN style. |
For more information on the authorizedclients command, see Authorization Commands.
Examples
Example 1:

```
signserver authorizedclients -worker CMSSigner -list
```

Example 2:

```
signserver authorizedclients -worker CMSSigner -add \
    -matchSubjectWithType SUBJECT_RDN_CN -matchSubjectWithValue "Client One" \
    -matchIssuerWithValue "CN=AdminCA1, C=SE"
```

Example 3:

```
signserver authorizedclients -worker CMSSigner -add \
    -matchSubjectWithType SUBJECT_RDN_CN -matchSubjectWithValue "Client One" \
    -matchIssuerWithType ISSUER_DN_BCSTYLE -matchIssuerWithValue "CN=AdminCA1, C=SE" \
    -description "my rule"
```

Example 4:

```
signserver authorizedclients -worker CMSSigner -add \
    -matchSubjectWithType CERTIFICATE_SERIALNO -matchIssuerWithType ISSUER_DN_BCSTYLE \
    -cert /tmp/admin.pem
```

Example 5:

```
signserver authorizedclients -worker CMSSigner -remove \
    -matchSubjectWithType CERTIFICATE_SERIALNO \
    -matchIssuerWithType ISSUER_DN_BCSTYLE \
    -cert /tmp/admin.pem
```
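The following is an added illustration of how a rule like the ones in Examples 2 and 3 is evaluated against a client certificate; it is not SignServer's code and does not describe its internals. The certificate is a constructed dict of already-parsed fields rather than a real X.509 object, and the comparison details (issuer DN compared after stripping whitespace around RDNs, serial numbers compared as lowercase hex without leading zeros) are assumptions of this model. The `add_rule_command` helper renders the AdminCLI invocation for a rule so the quoting of values with spaces is visible.

```python
import shlex
from dataclasses import dataclass
from typing import Any, Dict

# Constructed sample client certificate (not a real certificate): only the
# fields the authorizer rules look at, already "parsed" into plain values.
CLIENT_CERT: Dict[str, Any] = {
    "serial_hex": "1a2b3c",
    "subject_rdns": [("CN", "Client One"), ("O", "Example Org"), ("C", "SE")],
    "issuer_dn_bcstyle": "CN=AdminCA1,C=SE",
    "san": {"rfc822Name": ["client.one@example.com"], "msUPN": []},
}

# Subject match types from the table above -> which certificate field to read.
RDN_ATTRIBUTE = {
    "SUBJECT_RDN_CN": "CN", "SUBJECT_RDN_SERIALNO": "serialNumber",
    "SUBJECT_RDN_C": "C", "SUBJECT_RDN_DC": "DC", "SUBJECT_RDN_ST": "ST",
    "SUBJECT_RDN_L": "L", "SUBJECT_RDN_O": "O", "SUBJECT_RDN_OU": "OU",
    "SUBJECT_RDN_TITLE": "title", "SUBJECT_RDN_UID": "UID", "SUBJECT_RDN_E": "E",
}
SAN_FIELD = {"SUBJECT_ALTNAME_RFC822NAME": "rfc822Name",
             "SUBJECT_ALTNAME_MSUPN": "msUPN"}


@dataclass(frozen=True)
class AuthorizedClientRule:
    """One entry of a Worker's authorization list (hypothetical model class)."""
    match_subject_type: str
    match_subject_value: str
    match_issuer_value: str
    match_issuer_type: str = "ISSUER_DN_BCSTYLE"
    description: str = ""


def normalize_dn(dn: str) -> str:
    """Assumption of this model: whitespace around the comma-separated RDNs is
    ignored, so "CN=AdminCA1, C=SE" equals "CN=AdminCA1,C=SE". Escaped commas
    inside attribute values are not handled here."""
    return ",".join(part.strip() for part in dn.split(","))


def normalize_serial(serial: str) -> str:
    """Assumption: serials compare as lowercase hex without leading zeros."""
    return serial.lower().lstrip("0") or "0"


def rule_matches(rule: AuthorizedClientRule, cert: Dict[str, Any]) -> bool:
    """True only if both the issuer part and the subject part of the rule match."""
    if rule.match_issuer_type != "ISSUER_DN_BCSTYLE":
        raise ValueError(f"unsupported issuer match type {rule.match_issuer_type}")
    if normalize_dn(rule.match_issuer_value) != normalize_dn(cert["issuer_dn_bcstyle"]):
        return False
    t = rule.match_subject_type
    if t == "CERTIFICATE_SERIALNO":
        return normalize_serial(rule.match_subject_value) == normalize_serial(cert["serial_hex"])
    if t in RDN_ATTRIBUTE:
        # An RDN attribute may occur more than once in a DN; any occurrence may match.
        values = [v for (attr, v) in cert["subject_rdns"] if attr == RDN_ATTRIBUTE[t]]
        return rule.match_subject_value in values
    if t in SAN_FIELD:
        return rule.match_subject_value in cert["san"][SAN_FIELD[t]]
    raise ValueError(f"unsupported subject match type {t}")


def add_rule_command(worker: str, rule: AuthorizedClientRule) -> str:
    """Render the AdminCLI command that would create this rule, shell-quoted."""
    args = ["signserver", "authorizedclients", "-worker", worker, "-add",
            "-matchSubjectWithType", rule.match_subject_type,
            "-matchSubjectWithValue", rule.match_subject_value,
            "-matchIssuerWithType", rule.match_issuer_type,
            "-matchIssuerWithValue", rule.match_issuer_value]
    if rule.description:
        args += ["-description", rule.description]
    return shlex.join(args)


if __name__ == "__main__":
    rule = AuthorizedClientRule("SUBJECT_RDN_CN", "Client One",
                                "CN=AdminCA1, C=SE", description="my rule")
    print(add_rule_command("CMSSigner", rule))
    print("matches constructed certificate:", rule_matches(rule, CLIENT_CERT))
```

Note that the issuer check is evaluated first and is not optional in this model: a certificate with the right CN from a different CA does not match, which is the reason the issuer DN is part of every rule.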