Client Certificate Authorizer

Requires the client to authenticate with a client certificate, and requires that a rule in the Worker's authorization list matches one of the fields of that certificate. The client certificates must be trusted by the application server's trust store. Authorized clients are configured manually using the SignClient interface.

Configuring the Worker

To use the Client Certificate Authorizer, set the AUTHTYPE of the Worker to CLIENTCERT. See Authorization Type Properties.

Authorization-related commands are used to configure the client authorization rules for a Worker when the Client Certificate Authorizer is used as AUTHTYPE.

For information on how to list, add, and remove rules in the Admin Web, see the Worker Authorization Page.

Using the AdminCLI

In the Administration CLI, use the authorizedclients command to add, remove, or list the client authorization rules on a Worker.

Usage: signserver authorizedclients -worker <worker name or ID> -list
       signserver authorizedclients -worker <worker name or ID> <-add/-remove> \
          -matchSubjectWithType <SUBJECT_MATCH_TYPE> -matchSubjectWithValue <value> \
          [-matchIssuerWithType <ISSUER_MATCH_TYPE>] -matchIssuerWithValue <issuer DN> \
          [-description <textual description>]
       signserver authorizedclients -worker <worker name or ID> <-add/-remove> \
          -matchSubjectWithType <SUBJECT_MATCH_TYPE> \
          [-matchIssuerWithType <ISSUER_MATCH_TYPE>] \
          [-description <textual description>] \
          -cert <PEM file>

Supported values for -matchSubjectWithType:

Type                          Description
CERTIFICATE_SERIALNO          Serial number of the certificate.
SUBJECT_RDN_CN                Common Name (CN) RDN in textual representation from Subject DN.
SUBJECT_RDN_SERIALNO          Serial number (serialNumber/SN) RDN in textual representation from Subject DN.
SUBJECT_RDN_C                 Country (C) RDN in textual representation from Subject DN.
SUBJECT_RDN_DC                Domain Component (DC) RDN in textual representation from Subject DN.
SUBJECT_RDN_ST                State or Province (ST) RDN in textual representation from Subject DN.
SUBJECT_RDN_L                 Locality (L) RDN in textual representation from Subject DN.
SUBJECT_RDN_O                 Organization (O) RDN in textual representation from Subject DN.
SUBJECT_RDN_OU                Organizational Unit (OU) RDN in textual representation from Subject DN.
SUBJECT_RDN_TITLE             Title (title) RDN in textual representation from Subject DN.
SUBJECT_RDN_UID               Unique ID (UID) RDN in textual representation from Subject DN.
SUBJECT_RDN_E                 E-mail address in DN (E) RDN in textual representation from Subject DN.
SUBJECT_ALTNAME_RFC822NAME    RFC822Name Subject Alternative Name.
SUBJECT_ALTNAME_MSUPN         MS UPN Subject Alternative Name.

Supported values for -matchIssuerWithType:

Type                          Description
ISSUER_DN_BCSTYLE             Issuer DN in textual EJBCA/BC DN style.

For more information on the authorizedclients command, see Authorization Commands.
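The rule types above are easier to reason about with a small model of how an authorization list is evaluated. The following is an added example and not SignServer's own ClientCertAuthorizer code: it assumes (as the usage above implies) that every rule pairs one subject field, or the certificate serial number, with an issuer DN, and that a client is authorized only when some rule matches both. The certificate fields, the serial-number canonical form (hex, case-insensitive, leading zeros ignored) and the DN normalization are constructed assumptions for this model, not taken from the project.

```python
"""Model of CLIENTCERT authorization-list evaluation (added example, not SignServer code)."""
from dataclasses import dataclass, field

# Subject match types from the -matchSubjectWithType table, mapped to the
# RDN attribute or SAN kind they read from the certificate.
RDN_TYPES = {
    "SUBJECT_RDN_CN": "CN", "SUBJECT_RDN_SERIALNO": "SN", "SUBJECT_RDN_C": "C",
    "SUBJECT_RDN_DC": "DC", "SUBJECT_RDN_ST": "ST", "SUBJECT_RDN_L": "L",
    "SUBJECT_RDN_O": "O", "SUBJECT_RDN_OU": "OU", "SUBJECT_RDN_TITLE": "TITLE",
    "SUBJECT_RDN_UID": "UID", "SUBJECT_RDN_E": "E",
}
SAN_TYPES = {"SUBJECT_ALTNAME_RFC822NAME": "rfc822Name", "SUBJECT_ALTNAME_MSUPN": "msUPN"}


@dataclass
class ClientCert:
    """Fields of a presented client certificate (constructed, not parsed from PEM).
    A DN may carry several values for one attribute (e.g. two OUs), so every
    subject_rdns / sans entry is a list of values."""
    serial_hex: str
    issuer_dn: str                                   # BC-style textual issuer DN
    subject_rdns: dict = field(default_factory=dict)  # {"CN": ["Client One"], ...}
    sans: dict = field(default_factory=dict)          # {"rfc822Name": ["a@example"], ...}


@dataclass(frozen=True)
class Rule:
    """One entry of a Worker's authorization list (mirrors the -add parameters)."""
    match_subject_type: str
    match_subject_value: str
    match_issuer_value: str
    match_issuer_type: str = "ISSUER_DN_BCSTYLE"
    description: str = ""


def normalize_serial(value: str) -> str:
    """Assumed canonical form: lower-case hex without 0x prefix or leading zeros."""
    v = value.strip().lower()
    if v.startswith("0x"):
        v = v[2:]
    v = v.lstrip("0")
    return v or "0"


def normalize_dn(dn: str) -> str:
    """Assumed DN canonicalization: trim whitespace around ',' and '=', upper-case the
    attribute types, keep values as-is. Escaped commas are not handled in this model."""
    parts = []
    for rdn in dn.split(","):
        attr, _, val = rdn.partition("=")
        parts.append(f"{attr.strip().upper()}={val.strip()}")
    return ",".join(parts)


def subject_field_matches(cert: ClientCert, rule: Rule) -> bool:
    """True when the rule's subject type/value matches the corresponding certificate field."""
    t = rule.match_subject_type
    if t == "CERTIFICATE_SERIALNO":
        return normalize_serial(cert.serial_hex) == normalize_serial(rule.match_subject_value)
    if t in RDN_TYPES:
        return rule.match_subject_value in cert.subject_rdns.get(RDN_TYPES[t], [])
    if t in SAN_TYPES:
        return rule.match_subject_value in cert.sans.get(SAN_TYPES[t], [])
    raise ValueError(f"unsupported subject match type: {t}")


def issuer_matches(cert: ClientCert, rule: Rule) -> bool:
    """Issuer DNs are compared after normalization; only ISSUER_DN_BCSTYLE is defined."""
    if rule.match_issuer_type != "ISSUER_DN_BCSTYLE":
        raise ValueError(f"unsupported issuer match type: {rule.match_issuer_type}")
    return normalize_dn(cert.issuer_dn) == normalize_dn(rule.match_issuer_value)


def is_authorized(cert: ClientCert, rules) -> bool:
    """Authorized when at least one rule matches BOTH the subject field and the issuer.
    The issuer half is what keeps a second CA in the trust store from minting a
    certificate that reuses an authorized CN or serial number."""
    return any(subject_field_matches(cert, r) and issuer_matches(cert, r) for r in rules)


# Constructed sample data: the rules from Examples 2 and 4 above, one legitimate
# client, and one certificate with the same CN issued by a different CA.
RULES = [
    Rule("SUBJECT_RDN_CN", "Client One", "CN=AdminCA1, C=SE", description="my rule"),
    Rule("CERTIFICATE_SERIALNO", "1a2b3c", "CN=AdminCA1, C=SE"),
]
CLIENT_ONE = ClientCert("00D4E5F6", "CN=AdminCA1,C=SE", {"CN": ["Client One"], "C": ["SE"]})
SERIAL_CLIENT = ClientCert("0x001A2B3C", "CN=AdminCA1,C=SE", {"CN": ["Batch Signer"]})
SAME_CN_OTHER_CA = ClientCert("00D4E5F6", "CN=OtherCA,C=SE", {"CN": ["Client One"]})


def demo() -> dict:
    """Returns the decision for each constructed client; used by the usage below."""
    return {
        "client_one": is_authorized(CLIENT_ONE, RULES),
        "serial_client": is_authorized(SERIAL_CLIENT, RULES),
        "same_cn_other_ca": is_authorized(SAME_CN_OTHER_CA, RULES),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'authorized' if ok else 'rejected'}")
```

The third sample client shows why the usage makes -matchIssuerWithValue mandatory: a certificate with the right CN but from a different issuer is rejected even though that issuer may be in the trust store. When adding rules by hand (Examples 2 and 3), take the issuer DN from the client certificate itself rather than typing it from memory, since a DN that differs only in attribute order or spacing may not be matched by the real implementation the way this model's normalize_dn tolerates.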

Examples

Example 1:

signserver authorizedclients -worker CMSSigner -list

Example 2:

signserver authorizedclients -worker CMSSigner -add \
 -matchSubjectWithType SUBJECT_RDN_CN -matchSubjectWithValue "Client One" \
 -matchIssuerWithValue "CN=AdminCA1, C=SE"

Example 3:

signserver authorizedclients -worker CMSSigner -add \
 -matchSubjectWithType SUBJECT_RDN_CN -matchSubjectWithValue "Client One" \
 -matchIssuerWithType ISSUER_DN_BCSTYLE -matchIssuerWithValue "CN=AdminCA1, C=SE" -description "my rule"

Example 4:

signserver authorizedclients -worker CMSSigner -add \
 -matchSubjectWithType CERTIFICATE_SERIALNO -matchIssuerWithType ISSUER_DN_BCSTYLE \
 -cert /tmp/admin.pem

Example 5:

signserver authorizedclients -worker CMSSigner -remove \
 -matchSubjectWithType CERTIFICATE_SERIALNO \
 -matchIssuerWithType ISSUER_DN_BCSTYLE \
 -cert /tmp/admin.pem