You can log in to Signum with certificate-based authentication. Instead of authenticating with a username and password, you prove your identity using a cryptographic credential. Certificate authentication enables stronger security, automation, and integration.
To use certificate-based authentication in Signum, the Signum Administrator configures users with a certificate (.cer) file, which contains the public key, and users authenticate with a PKCS#12 (.p12) file, which contains the private key.
| Step | Performed by | Occurrence |
|---|---|---|
| Upload certificate to Admin Console | Admin | Once |
| Configure users with certificate | Admin | Per user |
| Install private key to local machine | User | Once |
| Configure the Agent to use certificate authentication | User | Per agent |
Admin Setup
To perform these steps, you must have the Signum Administrator role.
Upload a certificate (.cer) file to the Admin Console and configure users with the certificate.
Upload Certificate to the Admin Console
- Navigate to the Certificates page.
- Open the Client Auth Certificates tab.
- Click Upload.
- Upload the chosen certificate.
For more information, see Client Auth Certificates.
Configure User Access with the Certificate
After uploading the file to the console, configure the users.
- In the Admin Console, go to the Access page.
- Under the Domain tab, click the Domain Type Certificate users. If you have not already created this domain type, click New to create it.
- In the Edit Domain popup window, go to the Users tab.
- Click New.
- Under Signum Configurations, fill in username, name, and email.
- Under Client Certificate Chains, click Select Certificates.
- Choose the certificate to use for user authentication.
- Complete the user configuration as needed.
- If the user needs access to the Admin Web Console, make sure the user is assigned to the appropriate Role.
For further configuration information, see Certificate User Domains.
User Setup
To authenticate as a user, you need to install the PKCS#12 (.p12) file, which contains the private key, on your local machine and configure the Agent with the file.
Install PKCS#12 File on the Local Machine
Put the certificate on the local disk, accessible by SignumService. It is recommended to put the certificate either in /tmp/ or /etc/keyfactor/.
The following example uses the Microsoft Current User Certificates store. On Mac, a similar process can be used to import the certificate into the keychain. See Add certificates to a keychain using Keychain Access on Mac. For Linux users, you must install the certificate directly to your browser. For an example with Firefox, see Import Certificate to Mozilla Firefox.
- On your local machine, locate the .p12 file.
- Open your certificates store or double-click on the certificate to open.
- Click Import Certificate.
- Create a password.
- Click Next.
- Select the Certificate store to place your certificate.
- Click Next.
- Click OK.
After installation, you should see the certificate in your certificate store.
Set up Agent with Certificate
After making the certificate available on your local machine, configure your Signum Agent to use the certificate. Depending on the agent, you can identify the certificate by certificate name, certificate thumbprint, or certificate path.
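The following added example (not part of the Signum documentation or Keyfactor's code) computes a certificate thumbprint from a PEM or DER .cer file and checks the permissions of a PKCS#12 file placed on disk. It assumes the thumbprint is the SHA-1 hash of the DER-encoded certificate, as the Windows certificate store displays it; the function names, the sample bytes, and the file name `user.p12` are hypothetical.

```python
import hashlib
import os
import ssl
import stat

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

# Constructed sample: a tiny DER structure, NOT a real certificate.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


def cert_thumbprint(cert_bytes):
    """Return the SHA-1 thumbprint (uppercase hex) of a PEM or DER .cer file."""
    text = cert_bytes.decode("latin-1")
    start = text.find(PEM_HEADER)
    if start != -1:
        # PEM: drop any text around the armor, then base64-decode to DER.
        end = text.index(PEM_FOOTER, start) + len(PEM_FOOTER)
        cert_bytes = ssl.PEM_cert_to_DER_cert(text[start:end])
    # Assumption: thumbprint = SHA-1 over the DER encoding (Windows store style).
    return hashlib.sha1(cert_bytes).hexdigest().upper()


def key_file_findings(path):
    """List permission problems on a PKCS#12 file that holds a private key."""
    findings = []
    mode = os.lstat(path).st_mode
    if not stat.S_ISREG(mode):
        findings.append("not a regular file (symlink or special file)")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("accessible beyond the owner; restrict to mode 600")
    parent = os.stat(os.path.dirname(os.path.abspath(path))).st_mode
    if parent & stat.S_IWOTH:
        findings.append("parent directory is world-writable, as /tmp is")
    return findings


if __name__ == "__main__":
    print("thumbprint:", cert_thumbprint(SAMPLE_PEM.encode("ascii")))
    p12 = "/etc/keyfactor/user.p12"  # hypothetical file name
    if os.path.exists(p12):
        for finding in key_file_findings(p12):
            print(p12 + ":", finding)
```

An empty list from `key_file_findings` means the file is a regular file, readable only by its owner, in a directory that other users cannot write to.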
See the specific agent section for configuring the certificate authentication: