Skip to main content
Version: v43

API-Proxy Ephemeral-Certificate Authentication

Ephemeral Certificate Target Authentication

PrivX users can be authenticated and authorized to API targets using ephemeral certificates.

Prerequisites for using ephemeral certificate authentication:

  • In order to have an unique CA for issuing access certificates, we recommend creating a new access group. This allows greater granularity in providing and revoking access. For simple cases you may use Default or another existing access group.
  • API targets are configured to trust the CA of the chosen access group.
  • PrivX and target-system clocks are synchronized.

To configure an API target to use ephemeral certificate authentication:

  1. Under Administration→API Targets, Edit the desired API target.
  2. Associate the API target to the correct Access Group.
  3. For authentication Type, select Ephemeral Certificate.
  4. Define the patterns for certificate subject name and subject alternative names. Also select the certificate template to use. Patterns and templates are detailed in later sections of this guide.
  5. Save your changes to the API target.
info

When using ephemeral-certificate authentication to targets, the target effectively delegates authorization to PrivX.

Ephemeral Certificate Subject Name

The ephemeral certificate subject name is used as a pattern for the certificate's subject name field. The format of the pattern is a list of type=value pairs separated by / and using \ as the escape character. The following types are supported:

TypeOIDNode Name
CN2.5.4.3commonName
SN2.5.4.4surname
serialNumber2.5.4.5serialNumber
C2.5.4.6countryName
L2.5.4.7localityName
ST2.5.4.8stateOrProvinceName
streetAddress2.5.4.9streetAddress
O2.5.4.10organization
OU2.5.4.10organizationName
title2.5.4.12title
postalCode2.5.4.17postalCode
GN2.5.4.42givenName
initials2.5.4.43initials
generationQualifier2.5.4.44generationQualifier
dnQualifier2.5.4.46dnQualifier
pseudonym2.5.4.65pseudonym
DC0.9.2342.19200300.100.1.25domainComponent
emailAddress1.2.840.113549.1.9.1emailAddress
userid0.9.2342.19200300.100.1.1userid

Additionally, you may use any OID in dotted format as a type. For example 1.2.3.4=foo.

The value can be a static textual value, or it can refer to user attributes with the %attribute% syntax. The following user attibutes are supported:

  • principal, aliases username and userprincipalname
  • samaccountname
  • unix_account
  • windows_account
  • name, alias full_name
  • first_name
  • last_name
  • distinguishedname
  • telephone
  • email
  • company
  • department
  • job_title
  • source
  • external_id
  • any custom attribute associated to the PrivX user

Example subject name patterns:

  • CN=root
  • CN=%unix_account%/O=Developers/OU=Team A
info

Ephemeral-certificate authentication won't work when the subject pattern refers to invalid attributes.

Ephemeral Certificate Subject Alternative Name

Similar to subject name pattern, the ephemeral certificate SAN pattern is used for the certificate's SAN field. The format of the pattern is a list of type=value pairs separated by /. You can use \ as the escape character. The following types are supported:

TypeNotes
IPIPv4 or IPv6 address in dotted notation
DNS
URI
UPNUser Principal Name
SIDWindows SID in string format (technically a x.509 extension, not a SAN)

Additionally, you may specify any X.509-SAN othername as othername:{oid};{format}={value}: - OID is given in dotted notation. - Format is one of UTF8String, IA5String or OctetString - Value depends on the format; for UTF8String and IA5String value is provided as a string, for OctetString as hexadecimal string.

Similar to subject name patterns, the ephemeral-certificate SAN pattern supports referring to user attributes with the %attribute% syntax.

Example SAN patterns:

  • IP=192.168.100.33/DNS=private.privx.io
  • UPN=%principal%
  • SID=S-1-5-21-3623811015-3361044348-30300820-1013
  • othername:1.3.6.1.5.5.7.8.7;IA5String=_sip._tcp.example.com

Certificate Template

You can create and use certificate templates to configure the key usage and extended key usage of the generated certificates. You can manage certificate templates on Administration→Settings→Authorizer under Certificate Templates.

The supported values in the certificate template's key usage are:

  • DigitalSignature
  • ContentCommitment
  • KeyEncipherment
  • DataEncipherment
  • KeyAgreement
  • CertSign
  • CRLSign
  • EncipherOnly
  • DecipherOnly

The supported values in the certificate template's extended key usage are:

  • Any
  • ServerAuth
  • ClientAuth
  • CodeSigning
  • EmailProtection
  • IPSECEndSystem
  • IPSECTunnel
  • IPSECUser
  • TimeStamping
  • OCSPSigning
  • MicrosoftServerGatedCrypto
  • NetscapeServerGatedCrypto
  • MicrosoftCommercialCodeSigning
  • MicrosoftKernelCodeSigning
  • any OID in dotted format