5.6. Procedure – Authenticating users with X.509 certificates


PSM provides a method to authenticate the users of the web interface with X.509 client certificates. The client certificate is validated against a CA list, and the username is exported from the client certificate for identification. Balabit recommends using 2048-bit RSA keys (or stronger).

To authenticate PSM users on the PSM web interface with X.509 client certificates, complete the following steps.


  • You will have to upload the CA certificates that issued the certificates of the users, so this CA certificate must be available on your computer in PEM format.

  • The certificates of the users must contain the username used to authenticate on PSM. You must know which certificate field will contain the usernames (for example, CN or UID).

  • The certificates must be imported into the browsers of the users. PSM offers the possibility to authenticate with a certificate only if a personal certificate is available in the browser.


  1. Figure 5.6. Policies > Trusted CA Lists — Creating Trusted CA lists

    Policies > Trusted CA Lists — Creating Trusted CA lists

    Navigate to Policies > Trusted CA Lists and create a Trusted CA List.

    1. If the user certificates contain the username in the Common Name field, make sure that the Strict Hostname Check is disabled.

    2. Upload the CA certificate.

    3. Adjust other settings as needed. For details on creating a trusted CA list, see Procedure 7.11, Verifying certificates with Certificate Authorities.

    4. Click .

  2. Navigate to AAA > Settings > Authentication settings.

    Figure 5.7. AAA > Settings > Authentication settings — Configuring X.509 authentication

    AAA > Settings > Authentication settings — Configuring X.509 authentication
  3. Select X.509.

  4. Select the trusted CA list created in the first step in Authentication CA.

  5. Enter the DN field name of the username in X.509 DN field name of username field (in most cases, CN or UID. This field is case-sensitive, so make sure that you use the proper case.

  6. To allow the admin user to be able to log in without using X.509 authorization, select Enable fallback for admin. This will fallback to password authentication.

  7. Click .