If you use an enterprise certificate authority (CA) for authentication, you can configure Red Hat Advanced Cluster Security for Kubernetes (RHACS) to authenticate users by using their personal certificates.

After you configure PKI authentication, users and API clients can log in using their personal certificates. Users without certificates can still use other authentication options, including API tokens, the local administrator password, or other authentication providers. PKI authentication is available on the same port number as the Web UI, gRPC, and REST APIs.

When you configure PKI authentication, by default, Red Hat Advanced Cluster Security for Kubernetes uses the same port for PKI, web UI, gRPC, other single sign-on (SSO) providers, and REST APIs. You can also configure a separate port for PKI authentication by using a YAML configuration file to configure and expose endpoints.

Configuring PKI authentication by using the RHACS portal

You can configure PKI authentication by using the RHACS portal.

Procedure
  1. On the RHACS portal, navigate to Platform Configuration → Access Control.

  2. Click Add an Auth Provider, and then select User Certificates.

  3. In the Name box, specify a name for this authentication provider.

  4. Paste your root CA certificate in PEM format into the text box.

  5. Optional: Change the Minimum access role and add role mappings by attributes.

  6. Click Save.

Configuring PKI authentication by using the roxctl CLI

You can configure PKI authentication by using the roxctl CLI.

Procedure
  • Run the following command:

    $ roxctl -e <hostname>:<port_number> central userpki create -c <ca_certificate_file> -r <default_role_name> <provider_name>
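    A pre-flight check for the roxctl step above, added here as an example script (it is not part of the RHACS documentation or of roxctl itself): it confirms that the file you are about to pass with -c is a single self-signed CA certificate and that a user's client certificate actually chains to it, then prints the create command. It assumes openssl is installed; the hostname, file names, role and provider name are placeholders.

```shell
#!/usr/bin/env sh
# Example helpers for validating inputs to "roxctl central userpki create".
# Requires openssl. All hostnames, paths and names are placeholders.

# Return 0 if the PEM file holds exactly one certificate that is a root CA:
# Basic Constraints CA:TRUE and issuer identical to subject (self-signed).
is_root_ca_pem() {
  pem="$1"
  [ "$(grep -c 'BEGIN CERTIFICATE' "$pem")" -eq 1 ] || return 1
  openssl x509 -in "$pem" -noout -text 2>/dev/null | grep -q 'CA:TRUE' || return 1
  subject=$(openssl x509 -in "$pem" -noout -subject) || return 1
  issuer=$(openssl x509 -in "$pem" -noout -issuer) || return 1
  [ "${subject#subject=}" = "${issuer#issuer=}" ]
}

# Return 0 if the client certificate verifies against the root CA, i.e. it is
# one the browser prompt described on this page would offer for that provider.
client_cert_trusted_by() {
  ca="$1"; client="$2"
  openssl verify -CAfile "$ca" "$client" >/dev/null 2>&1
}

# Print the roxctl command from this page once the CA file passes the check.
# Arguments: <hostname>:<port_number> <ca_certificate_file> <default_role_name> <provider_name>
roxctl_userpki_cmd() {
  endpoint="$1"; ca="$2"; role="$3"; name="$4"
  is_root_ca_pem "$ca" || { echo "not a single self-signed CA certificate: $ca" >&2; return 1; }
  printf 'roxctl -e %s central userpki create -c %s -r %s %s\n' \
    "$endpoint" "$ca" "$role" "$name"
}
```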

Updating authentication keys and certificates

You can update your authentication keys and certificates by using the RHACS portal.

Procedure
  1. Create a new authentication provider.

  2. Copy the role mappings from your old authentication provider to the new authentication provider.

  3. Rename or delete the old authentication provider with the old root CA key.

Logging in by using a client certificate

After you configure PKI authentication, users see a certificate prompt on the RHACS portal login page. The prompt only shows up if a client certificate trusted by the configured root CA is installed on the user’s system.

Use the procedure described in this section to log in by using a client certificate.

Procedure
  1. Open the RHACS portal.

  2. Select a certificate in the browser prompt.

  3. On the login page, select the authentication provider name option to log in with a certificate. If you do not want to log in by using the certificate, you can also log in by using the administrator password or another login method.

Once you use a client certificate to log into the RHACS portal, you cannot log in with a different certificate unless you restart your browser.