Authentication: Certificate

Authentication by certificate uses two API calls and does not send a private key.

Prerequisites

Authenticating with a certificate requires a certificate and a corresponding role. A user with this role can be authenticated using a leaf certificate that contains the role name in its description field.

Role

First, a role is needed. Use this command to create a role.

dsv role create --name certauth

Or, use an existing role.

Certificate

In this step, generate a root certificate for signing leaf certificates. The root certificate can issue leaf certificates with different roles.

dsv pki generate-root --rootcapath root-for-auth --common-name root.auth --domains root.system.a,root.system.b --maxttl 168

After that, prepare a client certificate with a corresponding role.

dsv pki leaf --common-name root.system.a --rootcapath root-for-auth --description certauth

The output should present a generated certificate, private key and SSH public key. The certificate and the private key are required for authentication and must be saved.

CLI Configuration

After you've configured everything, you can initialize the CLI configuration. For that, run:

dsv init

For testing purposes, I recommend creating a separate profile when running the dsv init command, and then using the --profile=your-profile-name flag in all subsequent test commands.

When prompted for the authentication type, choose x509 Certificate:

Initialize CLI for Certificate

When prompted, input your certificate and the private key. Note that the CLI only sends the certificate for authentication. The private key is not sent over the wire; it is used only to decrypt data to prove ownership of the private key to the server.
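
The two-call exchange described above can be modelled locally with openssl. This is an added example, not DSV's own code or API: the RSA key type, OAEP padding, file names, nonce size and function names are assumptions, and the certificates are constructed stand-ins for the output of dsv pki leaf.

```shell
#!/usr/bin/env bash
# Local model of a certificate challenge-response. Not DSV's API: the key type,
# RSA-OAEP padding, file names and nonce size are assumptions for illustration.
set -eu

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Constructed stand-in for the leaf certificate and key printed by `dsv pki leaf`.
make_leaf() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=root.system.a" \
    -keyout "$work/$1.key" -out "$work/$1.crt" 2>/dev/null
  chmod 600 "$work/$1.key"   # the key stays on the client, readable only by its owner
}

# Call 1, server side: receives only the certificate and encrypts a random
# challenge to the public key inside it.
server_challenge() {   # $1 = certificate presented by the client
  openssl rand -hex 16 > "$work/nonce"
  openssl pkeyutl -encrypt -certin -inkey "$1" -pkeyopt rsa_padding_mode:oaep \
    -in "$work/nonce" -out "$work/challenge.bin"
}

# Client side: decrypts locally; only the recovered challenge is sent back.
client_response() {    # $1 = private key held by the client
  openssl pkeyutl -decrypt -inkey "$1" -pkeyopt rsa_padding_mode:oaep \
    -in "$work/challenge.bin" 2>/dev/null || true
}

# Call 2, server side: accepts only if the response equals the challenge.
server_verify() {      # $1 = response from the client
  [ -n "$1" ] && [ "$1" = "$(cat "$work/nonce")" ]
}

authenticate() {       # $1 = certificate sent, $2 = key used to answer
  server_challenge "$1"
  if server_verify "$(client_response "$2")"; then echo accepted; else echo rejected; fi
}

make_leaf client
make_leaf other
authenticate "$work/client.crt" "$work/client.key"   # holder of the matching key
authenticate "$work/client.crt" "$work/other.key"    # certificate presented without its key
```

Because a certificate alone is rejected, the file that needs protecting at rest is the private key saved from the leaf step.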