Certificate Authentication

In Tenable Enclave Security, you can configure SSL client certificate authentication so that users log in to the interface with an X.509 client certificate, typically held on a smart card such as a PIV or CAC, instead of a standard username and password. Certificate-based authentication raises the bar over passwords: a login requires possession of the private key that matches the certificate (on a smart card that key never leaves the hardware), and there is no shared secret for an attacker to phish, guess, or replay.

SSL Client Certificate Authentication

Tenable Enclave Security supports certificate authentication for users through its integrated Tenable Security Center component. You can configure the web interface to require a certificate from every user, to accept one optionally alongside username and password login, or to leave certificate authentication disabled (the default).

Before you begin

  • Confirm you have a valid Certificate Authority (CA) that has signed the user certificates.

  • Ensure the CA certificate is trusted by your Tenable Enclave Security deployment.

  • Confirm that users have an existing account in Tenable Security Center whose username matches the Common Name (CN) or Subject Alternative Name (SAN) in their certificate. A certificate that validates against the trusted CA but matches no account cannot be used to log in.

  • Authentication processes are handled by the main Tenable Security Center pod. Ensure your cluster meets the Tenable Enclave Security System Requirements to maintain authentication performance.

To configure certificate authentication for Tenable Enclave Security:

  1. Access your Kubernetes cluster via the CLI.

  2. Locate the Tenable Security Center pod:

    kubectl get pods -n <your-namespace>

  3. Open a shell to the pod:

    kubectl exec -it <sc-pod-name> -n <your-namespace> -- /bin/bash

  4. Open the /opt/sc/support/conf/sslverify.conf file in a text editor.

  5. Edit the SSLVerifyClient setting using one of the following values:

    • none: (Default) The server does not request a client certificate; users log in with a username and password only.

    • require: The server requires a valid client certificate, chained to a trusted CA, on every connection. A connection without one fails at the TLS handshake, so no user, including administrators, can reach the login page without a certificate.

    • optional: The server requests a certificate but accepts connections without one. Users who present a valid certificate are authenticated with it; users who do not can log in with a username and password. Use this value to test your CA trust and chain depth before switching to require.

  6. (Optional) Edit the SSLVerifyDepth setting to specify the maximum length of the certificate chain the system accepts between the user's certificate and a trusted CA:

    • 0: Accepts only self-signed user certificates.

    • 1: Accepts user certificates signed directly by a trusted CA, with no intermediate CA.

    • 2: Accepts a chain with up to one intermediate CA between the user certificate and the trusted CA.

    Set the depth to match the chain your CA actually issues. A depth that is too small causes the handshake to fail for otherwise valid certificates, which with SSLVerifyClient set to require locks all users out.

  7. Save the file and exit the pod.

  8. Restart the Tenable Security Center service, or delete the pod so that it is recreated and the changes take effect. After the new pod is running, confirm that the file still contains your edits; if /opt/sc is not on persistent storage the change does not survive the restart.

    kubectl delete pod <sc-pod-name> -n <your-namespace>
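The following script is an added example, not Tenable's code or part of the original page. It carries out steps 4 to 8 on a local copy of sslverify.conf: it validates the SSLVerifyClient and SSLVerifyDepth values before writing them, so a typo such as "required" cannot leave the web server with an unparseable file, rewrites the directive lines in place, and shows how the copy would be pushed back into the pod with kubectl cp before the pod is deleted. The namespace name, the use of kubectl cp rather than an in-pod editor, and the sample sslverify.conf content are assumptions; only the directive names and the in-pod path come from the page.

```shell
#!/bin/sh
# Added example (not Tenable's code): edit the two directives documented above in
# a local copy of sslverify.conf, validate the values, and show how the copy
# would be pushed back into the Tenable Security Center pod.
set -eu

# Assumed values, not taken from the Tenable documentation: the namespace the
# pod runs in. The file path is the one the page cites.
NAMESPACE="${NAMESPACE:-tenable}"
SC_CONF="/opt/sc/support/conf/sslverify.conf"

# SSLVerifyClient accepts only the three values listed on this page.
valid_verify_client() {
  case "$1" in
    none|optional|require) return 0 ;;
    *) return 1 ;;
  esac
}

# SSLVerifyDepth must be a non-negative integer.
valid_verify_depth() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# get_directive FILE DIRECTIVE: print the value of the first matching directive.
# Directive names are matched case-insensitively, as Apache does.
get_directive() {
  awk -v d="$2" 'BEGIN { d = tolower(d) } tolower($1) == d { print $2; exit }' "$1"
}

# set_directive FILE DIRECTIVE VALUE: rewrite an existing directive line in place
# (keeping its indentation) or append one if the directive is absent.
set_directive() {
  file="$1"; directive="$2"; value="$3"
  tmp="$(mktemp)"
  awk -v d="$directive" -v v="$value" '
    BEGIN { ld = tolower(d); found = 0 }
    tolower($1) == ld {
      match($0, /^[ \t]*/)
      printf "%s%s %s\n", substr($0, 1, RLENGTH), d, v
      found = 1
      next
    }
    { print }
    END { if (!found) printf "%s %s\n", d, v }
  ' "$file" > "$tmp"
  mv "$tmp" "$file"
}

# configure_sslverify FILE CLIENT DEPTH: validate both values before touching the
# file, so a typo such as "required" cannot leave the web server with a broken config.
configure_sslverify() {
  file="$1"; client="$2"; depth="$3"
  if ! valid_verify_client "$client"; then
    echo "SSLVerifyClient must be none, optional or require (got '$client')" >&2
    return 1
  fi
  if ! valid_verify_depth "$depth"; then
    echo "SSLVerifyDepth must be a non-negative integer (got '$depth')" >&2
    return 1
  fi
  set_directive "$file" SSLVerifyClient "$client"
  set_directive "$file" SSLVerifyDepth "$depth"
}

# push_to_pod POD LOCAL_FILE: copy the edited file into the pod, confirm the
# directives, then delete the pod so it is recreated with the new settings.
# Not called by the offline demo below because it needs cluster access.
push_to_pod() {
  pod="$1"; local_file="$2"
  kubectl cp "$local_file" "$NAMESPACE/$pod:$SC_CONF"
  kubectl exec -n "$NAMESPACE" "$pod" -- grep -iE '^[[:space:]]*SSLVerify(Client|Depth)' "$SC_CONF"
  kubectl delete pod -n "$NAMESPACE" "$pod"
}

# Offline demo on a constructed sslverify.conf that mirrors the page's defaults.
demo() {
  dir="$(mktemp -d)"
  printf '# constructed sample\nSSLVerifyClient none\nSSLVerifyDepth 1\n' > "$dir/sslverify.conf"
  # Start with optional: users without a certificate can still log in with a
  # password, so a wrong depth or an untrusted CA does not lock everyone out.
  configure_sslverify "$dir/sslverify.conf" optional 2
  cat "$dir/sslverify.conf"
  # Live use: kubectl cp "$NAMESPACE/<sc-pod-name>:$SC_CONF" "$dir/sslverify.conf"
  #           then push_to_pod <sc-pod-name> "$dir/sslverify.conf"
  rm -r "$dir"
}
demo
```

The demo writes optional rather than require on purpose: with optional in place, you can confirm that a smart-card login succeeds and that the chain depth is right while password login still works, and only then flip the value to require and repeat the pod restart.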