Create Industrial Security SSL Certificates for Login
To log in to a Industrial Security server with SSL certificates, you must create the certificates using the
Note: When asked if you want to create a server certificate, select no to be prompted for the user certificate information.
To create Industrial Security SSL certificates for login:
On the Industrial Security server, run the
C:\Program Files\Tenable\Industrial Security\industrial-security-make-cert
Configure the client certificate by answering the various questions.
The client certificates generate in a temporary directory.
C:\users\<username>\AppData\Local\Temp, where <username> is the user currently logged in.
Two files are created in the temporary directory. In an example where the user name is admin, the files
key_admin.pemare created. These two files must be combined and exported into a format that may be imported into the web browser, such as .pfx. You can accomplish this with the openssl program and the following command:
openssl pkcs12 -export -out combined_admin.pfx -inkey key_admin.pem -in cert_admin.pem -chain -CAfile /opt/industrial-security/var/industrial-security/ssl/cacert.pem -passout 'pass:password' -name 'Industrial Security User Certificate for: admin'
The resulting file
combined_admin.pfxis created in the directory from which the command is launched. This file must then be imported into the web browser’s personal certificate store.
Note: The username you type must correspond with an existing username in Industrial Security. By default, Industrial Security has only one administrative user. If you add another administrative user, then you can use more than one certificate.
Configure the Industrial Security server for certificate authentication using the appropriate command for your OS. Once certificate authentication is enabled, username and password login is disabled.
# /opt/industrial-security/bin/industrial-security --config "Enable SSL Client Certificate Authentication" "1"
C:\Program Files\Tenable\Industrial Security\industrial-security --config "Enable SSL Client Certificate Authentication" "1"