Create Industrial Security SSL Certificates for Login

To log in to a Industrial Security server with SSL certificates, you must create the certificates using the industrial-security-make-cert command.

Note: When asked if you want to create a server certificate, select no to be prompted for the user certificate information.

To create Industrial Security SSL certificates for login:

  1. On the Industrial Security server, run the industrial-security-make-cert command.

    Operating System

    Command

    Linux

    # /opt/industrial-security/bin/industrial-security-make-cert

    Windows

    C:\Program Files\Tenable\Industrial Security\industrial-security-make-cert

  2. Configure the client certificate by answering the various questions.

    The client certificates generate in a temporary directory.

    Operating System

    Directory

    Linux

    /tmp/

    Windows

    C:\users\<username>\AppData\Local\Temp, where <username> is the user currently logged in.

  3. Two files are created in the temporary directory. In an example where the user name is admin, the files cert_admin.pem and key_admin.pem are created. These two files must be combined and exported into a format that may be imported into the web browser, such as .pfx. You can accomplish this with the openssl program and the following command:

    openssl pkcs12 -export -out combined_admin.pfx -inkey key_admin.pem -in cert_admin.pem -chain -CAfile /opt/industrial-security/var/industrial-security/ssl/cacert.pem -passout 'pass:password' -name 'Industrial Security User Certificate for: admin'

    The resulting file combined_admin.pfx is created in the directory from which the command is launched. This file must then be imported into the web browser’s personal certificate store.

    Note: The username you type must correspond with an existing username in Industrial Security. By default, Industrial Security has only one administrative user. If you add another administrative user, then you can use more than one certificate.

  4. Configure the Industrial Security server for certificate authentication using the appropriate command for your OS. Once certificate authentication is enabled, username and password login is disabled.

    Operating System

    Command

    Linux

    # /opt/industrial-security/bin/industrial-security --config "Enable SSL Client Certificate Authentication" "1"

    Windows

    C:\Program Files\Tenable\Industrial Security\industrial-security --config "Enable SSL Client Certificate Authentication" "1"