Activate or Change Client Authentication (mTLS) Settings
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Initial configuration of mTLS, and changing an existing configuration.

::

    X.509 Client Certificates (mTLS) Settings

    X.509 Client Certificates validation is DISABLED.

    Change settings? (y/): y
    Install a new CA chain? (y/): y

    You will need a file with a trusted Client Certificate CA (supports multiple) including any intermediate certificates used to sign the client certificates.

    Search the directory "/isodevice/var/transfer" for files? (Press No for USB) (/n):
    Using the directory "/isodevice/var/transfer".

    Available files in /isodevice/var/transfer:
    mtls-ca-corp-com.pem

    Which file has the Client Certificate CA (multiple CA supported)? (Q to Quit) : mtls-ca-corp-com.pem

    Issuers in the CA chain (/isodevice/var/transfer/storedsafe-mtls-ca.pem):
    subject=C = SE, ST = Stockholm, O = Corp INC, OU = CA Team, CN = ca.corp.com
    issuer=C = SE, ST = Stockholm, O = Corp INC, OU = CA Team, CN = ca.corp.com

    Install the new CA for Client Certificates? (/n):
    New CA for validating Client Certificates installed successfully.

    It is possible to specify to what depth a client certificate should be verified:
    Verify depth 0: Only self-signed certificates is allowed.
    Verify depth 1: One signature is checked, so certificates directly signed by the root cert are allowed, but nothing more.
    Verify depth 2: Possible to validate up to two signatures, so chains with one intermediate certificate are allowed. (Default)

    Verify depth? <2>:
    Verify depth set to 2

    CRL fetching is DISABLED.

    Change (or enable) CRL fetching? (/n): y

    CRL URL #0? (. to end input, Q to quit) <.>: http://ca.corp.com/CorpInternalRootCAv1.crl
    Try to fecth a CRL from "http://ca.corp.com/CorpInternalRootCAv1.crl"? (/n):
    issuer=C = SE, O = Corp INC, CN = Corp Internal Root CA v1
    lastUpdate=Apr 5 08:52:21 2023 GMT
    nextUpdate=Oct 2 21:12:21 2023 GMT
    crlNumber=15

    CRL URL #1? (. to end input, Q to quit) <.>: http://ca.corp.com/CorpPerson4CAv1.crl
    Try to fecth a CRL from "http://ca.corp.com/CorpPerson4CAv1.crl"? (/n):
    issuer=C = SE, O = Corp INC, CN = Corp Person 4 CA v1
    lastUpdate=May 4 18:50:01 2023 GMT
    nextUpdate=May 7 20:10:01 2023 GMT
    crlNumber=01FB87

    CRL URL #2? (. to end input, Q to quit) <.>: https://dept.ca.corp.com/corp-crl.pem
    Try to fecth a CRL from "https://dept.ca.corp.com/corp-crl.pem"? (/n):
    Can not validate the CRL URL.
    Use it anyway? (/n):

    CRL URL #3? (. to end input, Q to quit) <.>: .

    Save new CRL settings? (/n):
    No updates to crl from http://ca.corp.com/CorpInternalRootCAv1.crl
    No updates to crl from http://ca.corp.com/CorpPerson4CAv1.crl
    No updates to crl from https://dept.ca.corp.com/corp-crl.pem
    Nothing to do

    Restart the web server to activate the new settings? (/n):

    Add firewall rules to allow for mTLS verification (port 8443/tcp)? (/n):

    Web access (port 443/TCP) is currently permitted from any
    8443/TCP used for mTLS, is currently permitted from any

    Allow WEB access to the StoredSafe appliance from up to 100 networks.
    (Use IPv4 or IPv6 with CIDR notation, 192.168.0.0/24 or 2001:db8:cafe::/48)

    Press return to keep the suggested values.
    To end input at any time, simply enter a single dot (.) and press return.

    Network #0 (. to end input, Q to Quit) : 192.168.16.0/24
    Network #1 (. to end input, Q to Quit) <.>:

    By default, the appliance redirects unencrypted requests on port 80 to port 443, however it is possible to turn off this redirection.

    Allow access on port 80 (HTTP)? (y/): n

    Save the new configuration? (/n): y
    Activate the new configuration? (/n): y

    Old rules will not be deactivated until next reboot of the appliance, unless they are manually removed thru "Remove active firewall rules"

    Enable X509 as MFA? (/n): y
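The verify-depth and CRL steps in the session above can be checked before a CA bundle or CRL URL is entered into the appliance. The Go program below is an added example, not StoredSafe's code: it constructs a throwaway root, intermediate and two client certificates in memory, computes the verify depth a client chain needs on the same 0/1/2 scale as the prompt, and runs the checks a fetched CRL should pass (signed by the installed CA, and the current time inside the lastUpdate/nextUpdate window) before a client certificate is accepted. The function names (ClientChainDepth, CheckCRL, IsRevoked, MakeCRL) and the CA common names are made up for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues a certificate for cn, signed by parent (self-signed when parent is nil).
// Everything here is constructed in memory for the example; it is not the appliance's CA.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{Country: []string{"SE"}, Organization: []string{"Corp INC"}, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// ClientChainDepth builds the chain from a client certificate to a trusted root and
// returns the number of signatures checked: 0 = the client cert itself is trusted,
// 1 = signed directly by the root, 2 = one intermediate (the appliance's default).
// It errors when the chain needs more signatures than verifyDepth allows.
func ClientChainDepth(leaf *x509.Certificate, roots, inters []*x509.Certificate, verifyDepth int) (int, error) {
	opts := x509.VerifyOptions{
		Roots:         x509.NewCertPool(),
		Intermediates: x509.NewCertPool(),
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	for _, r := range roots {
		opts.Roots.AddCert(r)
	}
	for _, i := range inters {
		opts.Intermediates.AddCert(i)
	}
	chains, err := leaf.Verify(opts)
	if err != nil {
		return -1, err
	}
	depth := len(chains[0]) - 1
	if depth > verifyDepth {
		return depth, fmt.Errorf("chain needs verify depth %d, configured %d", depth, verifyDepth)
	}
	return depth, nil
}

// CheckCRL applies the checks a fetched CRL should pass before it is relied on:
// it parses, verifies the signature against the installed CA, and rejects a CRL
// whose lastUpdate/nextUpdate window does not contain now (a stale CRL hides revocations).
func CheckCRL(der []byte, issuer *x509.Certificate, now time.Time) (*x509.RevocationList, error) {
	rl, err := x509.ParseRevocationList(der)
	if err != nil {
		return nil, err
	}
	if err := rl.CheckSignatureFrom(issuer); err != nil {
		return nil, fmt.Errorf("CRL not signed by %q: %w", issuer.Subject.CommonName, err)
	}
	if now.Before(rl.ThisUpdate) || now.After(rl.NextUpdate) {
		return nil, errors.New("CRL is outside its validity window; refresh it before use")
	}
	return rl, nil
}

// IsRevoked reports whether serial is listed in the CRL.
func IsRevoked(rl *x509.RevocationList, serial *big.Int) bool {
	for _, rc := range rl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return true
		}
	}
	return false
}

// MakeCRL signs a CRL from ca listing the given serials (example helper, stands in for the CA's published CRL).
func MakeCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, number int64, revoked []*big.Int, thisUpdate, nextUpdate time.Time) []byte {
	tmpl := &x509.RevocationList{Number: big.NewInt(number), ThisUpdate: thisUpdate, NextUpdate: nextUpdate}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: thisUpdate})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	if err != nil {
		panic(err)
	}
	return der
}

func main() {
	root, rootKey := mkCert("Corp Internal Root CA v1", true, nil, nil, 1)
	inter, interKey := mkCert("Corp Person 4 CA v1", true, root, rootKey, 2)
	alice, _ := mkCert("alice", false, inter, interKey, 100) // needs verify depth 2
	bob, _ := mkCert("bob", false, root, rootKey, 101)       // needs verify depth 1
	d, err := ClientChainDepth(alice, []*x509.Certificate{root}, []*x509.Certificate{inter}, 2)
	fmt.Println("alice depth:", d, err)
	d, err = ClientChainDepth(alice, []*x509.Certificate{root}, []*x509.Certificate{inter}, 1)
	fmt.Println("alice with verify depth 1:", d, err)
	d, err = ClientChainDepth(bob, []*x509.Certificate{root}, nil, 1)
	fmt.Println("bob depth:", d, err)
	now := time.Now()
	crl := MakeCRL(inter, interKey, 0x1FB87, []*big.Int{alice.SerialNumber}, now.Add(-time.Hour), now.Add(72*time.Hour))
	if rl, err := CheckCRL(crl, inter, now); err == nil {
		fmt.Println("crlNumber:", rl.Number, "alice revoked:", IsRevoked(rl, alice.SerialNumber))
	}
	stale := MakeCRL(inter, interKey, 1, nil, now.Add(-48*time.Hour), now.Add(-24*time.Hour))
	_, err = CheckCRL(stale, inter, now)
	fmt.Println("stale CRL:", err)
}
```

A chain that fails ClientChainDepth with the configured depth is the same chain the appliance will reject after "Verify depth set to 2", so the depth to configure is one higher than the number of intermediates the corporate PKI uses. The CRL window check is why a nextUpdate in the past matters: the appliance reported "No updates to crl" for URLs it could re-fetch, but a CRL that can no longer be refreshed (as for the https URL it could not validate) should not be used past its nextUpdate.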