Activate or Change Client Authentication (mTLS) Settings

Initial configuration of mTLS, or changing an existing mTLS configuration.

X.509 Client Certificates (mTLS) Settings

X.509 Client Certificates validation is DISABLED.

Change settings? (y/<N>): y
Install a new CA chain? (y/<N>): y

You will need a file with a trusted Client Certificate CA (supports multiple)
including any intermediate certificates used to sign the client certificates.

Search the directory "/isodevice/var/transfer" for files? (Press No for USB) (<Y>/n):
Using the directory "/isodevice/var/transfer".

Available files in /isodevice/var/transfer:

mtls-ca-corp-com.pem

Which file has the Client Certificate CA (multiple CA supported)? (Q to Quit) <none>: mtls-ca-corp-com.pem

Issuers in the CA chain (/isodevice/var/transfer/storedsafe-mtls-ca.pem):
subject=C = SE, ST = Stockholm, O = Corp INC, OU = CA Team, CN = ca.corp.com
issuer=C = SE, ST = Stockholm, O = Corp INC, OU = CA Team, CN = ca.corp.com
Install the new CA for Client Certificates? (<Y>/n):

New CA for validating Client Certificates installed successfully.

It is possible to specify to what depth a client certificate should be verified:

Verify depth 0: Only self-signed certificates is allowed.
Verify depth 1: One signature is checked, so certificates directly signed
 by the root cert are allowed, but nothing more.
Verify depth 2: Possible to validate up to two signatures, so chains
 with one intermediate certificate are allowed. (Default)

Verify depth? <2>:
Verify depth set to 2

CRL fetching is DISABLED.

Change (or enable) CRL fetching? (<Y>/n): y

CRL URL #0? (. to end input, Q to quit) <.>: http://ca.corp.com/CorpInternalRootCAv1.crl
Try to fecth a CRL from "http://ca.corp.com/CorpInternalRootCAv1.crl"? (<Y>/n):
issuer=C = SE, O = Corp INC, CN = Corp Internal Root CA v1
lastUpdate=Apr  5 08:52:21 2023 GMT
nextUpdate=Oct  2 21:12:21 2023 GMT
crlNumber=15

CRL URL #1? (. to end input, Q to quit) <.>: http://ca.corp.com/CorpPerson4CAv1.crl
Try to fecth a CRL from "http://ca.corp.com/CorpPerson4CAv1.crl"? (<Y>/n):
issuer=C = SE, O = Corp INC, CN = Corp Person 4 CA v1
lastUpdate=May  4 18:50:01 2023 GMT
nextUpdate=May  7 20:10:01 2023 GMT
crlNumber=01FB87

CRL URL #2? (. to end input, Q to quit) <.>: https://dept.ca.corp.com/corp-crl.pem
Try to fecth a CRL from "https://dept.ca.corp.com/corp-crl.pem"? (<Y>/n):
Can not validate the CRL URL. Use it anyway? (<Y>/n):
CRL URL #3? (. to end input, Q to quit) <.>: .

Save new CRL settings? (<Y>/n):
No updates to crl from http://ca.corp.com/CorpInternalRootCAv1.crl
No updates to crl from http://ca.corp.com/CorpPerson4CAv1.crl
No updates to crl from https://dept.ca.corp.com/corp-crl.pem
Nothing to do

Restart the web server to activate the new settings? (<Y>/n):
Add firewall rules to allow for mTLS verification (port 8443/tcp)? (<Y>/n):

Web access (port 443/TCP) is currently permitted from

any

8443/TCP used for mTLS, is currently permitted from

any

Allow WEB access to the StoredSafe appliance from up to 100 networks.
(Use IPv4 or IPv6 with CIDR notation, 192.168.0.0/24 or 2001:db8:cafe::/48)

Press return to keep the suggested <DEFAULT> values. To end input at any time,
simply enter a single dot (.) and press return.

Network #0 (. to end input, Q to Quit) <any>: 192.168.16.0/24
Network #1 (. to end input, Q to Quit) <.>:

By default, the appliance redirects unencrypted requests on port 80
to port 443, however it is possible to turn off this redirection.

Allow access on port 80 (HTTP)? (y/<N>): n
Save the new configuration? (<Y>/n): y
Activate the new configuration? (<Y>/n): y

Old rules will not be deactivated until next reboot of the appliance,
unless they are manually removed thru "Remove active firewall rules"

Enable X509 as MFA? (<Y>/n): y