mTLS Settings

StoredSafe supports using mutual TLS (mTLS) as a Multi-Factor Authentication (MFA) mechanism. The concept relies on the client holding an X.509 client certificate on a local secure device, such as a smartcard, or using the PIV slots on a YubiKey to hold and protect the private key.

Several things are needed to use mTLS as an MFA mechanism:

  • A trusted Certificate Authority to issue the client certificates

  • The certificate (public key) of the trusted CA in PEM format

  • An HTTP or HTTPS endpoint from which to fetch the CRL (Certificate Revocation List) of the trusted CA (optional)

Note

If a CRL from the trusted Certificate Authority is not fetched and used, a compromised or lost client certificate can still be accepted and mis-used, because chain validation alone does not know that the certificate has been revoked.
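The following throwaway lab, added here as an illustration and not part of StoredSafe or its documentation, shows the risk the note describes using only the openssl command line. It builds a small client CA (the "trusted CA certificate in PEM format" from the list above), issues a client certificate, revokes it and publishes a CRL (what the optional CRL endpoint would serve), then validates the certificate twice: once with plain chain validation and once with revocation checking. The CA name, the user "alice" and the file layout are constructed for the example; the client private key is a plain file here only because this is a lab, whereas the page's design keeps it on a smartcard or YubiKey. How StoredSafe itself performs the check is not shown on the page; this is openssl's generic behaviour.

```shell
#!/bin/sh
# Added example (not StoredSafe's own code): a throwaway client CA built with
# openssl to show why the CRL matters. All names and paths are constructed.
set -e

# Create a scratch directory and a minimal openssl config for a client-cert CA.
mtls_setup_ca() {
    LAB=$(mktemp -d)
    cd "$LAB"
    mkdir newcerts
    touch index.txt
    echo 01 > serial
    echo 01 > crlnumber
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/ca.pem
private_key = $dir/ca.key
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
x509_extensions = usr_cert
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    # Self-signed CA certificate: this ca.pem is what a server would be
    # configured to trust for client authentication.
    openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -sha256 \
        -keyout ca.key -out ca.pem -days 365 -subj "/CN=Example Client CA" 2>/dev/null
    # Publish an initial (empty) CRL so revocation checking can run from the start.
    openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
}

# Issue a client certificate for the constructed user "alice".
mtls_issue_client() {
    cd "$LAB"
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
        -keyout client.key -out client.csr -subj "/CN=alice" 2>/dev/null
    openssl ca -batch -config ca.cnf -in client.csr -out client.pem -notext 2>/dev/null
}

# Revoke the client certificate (lost card, departed user) and publish a fresh CRL.
mtls_revoke_client() {
    cd "$LAB"
    openssl ca -config ca.cnf -revoke client.pem 2>/dev/null
    openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
}

# Chain validation only, no CRL: exit status 0 means the certificate is accepted.
mtls_verify_no_crl() {
    cd "$LAB"
    openssl verify -CAfile ca.pem client.pem >/dev/null 2>&1
}

# Chain validation plus revocation check against the published CRL.
mtls_verify_with_crl() {
    cd "$LAB"
    openssl verify -crl_check -CAfile ca.pem -CRLfile ca.crl client.pem >/dev/null 2>&1
}

# Walk through the scenario from the note.
mtls_setup_ca
mtls_issue_client
mtls_verify_with_crl && echo "before revocation, CRL check: accepted"
mtls_revoke_client
if mtls_verify_no_crl; then
    echo "after revocation, no CRL check: still ACCEPTED (the risk described in the note)"
fi
if mtls_verify_with_crl; then
    echo "after revocation, CRL check: accepted"
else
    echo "after revocation, CRL check: REJECTED (certificate is revoked)"
fi
```

The two verify functions differ only in `-crl_check` and the CRL input; after revocation the first still accepts the certificate while the second rejects it, which is exactly why the CRL endpoint should be configured rather than left optional. Note that a CRL is only as current as its last fetch, so the CRL endpoint must be reachable and refreshed regularly for the check to reflect recent revocations.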

┌─────────────────────────────────────────────────────────────────────────────┐
│         Service Management on node1 (Version 2.X.X-dev build XXXX)          │
└─────────────────────────────────────────────────────────────────────────────┘

┌─┬───────────────────────────────────────────────────────────────────────────┐
│1│Activate or Change Client Authentication (mTLS) Settings                   │
│2│Client CA Settings                                                         │
│3│Client CRL Settings                                                        │
│4│Client Verify Depth                                                        │
│9│Disable mTLS                                                               │
└─┴───────────────────────────────────────────────────────────────────────────┘

Move the cursor or enter a it's corresponding number (Q to Quit)

Main> System Settings> Service> mTLS>