
Authenticate using TLS

You can authenticate incoming Quorum Key Manager (QKM) requests using mutual TLS authentication.

To use TLS mutual authentication, start QKM in SSL mode with the --https-enable, --https-server-cert, and --https-server-key command line options, and specify a TLS certificate authority (CA) certificate with the --auth-tls-ca option.

Starting Quorum Key Manager with TLS authentication:

key-manager run --https-enable --https-server-cert=tls.crt --https-server-key=tls.key --auth-tls-ca=ca.crt --manifest-path=/config/default.yml

TLS certificate

The file passed with --auth-tls-ca must contain one or more CA certificates; QKM uses them to validate the client certificates presented to it.

If a client presents a valid certificate signed by one of the CAs, then the client is authenticated.

QKM extracts the following user information from the subject field of the client certificate:

  • Username and optional tenant from the common name (CN) (for example, /CN=tenant|user or /CN=user)
  • Roles from the certificate's organization (O) (for example, /O=role1/O=role2)
  • Permissions from the certificate's organizational unit (OU) (for example, /OU=*:read/OU=secret:write)

You can use the openssl command line tool to generate a certificate signing request:

Example certificate signing request:

openssl req -new -key jbeda.pem -out jbeda-csr.pem -subj "/CN=auth0|alice/O=admin/OU=sign:eth1Account"
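As an added example (not code from the QKM project), the following Python maps a subject such as the one in the CSR above onto the identity fields listed earlier: CN to tenant and username, O to roles, OU to permissions. It is a useful check before issuing a client certificate, since a subject that does not follow the CN=tenant|user convention silently yields a different identity. The wildcard handling in has_permission (treating "*" as any resource or action) is an assumption, not documented QKM behaviour.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ClientIdentity:
    username: str
    tenant: Optional[str]
    roles: List[str] = field(default_factory=list)
    permissions: List[str] = field(default_factory=list)


def parse_subject(subject: str) -> ClientIdentity:
    """Parse an OpenSSL-style subject ("/CN=tenant|user/O=role/OU=res:action").

    Repeated O and OU entries are collected in order; CN is split on the first
    '|' into tenant and username, and the tenant is optional.
    """
    cn = None
    roles: List[str] = []
    permissions: List[str] = []
    for rdn in subject.strip("/").split("/"):
        if not rdn:
            continue
        key, _, value = rdn.partition("=")
        key = key.strip().upper()
        if key == "CN":
            cn = value
        elif key == "O":
            roles.append(value)
        elif key == "OU":
            permissions.append(value)
    if not cn:
        raise ValueError("client certificate subject has no CN")
    tenant, sep, user = cn.partition("|")
    if not sep:  # plain /CN=user form: no tenant
        tenant, user = None, cn
    return ClientIdentity(username=user, tenant=tenant or None,
                          roles=roles, permissions=permissions)


def has_permission(identity: ClientIdentity, resource: str, action: str) -> bool:
    """Check a resource:action pair against the OU permissions.

    Assumption (not from the QKM docs): '*' matches any resource or any action.
    """
    for perm in identity.permissions:
        res, _, act = perm.partition(":")
        if res in ("*", resource) and act in ("*", action):
            return True
    return False
```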