CyberArk's Central Credential Provider - Client Certificate Authentication

CyberArk's Joe Garcia takes the Central Credential Provider (CCP) and configures it for Client Certificate Authentication. Once it is completely configured, he shows how to configure an Application ID for accessing secrets in a Safe, and how to test that it was set up properly using readily available tools.

Q: Why does Client Certificate Authentication with CyberArk's CCP require both the certificate and private key to be sent with the GET request?

A: Certificates on their own are only public pieces of information. What links a public key certificate to the name it contains is the fact that whoever has legitimate control over that name (e.g. your name or your server's name) also has the private key for it.

Certificates are used to prove the identity of the remote party by challenging the remote party to perform an operation that can only be done with the corresponding private key: signing something (which can be verified with the public key) or deciphering something that was encrypted with the public key. (Both can happen in the SSL/TLS handshake, depending on the cipher suite.)

In this case, they also want to use client-certificate authentication. It's not enough to send the client certificate during the handshake: the client must also prove it has the private key. Otherwise, anyone who receives that certificate could clone it. The point of using certificates is to prevent any cloning, in such a way that you never have to show your own secret (the private key).
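The curl call the answer above describes, as an added example that is not part of the video, the original page or CyberArk's own tooling. It calls the CCP REST endpoint (`/AIMWebService/api/Accounts`) with `--cert`/`--key`, so the private key is used to complete the TLS handshake locally and is never sent, and it derives the certificate serial number (not the thumbprint, as several comments on this page point out) for the Application ID's certificate restriction. The host name `ccp.example.com`, the AppID/Safe/Object names, the file paths and the sample JSON response are all assumptions, and the exact serial-number formatting PVWA expects (upper-case hex without separators) is an assumption too.

```shell
#!/bin/sh
# Added example (not from the video or from CyberArk): fetch a secret from CCP's
# AIMWebService with client-certificate authentication, and derive the serial
# number that goes into the Application ID's certificate restriction in PVWA.
# Host, AppID, Safe, Object and file paths are placeholder assumptions.
set -eu

# Turn a serial as printed by openssl ("serial=0A:1B:...") or by the Windows
# certificate dialog ("0a 1b ...") into plain upper-case hex
# (assumption: PVWA wants no separators and upper case).
normalize_serial() {
  printf '%s' "$1" | tr -d ': ' | sed 's/^serial=//' | tr '[:lower:]' '[:upper:]'
}

# Read the serial number from a PEM client certificate. This is the serial,
# not the SHA-1 thumbprint (openssl x509 -fingerprint); the two differ.
cert_serial() {
  normalize_serial "$(openssl x509 -in "$1" -noout -serial)"
}

# Build the CCP REST URL. AppID/Safe/Object must already be URL-safe
# (no spaces or '&'); percent-encode them first if they are not.
ccp_url() {
  printf 'https://%s/AIMWebService/api/Accounts?AppID=%s&Safe=%s&Object=%s' "$1" "$2" "$3" "$4"
}

# Call CCP. --cert/--key let curl prove possession of the private key during
# the TLS handshake; the key itself is never transmitted. --cacert verifies the
# CCP server, so never swap it for -k/--insecure in production. Keep the key
# file readable only by the account that runs this script.
ccp_get() {
  curl --silent --show-error --fail \
       --cacert "$4" \
       --cert "$2" --key "$3" \
       --header 'Accept: application/json' \
       "$1"
}

# Extract the password ("Content") from the JSON CCP returns. jq is preferred;
# the sed fallback assumes the password contains no double quote.
ccp_content() {
  if command -v jq >/dev/null 2>&1; then
    printf '%s' "$1" | jq -r '.Content'
  else
    printf '%s' "$1" | sed -n 's/.*"Content":"\([^"]*\)".*/\1/p'
  fi
}

# Constructed sample response (not captured from a real CCP) for the parsing step.
SAMPLE_RESPONSE='{"Content":"Tr0ub4dor-x","UserName":"svc_app","Address":"db01.example.com","PolicyID":"WinDomain"}'

# Typical flow (the network call is left commented so the script runs offline):
#   SERIAL=$(cert_serial /etc/app/client.pem)        # paste SERIAL into the App ID in PVWA
#   RESP=$(ccp_get "$(ccp_url ccp.example.com MyApp AppSecrets DB-Prod)" \
#                  /etc/app/client.pem /etc/app/client.key /etc/app/ca-bundle.pem)
#   PASSWORD=$(ccp_content "$RESP")
echo "Request URL: $(ccp_url ccp.example.com MyApp AppSecrets DB-Prod)"
echo "Serial from 'serial=0a:1b:2c:3d': $(normalize_serial 'serial=0a:1b:2c:3d')"
echo "Password from sample response: $(ccp_content "$SAMPLE_RESPONSE")"
```

If the call fails with a TLS error before any HTTP status is returned, check that the key file matches the certificate (`openssl x509 -noout -modulus` against `openssl rsa -noout -modulus`) and that the CA that issued the client certificate is trusted on the CCP server; if CCP answers with an authorization error instead, compare the serial it sees with the one configured on the App ID.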

Comments
========

Hey Joe, great video as usual! I know the problem you were having at the end: you were using the thumbprint on your cert, and that is not your SN. Your cert has an SN on it already, and that was your issue. When I started watching this video I instantly picked up that you were using the thumbprint, and I thought that was new, since I always knew it was the SN and not the thumbprint. I thought it might work as you were going through your tutorial, but at the end you had problems, as I suspected you would. I went back on your video to see your cert, and it matched your SN that you had put into your AppID. Also, if your CCP server is part of the same domain that your cert is signed from, you do not need to install the certificate at all on your CCP server. Great stuff!

will

Excellent video Joe! People will be really happy to have this walkthrough

alukas

Thanks for this video. I have some security concerns about having the private key stored locally. I will explore having them short-lived or stored in Venafi or a secrets manager.

tonymaina

I still have not seen it completely, but thanks for sharing. I was searching for docs for 3 months. Now I got the video only.

santhoshb.n

Awesome one Joe, I am a PKI guy but new to CyberArk, looking forward to more with the CyberArk REST API from scratch, like setting all the env. variables from CyberArk.

bshwjt

Joe, thanks a lot for this one! As usual, great content coming from you! Congrats!

fredericocrespo

Great video Joe! You deserve a lot of attention 😊

uvsumit

Thanks a lot Joe. A year on and this still helped me. Only comment is that you should have put the serial number of the certificate on CyberArk and not the thumbprint. 👏👏

Dzemaily

Hi Joe, amazing video. Just one question. If we use client certificate authentication, does the certificate's private key have to be present locally on the Linux machine in order to execute the curl command to make a web service call? I believe without the key the authentication will simply fail due to no SSL handshake?
Earlier I thought just the cert serial number is needed for the application in PVWA, but after more digging I now think the key has to be available locally on the Linux machine making the REST call to AIMWebService. Is my understanding correct?

AbhishekSingh-sruz

Thanks Joe. Super useful video for the great walkthrough end to end!!

poojagangwar

Great video and very helpful. Thanks for all the efforts and help

fredm

Great video!! Seems like having certs for each application can become a maintenance workload, as you would own them: renew the cert, send the new cert to the application using the CCP offering, update the SN on the application in CyberArk, restart services, remove the old cert from the CCP server(s) and install the new one. Any suggestions to help with this?

acastrellon

It's a very good video, Mr. Joe. Thank you!

zan_adiputra

@Joe Garcia
Is the step to enable absolutely required? I looked back at my config and the CCP client cert authentication works without that. Not sure how it would.
Also, I tried to invoke CCP using a client cert that was not loaded in the certificate store in the PVWA hosting the AIMWebService. It only had the root CA.
The only time it failed was when i did not send a cert or the serial number defined for the app in PVWA didn't match what i sent.
Any thoughts?

tsramkumar

Hi Joe, it is a very good video for the cert authentication method. But one question here: the user may run on multiple machines, and the cert thumbprint/serial number may vary on each machine. In this use case, how do we configure multiple thumbprint numbers in CCP and IIS to enable the user cert authentication method?

mastanvmware

What if the "add certificate serial number" is missing from the drop down for the add button in the interface?

rachaelc

Can you show how we could configure an IIS virtual directory to fetch its credential from CCP instead of hard coding it in IIS?

interestingcontent

Great Video🙏🏻 Huge Respect. Could you please make one more detailed and easy to understand video like this on Credential Provider as you made for CCP? Is it necessary to have CP before CCP? Please consider details of WHO, WHY, WHERE, WHEN CP and CCP are needed and to use? Please🙏🏻

SanjayGupta-klxi

thank you for this, wish you more success.

zo-moto

How can I check my certificate authentication password? I forgot it.

wirelescastle