Configuring PKI (Public Key Infrastructure) Authentication
Public key infrastructure (PKI) is a set of policies and procedures for managing public-key encryption. It enables secure communication when passwords alone are insufficient for authentication. To configure PKI authentication in Voyager, you need to:
- Enable the use of a Client Certificate to access secured services
- Enable authorization using the Client Certificate
Enabling the Use of a Client Certificate
The first step is to enable access to secured services by enabling the use of a Client Certificate.
To enable use of a Client Certificate:
- Go to Manage Voyager > Discovery > HTTP Client
- Check the box next to Support Client Certificate

- Enter the Private Key and Password

- (You can also add the CA certificate at this time)
- Click Save
Testing the HTTP Client
To test the HTTP client:
- Go to Manage Voyager > Discovery > HTTP Client
- Enter a secure URL in the Test panel

- Click Test
If the HTTP Client was configured correctly, you should see the Response Headers in the results section.
Enabling Client Certificate Authentication
The next step is to enable Client Certificate Authentication.
- Go to Manage Voyager > Security > Authentication

- Check the box next to Client Certificate and click Configure

- Enter the Private Key and Password
- You can also add a trusted certificate here
- Click Save
Adding the Certificate to a Browser
In order to use a certificate to authenticate against Voyager, you need to add the certificate to the browser being used to access Voyager.
To install a certificate:
- Open the browser settings (in this example, Chrome)

- Click Advanced
- Click Manage certificates

- Click Import and follow the wizard to import the certificate

- When you next open Voyager, it will request a certificate

- When the certificate is selected, Voyager will authenticate the user
Generating Certificates for Testing
To generate certificates that you can use in testing and configuration:
- Download Easy RSA from https://github.com/OpenVPN/easy-rsa (the vars, clean-all and build-* scripts used below are those of the Easy-RSA 2.x releases)
- Edit the vars file, modifying these values:
    export KEY_COUNTRY="US"
    export KEY_PROVINCE="California"
    export KEY_CITY="Redlands"
    export KEY_ORG="Voyager Search"
    export KEY_EMAIL="pki@voyagersearch.com"
    export KEY_OU="IT"
    export KEY_NAME="Voyager Search"
- Execute those commands in the current shell
    source ./vars
- Clean or initialize the environment
    ./clean-all
- Generate the CA certificate
    ./build-ca
- Build the server key
    ./build-key-server server1
- Generate the Diffie-Hellman parameters
    ./build-dh
- Generate the client certificate
    ./build-key client1
- Convert the certificates to PKCS#12
    openssl pkcs12 -export -inkey keys/client1.key -in keys/client1.crt -certfile keys/ca.crt -out keys/client1.p12
    openssl pkcs12 -export -inkey keys/server1.key -in keys/server1.crt -certfile keys/ca.crt -out keys/server1.p12
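
Before importing a client bundle into a browser or Voyager, it helps to confirm that it opens with its export password, that its certificate verifies against the CA for TLS client use, and that the key and certificate belong together. The script below is an added example, not part of the Voyager documentation: check_client_p12 and make_demo_pki are hypothetical helper names, and the throwaway PKI it builds with plain openssl (names and the password demo-pass) is constructed so the script runs on its own.

```shell
# Added example: sanity-check a client PKCS#12 bundle before importing it.

# check_client_p12 P12 PASSWORD CA_CERT  (hypothetical helper name)
# Returns 0 if the bundle opens with PASSWORD, its certificate verifies
# against CA_CERT for TLS client use, and its private key matches the
# certificate. Returns 2, 3 or 4 for those failures, in that order.
check_client_p12() {
    p12=$1; ca=$3; rc=0
    tmp=$(mktemp -d) || return 1
    # Hand the password over via the environment, not the command line.
    P12PASS=$2; export P12PASS
    openssl pkcs12 -in "$p12" -passin env:P12PASS -clcerts -nokeys \
        -out "$tmp/cert.pem" 2>/dev/null &&
    openssl pkcs12 -in "$p12" -passin env:P12PASS -nocerts -nodes \
        -out "$tmp/key.pem" 2>/dev/null || rc=2
    if [ "$rc" -eq 0 ]; then
        openssl verify -purpose sslclient -CAfile "$ca" "$tmp/cert.pem" \
            >/dev/null 2>&1 || rc=3
    fi
    if [ "$rc" -eq 0 ]; then
        cert_pub=$(openssl x509 -in "$tmp/cert.pem" -noout -pubkey)
        key_pub=$(openssl pkey -in "$tmp/key.pem" -pubout)
        [ "$cert_pub" = "$key_pub" ] || rc=4
    fi
    unset P12PASS
    rm -rf "$tmp"   # the key was extracted unencrypted; do not leave it behind
    return "$rc"
}

# make_demo_pki DIR: constructed sample input. Builds two unrelated throwaway
# CAs and one client bundle signed by the first; password is "demo-pass".
make_demo_pki() {
    d=$1
    for n in ca other-ca; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo $n" \
            -keyout "$d/$n.key" -out "$d/$n.crt" 2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=client1" \
        -keyout "$d/client1.key" -out "$d/client1.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/client1.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/client1.crt" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$d/client1.key" -in "$d/client1.crt" \
        -certfile "$d/ca.crt" -passout pass:demo-pass -out "$d/client1.p12"
}

demo=$(mktemp -d) && make_demo_pki "$demo" &&
check_client_p12 "$demo/client1.p12" demo-pass "$demo/ca.crt" &&
echo "client1.p12: password, chain and key all check out"
rm -rf "$demo"
```

To check the bundle produced by the steps above, call check_client_p12 with keys/client1.p12, the export password you chose, and keys/ca.crt.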