Authenticate to Console with Certificates
Table of Contents
Authenticate to Console with Certificates
Prisma Cloud supports certificate-based authentication in addition to username/password based authentication for the Console UI and the API.
This is especially useful for those in government and financial services, who use multi-factor authentication technologies built on x.509 certificates.
This is applicable to users authenticating through Active Directory accounts as well.
This feature allows customers to control the trusted CAs for signing certificates for authentication.
NOTE: GitHub doesn’t allow a certificate-based authentication, you need to configure GitHub as an OAuth provider.
Setting up your Certificates
Set up Prisma Cloud for certificate-based authentication.
If you are using certificates to authenticate against Active Directory accounts, Prisma Cloud uses the UserPrincipalName field in the SAN to match the certificate to the user in Active Directory.
This is the same process used by Windows clients for authentication, so for most customers, the existing smart card certificates you are already using can also be used for authentication to Prisma Cloud.
- Save the CA certificate(s) used to sign the certificates that you will use for authentication to Prisma Cloud.The certificate has to be in PEM format. If you have multiple CA certificates that issue certificates to your users, concatenate their PEM files together. For example, if you have Issuing CA 1 and Issuing CA 2, create a combined PEM file like this:$ cat issuing-ca-1.pem issuing-ca-2.pem > issuing-cas.pemLog into Console, and go toManage > Authentication > System Certificates.UnderCertificate-based authentication to Console, upload your CA certificate(s) in PEM format.SelectSave.Open Console login page in your browser. When prompted select your user certificate.
What’s Next
See Assigning roles to learn how to add users and assign roles to them.