Can I authenticate using X.509 client certificates?
Hi there,
we have a use case where users have X.509 client certificates. The current draft of the Identity API v3 [1] states "The 'just a token' has been the starting requirement, and with PKI coming online, it provides a resource path for the tokens independent of linkages to anything else."
How would I set this up and can it be done with any version of Keystone that is available today? I am currently running stable/essex from a devstack installation. I do know how to set up WSGI services in an Apache2 [2], such that the real "authentication" (the user proving that he has the private data belonging to the certificate) leads to an X.509 DN which should be mapped to a Keystone user. Can this DN be considered the "token"? I guess for a direct mapping the tenant for one user would have to be fixed, but this seems to be a limitation of other already documented credential mechanisms as well. I think one could even add a header to the HTTP(S) request to pass in the Tenant in addition to the user credential.
Best regards,
Björn
[1] https:/
[2] http://
Question information
- Language: English
- Status: Solved
- Assignee: No assignee
- Solved by: Joseph Heck
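
The setup the question describes (Apache verifies the client certificate, the resulting DN is mapped to a user, the tenant arrives in a request header), written as WSGI middleware. This is an added example, not part of the original question and not Keystone code; the DN and tenant tables, the `X-Tenant` header name and the `example.tenant` environ key are assumptions made for illustration.

```python
# Added example, not Keystone code. The two tables below are constructed
# sample data; a real deployment would look users and tenants up in its
# identity backend.
DN_TO_USER = {"CN=Alice Example,O=Example Org,C=DE": "alice"}
USER_TENANTS = {"alice": {"demo", "research"}}


def resolve_identity(environ):
    """Return (user, tenant) for a verified client certificate, else None."""
    # mod_ssl exports SSL_CLIENT_VERIFY and SSL_CLIENT_S_DN when
    # "SSLOptions +StdEnvVars" is set. Request headers show up under
    # HTTP_* keys, so only the un-prefixed variables are read here.
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    # The DN is compared exactly as the server reports it; its string
    # format depends on the server version and configuration.
    user = DN_TO_USER.get(environ.get("SSL_CLIENT_S_DN", ""))
    if user is None:
        return None
    # The tenant header is caller-controlled: the certificate proves who
    # the user is, not which tenant they may act in, so check membership.
    tenant = environ.get("HTTP_X_TENANT")
    if tenant not in USER_TENANTS.get(user, set()):
        return None
    return user, tenant


class ClientCertAuth:
    """WSGI middleware: sets REMOTE_USER only from a verified certificate."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        # Discard any identity set before this layer ran.
        environ.pop("REMOTE_USER", None)
        identity = resolve_identity(environ)
        if identity is None:
            body = b"client certificate or tenant not accepted\n"
            start_response("401 Unauthorized",
                           [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
            return [body]
        environ["REMOTE_USER"], environ["example.tenant"] = identity
        return self.app(environ, start_response)
```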