Authenticating with certificates
Client-side certificate authentication allows a client to use a digital certificate as their authentication
credentials when logging on to an ePolicy Orchestrator server.
This chapter details how and when certificate authentication should be used.
Contents
When to use certificate authentication
Configuring ePolicy Orchestrator for certificate authentication
Uploading server certificates
Removing server certificates
Configuring users for certificate authentication
Problems with certificate authentication
When to use certificate authentication
Certificate authentication is the most secure method available. However, it is not the best choice for all
environments.
Certificate authentication is an extension of public-key authentication. It uses public keys as a basis,
but differs from public-key authentication in that you only need to trust a trusted third party known as
a certification authority (or CA). Certificates are digital documents containing a combination of identity
information and public keys. They are digitally signed by the CA, which verifies that the information is
accurate.
Advantages of certificate-based authentication
Certificate-based authentication has a number of advantages over password authentication:
• Certificates have predefined lifetimes. This allows for a forced, periodic review of a user's
permissions when their certificate expires.
• If a user's access must be suspended or terminated, the certificate can be added to a certificate
revocation list, or CRL, which is checked on each logon attempt to prevent unauthorized access.
• Certificate authentication is more manageable and scalable in large institutions than other forms of
authentication because only a small number of CAs (frequently only one) must be trusted.
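The three properties above (trust placed in one CA, a fixed lifetime, and a CRL consulted at each logon) can be reproduced with the OpenSSL command line. This is an added example, not part of the product guide and not a description of how ePolicy Orchestrator performs the check; the CA, the users alice and bob, the file names, and the helpers demo_ca, issue and check_logon are all constructed for the demonstration.

```bash
# Added example: a throwaway CA, two client certificates and a CRL, all constructed here.
W=$(mktemp -d)   # scratch directory for the demo PKI
cat > "$W/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo
[ demo ]
database = $W/index.txt
new_certs_dir = $W
serial = $W/serial
default_md = sha256
default_days = 30
default_crl_days = 7
policy = any
[ any ]
commonName = supplied
EOF
: > "$W/index.txt"; echo 01 > "$W/serial"
demo_ca() { openssl ca -batch -config "$W/ca.cnf" -cert "$W/ca.pem" -keyfile "$W/ca.key" "$@" >/dev/null 2>&1; }
issue() {  # $1 = user name; extra arguments go to "openssl ca"
  u=$1; shift
  openssl req -newkey rsa:2048 -nodes -config "$W/ca.cnf" -subj "/CN=$u" \
    -keyout "$W/$u.key" -out "$W/$u.csr" 2>/dev/null
  demo_ca -notext -in "$W/$u.csr" -out "$W/$u.pem" "$@"
}
# Logon-time decision: chains to the trusted CA, is inside its lifetime, is not on the CRL.
check_logon() {  # $1 = certificate presented at logon
  if out=$(openssl verify -CAfile "$W/ca.pem" -CRLfile "$W/crl.pem" -crl_check "$1" 2>&1)
  then echo ACCEPT
  else echo "REJECT: $(printf '%s\n' "$out" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1)"
  fi
}
openssl req -x509 -newkey rsa:2048 -nodes -config "$W/ca.cnf" -subj "/CN=Demo CA" \
  -days 30 -keyout "$W/ca.key" -out "$W/ca.pem" 2>/dev/null   # the one trusted root
issue alice
issue bob -startdate 200101000000Z -enddate 200201000000Z   # lifetime already over
demo_ca -gencrl -out "$W/crl.pem"
R_VALID=$(check_logon "$W/alice.pem")     # ACCEPT
R_EXPIRED=$(check_logon "$W/bob.pem")     # REJECT (expired)
demo_ca -revoke "$W/alice.pem"            # access terminated: revoke and republish the CRL
demo_ca -gencrl -out "$W/crl.pem"
R_REVOKED=$(check_logon "$W/alice.pem")   # REJECT (revoked)
printf '%s\n' "valid: $R_VALID" "expired: $R_EXPIRED" "revoked: $R_REVOKED"
```

The certificate for alice is byte-for-byte the same in the first and last check; only the republished CRL changes the outcome, which is why the list has to be current at every logon.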
Disadvantages of certificate-based authentication
Not every environment is best for certificate-based authentication. Disadvantages of this method
include:
• A public-key infrastructure is required. This can add cost that in some cases may not be
worth the additional security.
• Maintaining certificates requires additional overhead compared to password-based
authentication.
Configuring ePolicy Orchestrator for certificate authentication
Before users can log on with certificate authentication, ePolicy Orchestrator must be configured properly.
Before you begin
You must have already received a signed certificate in P7B, PKCS12, DER, or PEM format.
McAfee® ePolicy Orchestrator® 4.6.0 Software Product Guide, Configuring advanced server settings: Authenticating with certificates