Setting up PKI authentication

PKI Authentication (Public Key Infrastructure Authentication) lets users log in to the station with a client certificate that the browser presents during the TLS handshake (mutual TLS, mTLS). The certificate must be signed by a certificate authority (CA) that the station is configured to trust. PKI Authentication is available on any platform and does not require a license feature.

  • The station accepts TLS (HTTPS) connections. The client certificate is exchanged as part of the TLS handshake, so PKI authentication cannot work over a plain HTTP connection.

  • The clientCertAuth palette is recommended; it provides the PKI Authentication Scheme used in the steps below.

  • Each user must have a CA-signed client certificate installed in their browser, and the public certificate of that CA must be available to the station.

  • Note: Users can only log in to a station via PKI Authentication in the browser.

Use cases for PKI authentication:

  • User Authentication: You want your users to log in using a client certificate.

  • Trusted Certificates: The client certificates are signed by a known CA that can be configured in the station.

  • Pre-Configuration: Your users need to be set up in advance on the station.

  1. In Workbench, connect to the station and navigate to Services > Authentication Service > Authentication Schemes.
  2. Open the clientCertAuth palette, and add the PKI Authentication Scheme to the Authentication Schemes folder.
  3. Under PKI Authentication Scheme, open the CA Certificates folder. A CA Configuration should already be present if the scheme was dragged from the palette. More can be added as needed.
  4. In CA Configuration, configure the CA as needed (see "clientCertAuth-CA Configuration" in the "Components, views and windows" chapter for more details).
  5. In Services > User Service, create a new user in the station and assign the PKI Authentication Scheme and a role to it.
    The user's name must match the username carried in the user's certificate (for details on how the username is read from the certificate, see "clientCertAuth-CA Configuration" in the "Components, views and windows" chapter).
  6. Restart the Web Service. When a CA Configuration is modified, the Web Service restarts automatically after 2 minutes, but you can also restart it manually at any time.

User login with PKI authentication
  1. When a user opens the station's login page in the browser, the browser prompts them to select a certificate from a list, provided the client certificate is installed in the browser and its CA is configured on the station.
  2. The user selects their certificate.
  3. To log in to the station, the user clicks Log in with SSO. The button text differs if the Login Button Text property on the PKI Authentication Scheme was modified.
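The following Go program is an added example, not code from the original page or from the clientCertAuth module. It stands in for the two parties in the steps above: a loopback TLS server plays the station, configured to require a client certificate that chains to a trusted CA (the CA Configuration entries), and a TLS client plays the browser presenting the user's certificate. It mints a throwaway CA and certificates of its own, and it assumes the username is carried in the certificate's Subject CN; which field the station actually reads is set in CA Configuration, so treat that mapping and all the names used (Example Corp Root CA, station.example.com, alice, Rogue CA) as illustrative.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// mint issues a test certificate with a fresh P-256 key: a self-signed CA when parent
// is nil (standing in for the CA whose public certificate is loaded into CA
// Configuration), otherwise a leaf signed by parent. Username-in-CN is an assumption.
func mint(parent *tls.Certificate, cn string, serial int64, usage ...x509.ExtKeyUsage) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  usage,
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")}, // lets the client verify the loopback station
	}
	signer, signerKey := tmpl, any(key) // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	check(err)
	leaf, err := x509.ParseCertificate(der)
	check(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// handshake plays both sides of the exchange behind the login page: the station
// (server) requires a client certificate chaining to a configured CA and reads
// the username from it; the browser (client) offers the user's certificate.
func handshake(trustedCA, station, user tls.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(trustedCA.Leaf)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{station},
		ClientAuth:   tls.RequireAndVerifyClientCert, // no certificate, or an untrusted one, fails the handshake
		ClientCAs:    pool,                           // the station's CA Configuration entries
		MinVersion:   tls.VersionTLS12,
	})
	check(err)
	defer ln.Close()
	go func() { // browser side
		conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
			RootCAs:      pool, // the browser must also trust the station's own TLS certificate
			Certificates: []tls.Certificate{user},
		})
		if err == nil {
			// A TLS 1.3 client finishes before the server has judged its certificate; wait for the verdict.
			conn.SetReadDeadline(time.Now().Add(5 * time.Second))
			conn.Read(make([]byte, 1))
			conn.Close()
		}
	}()
	conn, err := ln.Accept() // station side
	check(err)
	defer conn.Close()
	if err := conn.(*tls.Conn).Handshake(); err != nil {
		return "", err // e.g. "tls: client didn't provide a certificate"
	}
	// PeerCertificates[0] is the client's leaf, verified against ClientCAs; only now is its CN safe to use.
	return conn.(*tls.Conn).ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

// demo: the station accepts "alice" from the trusted CA and refuses an "alice" certificate minted by a rogue CA.
func demo() (string, error) {
	ca := mint(nil, "Example Corp Root CA", 1)
	station := mint(&ca, "station.example.com", 2, x509.ExtKeyUsageServerAuth)
	rogue := mint(nil, "Rogue CA", 3)
	accepted, err := handshake(ca, station, mint(&ca, "alice", 4, x509.ExtKeyUsageClientAuth))
	check(err)
	_, rogueErr := handshake(ca, station, mint(&rogue, "alice", 5, x509.ExtKeyUsageClientAuth))
	return accepted, rogueErr // "alice", plus a non-nil error for the rogue attempt
}

func main() {
	fmt.Println(demo())
}
```

Two points worth noticing. The rogue attempt fails even though its CN says alice: the verified chain, not the name in the certificate, is what authenticates the user, so the CA Configuration on the station should list only the CA that actually issues your users' certificates, never a broadly trusted public one. Second, the Go client, like most browsers, offers a certificate only if its issuer appears in the CA list the server advertises in its certificate request, which is why the browser's certificate prompt appears only once the CA is configured on the station.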