Certificate Based Authentication in CloudBolt

Certificate based authentication has been available since version 2.0 of the product.  If you want to give certificate based authentication a try in CloudBolt, follow these simple steps:

 

Configuring PKI in CloudBolt's Web Interface

  1. Log into CloudBolt as an admin user
  2. From the DB browser page, replace "/admin/db/" with "/alladmin/"
  3. Find the Utilities section and click on '+ Add' in the PKIUtilities row
  4. Enter regular expressions that should evaluate to the username, first, last and email fields based on the Subject (or DN) field in the user certificates your company uses
  5. Optionally, choose the groups in which new users should have the requestor, approver, etc. roles.  IMPORTANT: Do not assign the inventory manager role, as it has been deprecated
  6. Save the form
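
The expressions for step 4 can be checked offline against a sample Subject string before they are saved. This is an added example, not CloudBolt code: the patterns, the sample DNs and the assumption that the first capture group becomes the field value are illustrative, since the page does not describe how the form applies the expressions.

```python
import re

# Hypothetical patterns for the four fields named in step 4. Assumption: the
# first capture group of each pattern is used as the field value.
# Each pattern is anchored to an attribute boundary ("/" or ",") so that
# "UID=" cannot match inside a longer attribute name or another value.
START = r"(?:^|[/,])\s*"
END = r"(?=\s*[/,]|$)"
PATTERNS = {
    "username": START + r"UID=([A-Za-z0-9._-]+)" + END,
    "first": START + r"CN=([^/,\s]+)\s+[^/,]+?" + END,
    "last": START + r"CN=[^/,\s]+\s+([^/,]+?)" + END,
    "email": START + r"emailAddress=([^/,@\s]+@[^/,@\s]+)" + END,
}

# Constructed sample subjects, not taken from a real certificate.
SAMPLE_DN = ("/C=US/O=Example Corp/OU=People/CN=Jane Doe"
             "/UID=jdoe/emailAddress=jane.doe@example.com")
NO_EMAIL_DN = "/C=US/O=Example Corp/OU=People/CN=Jane Doe/UID=jdoe"


def extract_fields(subject_dn, patterns=PATTERNS):
    """Return (fields, missing): captured values and the fields that did not match."""
    fields, missing = {}, []
    for name, pattern in patterns.items():
        match = re.search(pattern, subject_dn)
        if match and match.group(1).strip():
            fields[name] = match.group(1).strip()
        else:
            missing.append(name)
    return fields, missing


if __name__ == "__main__":
    for dn in (SAMPLE_DN, NO_EMAIL_DN):
        fields, missing = extract_fields(dn)
        print(dn)
        print("  fields :", fields)
        print("  missing:", missing or "none")
```

A subject that leaves any field in `missing` would produce an incomplete user record, so adjust the pattern until every certificate profile in use returns all four fields.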

 

Configure PKI in CloudBolt's server settings

Edit /var/opt/cloudbolt/proserv/customer_settings.py, and append the following section to the file:

# Enable PKI section
LOGIN_URL = "/pki/login"

from settings import INSTALLED_APPS
INSTALLED_APPS += ('pki',)

 

Configure apache to require client certificates for the /pki/login url

  1. scp a copy of the root CA certificate to the c2 server.  For this article we'll use /var/opt/cloudbolt/proserv/ca.crt as the path for the certificate
  2. Edit /etc/httpd/conf/httpd.conf, and add the following section:
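# SSLCACertificateFile is only valid in server config or virtual host context,
# so it is placed outside the <Location> block
SSLCACertificateFile /var/opt/cloudbolt/proserv/ca.crt
<Location /pki/login>
SSLVerifyClient require
SSLVerifyDepth 5
SSLOptions +StdEnvVars
</Location>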

        * If you are using an intermediate CA cert, instead of SSLCACertificateFile use the directive SSLCertificateChainFile

  3. Restart httpd
