diff --git a/content/operate/rs/7.22/security/certificates/certificate-based-authentication.md b/content/operate/rs/7.22/security/certificates/certificate-based-authentication.md index 67ee0d7cb2..2439a86599 100644 --- a/content/operate/rs/7.22/security/certificates/certificate-based-authentication.md +++ b/content/operate/rs/7.22/security/certificates/certificate-based-authentication.md @@ -96,18 +96,32 @@ Before you can connect to a database using certificate-based authentication, you ### Create certificate auth_method users {#create-cert-users} -When you [create new users]({{}}), include `"auth_method": "certificate"` and `certificate_subject_line` in the request body : +When you [create new users]({{}}), include `"auth_method": "certificate"` and `certificate_subject_line` in the request body: ```sh POST /v1/users { "auth_method": "certificate", - "certificate_subject_line": "CN=, OU=, O=, L=, ST=, C=" + "certificate_subject_line": "CN=,OU=,O=,L=,ST=,C=" } ``` Replace the placeholder values `<>` with your client certificate's subject values. +{{}} +The `certificate_subject_line` must: + +- Follow [RFC 2253](https://www.rfc-editor.org/rfc/rfc2253) format. + +- List the attributes in reverse order, starting with the Common Name (`CN`). + +- Not contain spaces after the commas that separate attributes. + +- Exactly match the certificate's RFC 2253 subject. + +- Contain only one Organizational Unit (`OU`) value. +{{}} + ## Authenticate REST API requests To use the REST API with certificate-based authentication, you must provide a client certificate, signed by the trusted CA `mtls_trusted_ca`, and a private key. diff --git a/content/operate/rs/7.8/security/certificates/certificate-based-authentication.md b/content/operate/rs/7.8/security/certificates/certificate-based-authentication.md index 2710fb0ddc..b52e9b901c 100644 --- a/content/operate/rs/7.8/security/certificates/certificate-based-authentication.md 
+++ b/content/operate/rs/7.8/security/certificates/certificate-based-authentication.md @@ -80,18 +80,32 @@ Before you can connect to a database using certificate-based authentication, you ### Create certificate auth_method users {#create-cert-users} -When you [create new users]({{}}), include `"auth_method": "certificate"` and `certificate_subject_line` in the request body : +When you [create new users]({{}}), include `"auth_method": "certificate"` and `certificate_subject_line` in the request body: ```sh POST /v1/users { "auth_method": "certificate", - "certificate_subject_line": "CN=, OU=, O=, L=, ST=, C=" + "certificate_subject_line": "CN=,OU=,O=,L=,ST=,C=" } ``` Replace the placeholder values `<>` with your client certificate's subject values. +{{}} +The `certificate_subject_line` must: + +- Follow [RFC 2253](https://www.rfc-editor.org/rfc/rfc2253) format. + +- List the attributes in reverse order, starting with the Common Name (`CN`). + +- Not contain spaces after the commas that separate attributes. + +- Exactly match the certificate's RFC 2253 subject. + +- Contain only one Organizational Unit (`OU`) value. +{{}} + ## Authenticate REST API requests To use the REST API with certificate-based authentication, you must provide a client certificate, signed by the trusted CA `mtls_trusted_ca`, and a private key. diff --git a/content/operate/rs/security/certificates/certificate-based-authentication.md b/content/operate/rs/security/certificates/certificate-based-authentication.md index ba6aa7b27b..931e310ef0 100644 --- a/content/operate/rs/security/certificates/certificate-based-authentication.md +++ b/content/operate/rs/security/certificates/certificate-based-authentication.md 
@@ -162,12 +162,26 @@ PUT /v1/cluster POST /v1/users { "auth_method": "certificate", - "certificate_subject_line": "CN=, OU=, O=, L=, ST=, C=" + "certificate_subject_line": "CN=,OU=,O=,L=,ST=,C=" } ``` Replace the placeholder values `<>` with your client certificate's subject values. + {{}} +The `certificate_subject_line` must: + +- Follow [RFC 2253](https://www.rfc-editor.org/rfc/rfc2253) format. + +- List the attributes in reverse order, starting with the Common Name (`CN`). + +- Not contain spaces after the commas that separate attributes. + +- Exactly match the certificate's RFC 2253 subject. + +- Contain only one Organizational Unit (`OU`) value. + {{}} + ### Authenticate REST API requests To use the REST API with certificate-based authentication, you must provide a client certificate, signed by the trusted CA `mtls_trusted_ca`, and a private key. 
@@ -186,18 +200,32 @@ To set up certificate-based authentication for databases: 1. Enable mutual TLS for the relevant databases. See [Enable TLS]({{}}) for detailed instructions. -1. When you [create new users]({{}}), include `"auth_method": "certificate"` and `certificate_subject_line` in the request body : +1. When you [create new users]({{}}), include `"auth_method": "certificate"` and `certificate_subject_line` in the request body: ```sh POST /v1/users { "auth_method": "certificate", - "certificate_subject_line": "CN=, OU=, O=, L=, ST=, C=" + "certificate_subject_line": "CN=,OU=,O=,L=,ST=,C=" } ``` Replace the placeholder values `<>` with your client certificate's subject values. + {{}} +The `certificate_subject_line` must: + +- Follow [RFC 2253](https://www.rfc-editor.org/rfc/rfc2253) format. + +- List the attributes in reverse order, starting with the Common Name (`CN`). + +- Not contain spaces after the commas that separate attributes. + +- Exactly match the certificate's RFC 2253 subject. + +- Contain only one Organizational Unit (`OU`) value. + {{}} + ### Authenticate database connections To connect to a database with certificate-based authentication, you must provide a client certificate, signed by a trusted CA, and a private key. The client certificate must either be one you previously added to the database to [enable mutual TLS]({{}}) (`authentication_ssl_client_certs` in the REST API), or be signed by one of these certificates.
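Review bot: in the 7.22 hunk (`@@ -96,18 +96,32 @@`), the bullet "Exactly match the certificate's RFC 2253 subject" gives the reader no way to obtain that string, so the value ends up hand-assembled from the certificate fields and any difference in order, spacing or escaping breaks the match. Suggest adding the command that prints the subject in this form, for example `openssl x509 -in <client-cert>.pem -noout -subject -nameopt RFC2253` (the file name is a placeholder), and telling readers to copy the text after `subject=` unchanged into `certificate_subject_line`. The same gap exists in each copy of this note in the other hunks.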
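Review bot: in the 7.8 hunk (`@@ -80,18 +80,32 @@`), "List the attributes in reverse order, starting with the Common Name (`CN`)" does not say what the order is the reverse of, and a reader looking at a default certificate dump that prints `C=` first cannot tell which side is "reversed". Suggest wording it relative to the certificate, such as "most specific attribute first (`CN`), ending with the country (`C`), which is the reverse of the order stored in the certificate", so it lines up with the `CN=,OU=,O=,L=,ST=,C=` example above it. Since the first bullet links RFC 2253, it is also worth a short mention that RFC 4514 obsoletes it, so readers searching for the current spec understand why the older number is cited.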
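Review bot: in the first hunk of the unversioned file (`@@ -162,12 +162,26 @@`), "Contain only one Organizational Unit (`OU`) value" states a constraint without saying what it means for a client certificate whose subject carries more than one `OU`. Please state whether such certificates cannot be used for `"auth_method": "certificate"` users or whether one of the values is to be listed, because together with the "Exactly match" bullet the two requirements cannot both be met for a multi-`OU` subject.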
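Review bot: in the second hunk of the unversioned file (`@@ -186,18 +200,32 @@`), the added note sits inside numbered step `1.`, and as shown the opening and closing shortcode lines are indented while "The `certificate_subject_line` must:" and the five bullets start at column 0. Column-0 content ends the list item in Markdown, so the note can render outside the step and later steps can restart their numbering. Indent the whole note body to the step's content level. The `@@ -162` hunk shows the same mixed indentation, whereas the 7.22 and 7.8 hunks put the shortcode at column 0. The identical block is also now pasted in four places across three files; a shared include would keep the copies from drifting.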