document pomerium-cli client cert functionality #1001
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
✅ Deploy Preview for pomerium-docs ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
kenjenkins
force-pushed
the
kenjenkins/cli-client-certs
branch
from
621a8ef to
60180bd
Compare
ZPain8464
approved these changes
Jan 25, 2024
|
|
||
| This will search the Keychain (on macOS) or the Windows certificate store (on Windows) for a client certificate and private key, based on the trusted CA names advertised by Pomerium in the TLS handshake. | ||
|
|
||
| If you need to select between multiple matching client certificates, you can additionally filter based on the Distinguished Name of the certificate's Issuer and/or the certificate Subject. |
There was a problem hiding this comment.
Suggested change
| If you need to select between multiple matching client certificates, you can additionally filter based on the Distinguished Name of the certificate's Issuer and/or the certificate Subject. | |
| If you need to select between multiple matching client certificates, you can additionally filter based on the **Distinguished Name** of the certificate's Issuer and/or the certificate **Subject**. |
There was a problem hiding this comment.
I'd prefer not to show these terms in bold.
|
|
||
| If you need to select between multiple matching client certificates, you can additionally filter based on the Distinguished Name of the certificate's Issuer and/or the certificate Subject. | ||
|
|
||
| For example, to filter for a certificate directly issued by a CA with the Common Name "My Trusted CA": |
There was a problem hiding this comment.
Suggested change
| For example, to filter for a certificate directly issued by a CA with the Common Name "My Trusted CA": | |
| For example, to filter for a certificate directly issued by a CA with the **Common Name** "My Trusted CA": |
| pomerium-cli tcp --client-cert-from-store --client-cert-issuer "CN=My Trusted CA" redis.corp.example.com:6379 | ||
| ``` | ||
|
|
||
| Or, to filter for a certificate whose Subject contains the Organizational Unit Name "My Department": |
There was a problem hiding this comment.
Suggested change
| Or, to filter for a certificate whose Subject contains the Organizational Unit Name "My Department": | |
| Or, to filter for a certificate whose Subject contains the **Organizational Unit Name** "My Department": |
|
|
||
| The certificate name filter syntax is `attribute=value`. A name filter can accept only one name attribute. The value must be an exact match (not a substring match). Make sure to quote name filters as appropriate for your shell. | ||
|
|
||
| For example, `--client-cert-issuer "CN=My Trusted CA"` would filter for a certificate directly issued by a CA with the Common Name "My Trusted CA". |
There was a problem hiding this comment.
Suggested change
| For example, `--client-cert-issuer "CN=My Trusted CA"` would filter for a certificate directly issued by a CA with the Common Name "My Trusted CA". | |
| For example, `--client-cert-issuer "CN=My Trusted CA"` would filter for a certificate directly issued by a CA with the **Common Name** "My Trusted CA". |
|
|
||
| For example, `--client-cert-issuer "CN=My Trusted CA"` would filter for a certificate directly issued by a CA with the Common Name "My Trusted CA". | ||
|
|
||
| Or, `--client-cert-subject "OU=My Department"` would filter for a certificate whose Subject name contains the Organizational Unit Name "My Department". |
There was a problem hiding this comment.
Suggested change
| Or, `--client-cert-subject "OU=My Department"` would filter for a certificate whose Subject name contains the Organizational Unit Name "My Department". | |
| Or, `--client-cert-subject "OU=My Department"` would filter for a certificate whose Subject name contains the **Organizational Unit Name** "My Department". |
Co-authored-by: zachary painter <[email protected]>
|
Now that this new functionality has been released (in pomerium-cli v0.23.0), I think we can go ahead and merge this. |
backport-actions-token bot
pushed a commit
that referenced
this pull request
Apr 23, 2024
Add a section to the main "TCP over HTTP Support" page to mention the client cert options provided by pomerium-cli, and add the new certificate store flags to the table on the reference page. --------- Co-authored-by: zachary painter <[email protected]>
kenjenkins
added a commit
that referenced
this pull request
Apr 23, 2024
document pomerium-cli client cert functionality (#1001) Add a section to the main "TCP over HTTP Support" page to mention the client cert options provided by pomerium-cli, and add the new certificate store flags to the table on the reference page. --------- Co-authored-by: Kenneth Jenkins <[email protected]> Co-authored-by: zachary painter <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add a section to the main "TCP over HTTP Support" page to mention the client cert options provided by
pomerium-cli, and add the new certificate store flags to the table on the reference page.Resolves #995.
We may also want to update the mention of client certificate within https://www.pomerium.com/docs/capabilities/tcp/client#advanced-settings, but I think that can be done separately (after the Desktop Client UI changes are merged).