Trust a client
Add a certificate to known_clients/ so the server accepts connections from
that identity (or any identity signed by that CA).
Trust a CA (recommended)
Adding a CA certificate trusts all end-entity certificates it signs, including future ones. This is the typical choice for granting access to an org's users:
# Copy the client org's CA cert to your known_clients
cp /path/to/client_ca.pem \
$VIRTUAL_ENV/etc/certified/known_clients/client-org.crt
Or via the CLI:
certified add-client client-org /path/to/client_ca.pem \
--config $VIRTUAL_ENV/etc/certified
Trust a specific end-entity
Warning: TLS validation does not permit trusting self-signed end-entity certificates directly. To trust a specific person, add their CA cert instead.
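The following shell audit, added here and not part of certified itself, checks that every .crt in a known_clients directory is a CA certificate rather than an end-entity cert that TLS validation would silently refuse to trust; it assumes the openssl CLI is on PATH and the directory path is passed as the first argument.

```shell
#!/bin/sh
# Audit a certified known_clients/ directory (added example, not part of
# certified). Every *.crt there should be a CA certificate: TLS validation
# will not trust a self-signed end-entity certificate dropped into it.
# Assumes the openssl CLI is on PATH.

# Classify one PEM certificate: "ca" if Basic Constraints says CA:TRUE,
# "end-entity" if it parses but is not a CA, "unreadable" otherwise.
cert_kind() {
  text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || {
    echo unreadable
    return
  }
  case $text in
    *'CA:TRUE'*) echo ca ;;
    *)           echo end-entity ;;
  esac
}

# Walk a known_clients directory. Returns 0 when every *.crt is a CA
# certificate, 1 otherwise, naming each offending file on stderr.
check_known_clients() {
  dir=$1
  bad=0
  for f in "$dir"/*.crt; do
    [ -e "$f" ] || continue   # glob matched nothing: empty directory
    kind=$(cert_kind "$f")
    case $kind in
      ca) ;;
      end-entity)
        echo "$f: end-entity certificate; add the issuing CA cert instead" >&2
        bad=1 ;;
      *)
        echo "$f: not a readable PEM certificate" >&2
        bad=1 ;;
    esac
  done
  return $bad
}

# Usage: sh audit_known_clients.sh "$VIRTUAL_ENV/etc/certified/known_clients"
if [ "$#" -gt 0 ]; then
  check_known_clients "$1"
fi
```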
Using the introduction workflow instead
For cross-org access, the introduce / add-intro workflow
is easier: the signer runs introduce and the subject runs add-intro, which
installs the signed cert on the subject's side. On the server side, the
server already trusts all certs signed by its own CA; to additionally trust
an external client, add that client's CA:
certified add-client external-org external_ca.pem \
--config $VIRTUAL_ENV/etc/certified
Authorisation
add-client controls authentication — who is allowed to connect.
What a connected client is permitted to do is handled separately by the
biscuit layer. See Authorization Model.