After you upload a certificate file and enable SSL Client Certificate Authentication, you may need to disable authentication to troubleshoot an issue or to migrate to a new authentication method.  Or, you may want to remove or replace you current certificate file.

Disabling SSL Client Certificate Authentication

After you disable SSL Client Certificate Authentication, you must reset all Admin, Primary Contributor, and Read Only access user passwords so that users can log in with their ThreatQ username and password.  Maintenance Account users do not require a password reset and can continue to use their current password.

1. Access the ThreatQ host command line via SSH or console.
2. Run the following command:
   sudo /usr/local/bin/tqadmin configure
   The TQadmin configure command displays a series of prompts. 
3. To disable SSL Client Certification, populate the following:
    

   Prompt	Description
   Do you want to enable CAC/mTLS? (yes/no):	Enter no.

4. When prompted, enter your YUM username and password.
5. Run the following command to save and apply your changes:
   sudo /usr/local/bin/tqadmin reapply
6. After your changes are saved, the CAC/PV SSL tab in the User Management page displays a status of Currently Disabled.

Replacing a Certificate File

After you replace a certificate file, you must either reset all Admin, Primary Contributor, and Read Only access user passwords so that users can log in and associate a new certificate with their user profile or add the new certificate fingerprints to each user profile.  Maintenance Account users do not require a password reset and can continue to use their current password.  However, they will also need to select a new certificate to log in using SSL Client Certificate Authentication.

The process for replacing a CA certificate is the same as the process for Configuring SSL Client Certificate Authentication.

After you upload a certificate file and enable SSL Client Certificate Authentication, you may need to disable authentication to troubleshoot an issue or to migrate to a new authentication method.  Or, you may want to remove or replace you current certificate file.

Only Administrative or Maintenance logins have access to the CAC/PIV SSL tab in the User Management page which is used to manage SSL Client Certificate Authentication.

Disabling SSL Client Certificate Authentication

After you disable SSL Client Certificate Authentication, you must reset all Admin, Primary Contributor, and Read Only access user passwords so that users can log in with their ThreatQ username and password.  Maintenance Account users do not require a password reset and can continue to use their current password.

1. From the User Management page, click the CAC/PIV SSL tab.
   
2. Click the Disabled/Enabled toggle to change the status to Disabled.
   The Are You Sure? window prompts you to confirm the change.
3. Click the Confirm button.
   Even though SSL Client Certificate Authentication is disabled, the file that contains the certificate information is not deleted.  This makes it easier for you to re-enable authentication.
4. Reset user passwords to allow users to log in with their ThreatQ username/password.

Removing a Certificate File

After you remove the certificate file, you must reset all Admin, Primary Contributor, and Read Only access user passwords so that users can log in with their ThreatQ username and password.  Maintenance Account users do not require a password reset and can continue to use their current password.

1. From the User Management page, click the CAC/PIV SSL tab.
2. Click the Remove button.
   The Are You Sure? window prompts you to confirm the change.
3. Click the Remove button.
   SSL Client Certificate Authentication is disabled and all information is deleted from the certificate file.
4. Rest user passwords to allow users to log in with their ThreatQ username/password.

Replacing a Certificate File

After you replace a certificate file, you must either reset all Admin, Primary Contributor, and Read Only access user passwords so that users can log in and associate a new certificate with their user profile or add the new certificate fingerprints to each user profile.  Maintenance Account users do not require a password reset and can continue to use their current password.  However, they will also need to select a new certificate to log in using SSL Client Certificate Authentication.

1. From the User Management page, click the CAC/PIV SSL tab.
2. Click the Replace button.
   The Are You Sure? window prompts you to confirm the change.
   
3. Click the Confirm button.
4. Upload the new certificate file using one of the following methods:
   • Drag and drop the file into the dialog box.
   • Select the click to browse link to locate the file on your local machine.
5. After you upload the file, the new certificate's serial number and expiration date is displayed
6. Use one of the following methods to add new certificate fingerprints for users:
   • Reset user passwords so that they can add their own certificate fingerprint during their next login.  
   • Maintenance or Administrative users can use the System Users tab to add the new certificate fingerprint to user profiles.