Previous Page: Using Third-Party Certificates  Next Page: Using Cross-Domain Authentication

Using Multi Certificate Authorities

The Multi CA feature extends mutual SSL authentication to support alternate Certificate Authorities (CAs). With it, the iChain proxy accepts user certificates signed by a CA other than the one that signed the iChain server certificate; without it, only user certificates from the server certificate's own CA are accepted.

For example, if your iChain server certificate is signed by a VeriSign CA, the Multi CA feature can allow users with certificates signed by a Baltimore CA or an Entrust CA to access your system, provided the Baltimore or Entrust CA certificates have been installed into your LDAP server tree. Every CA you install in this way becomes fully trusted to vouch for users during mutual SSL authentication, so install only CAs whose certificate issuance practices you are prepared to rely on.
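The trust decision described above can be reproduced with the openssl command line. The following is an added example and is not part of the iChain documentation or product: it creates three independent root CAs in a scratch directory (all names are invented), has one sign a stand-in for the proxy's server certificate and the others sign user certificates, and then verifies the user certificates against a PEM bundle that plays the role of the trusted root container. It shows that a user certificate from an alternate CA is rejected when only the server certificate's CA is trusted, accepted once the alternate CA is in the bundle, and that a CA you never imported stays untrusted.

```shell
#!/bin/sh
# Added example, not from the iChain documentation: models the Multi CA trust
# decision with openssl. "Server CA" signs the proxy's certificate, "Alternate CA"
# signs a user certificate and is imported, "Unlisted CA" is never imported.
# A PEM bundle stands in for the trusted root container. Names are invented.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Extension profiles: roots must carry CA:TRUE and keyCertSign, otherwise
# openssl verify refuses to treat a v3 certificate as a CA.
cat > "$WORK/ext.cnf" <<'EOF'
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[client]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
[server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
EOF

# make_ca NAME CN: self-signed P-256 root at $WORK/NAME.pem, key in $WORK/NAME.key
make_ca() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key"
    openssl req -new -key "$WORK/$1.key" -subj "/CN=$2" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 2 \
        -extfile "$WORK/ext.cnf" -extensions ca -out "$WORK/$1.pem" 2>/dev/null
}

# issue CA NAME CN PROFILE: end-entity certificate $WORK/NAME.pem signed by $WORK/CA.pem
issue() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$2.key"
    openssl req -new -key "$WORK/$2.key" -subj "/CN=$3" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 1 -extfile "$WORK/ext.cnf" -extensions "$4" \
        -out "$WORK/$2.pem" 2>/dev/null
}

# chains_to BUNDLE CERT: succeeds only if CERT chains to a root present in BUNDLE.
# The "<file>: OK" line is matched instead of the exit status, because old
# openssl releases exited 0 even when verification failed.
chains_to() {
    openssl verify -CAfile "$WORK/$1" "$WORK/$2" 2>&1 | grep -qxF "$WORK/$2: OK"
}

# report BUNDLE CERT: human-readable wrapper around chains_to
report() {
    if chains_to "$1" "$2"; then
        echo "ACCEPT  $2 against $1"
    else
        echo "REJECT  $2 against $1"
    fi
}

make_ca server_ca "Server CA"       # signed the proxy's own server certificate
make_ca alt_ca    "Alternate CA"    # imported into the trusted root container
make_ca other_ca  "Unlisted CA"     # never imported

issue server_ca proxy    "ichain.example.com"   server
issue alt_ca    user     "Alice (alternate CA)" client
issue other_ca  stranger "Bob (unlisted CA)"    client

# Trust store without Multi CA: only the CA that signed the server certificate.
cat "$WORK/server_ca.pem" > "$WORK/server_only.pem"
# Trust store with Multi CA: the server's CA plus every CA in the container.
cat "$WORK/server_ca.pem" "$WORK/alt_ca.pem" > "$WORK/trusted_roots.pem"

report server_only.pem   user.pem      # REJECT: alternate CA is not trusted
report trusted_roots.pem user.pem      # ACCEPT: alternate CA is in the container
report trusted_roots.pem proxy.pem     # ACCEPT: the server's own CA is still trusted
report trusted_roots.pem stranger.pem  # REJECT: a CA you did not import stays untrusted
```

The bundle, not the issuer of the server certificate, decides which users are accepted, which is why the contents of the trusted root container deserve the same change control as the server certificate itself. The script removes its scratch directory on exit; drop the trap line if you want to inspect the generated files.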


Configuring Multi CAs

To configure Multi CAs, you place the alternate CA certificates into your LDAP tree, configure the iChain proxy to use a specified trusted root container, and then create new iChain server certificates. These steps are described below in Task One: Place Alternate CA Certificates Into Your LDAP Tree, Task Two: Configure the iChain Proxy Server to Use a Specified Trusted Root, and Task Three: Create New iChain Server Certificates.


Task One: Place Alternate CA Certificates Into Your LDAP Tree

To place the alternate CA certificates into your LDAP tree:

  1. From ConsoleOne, select the Security object located at the root of your LDAP tree.

  2. Select File > New > New Object

    or

    Click the New Object icon.

  3. Select NDSPKI:Trusted Root > click OK.

  4. Define a name for the trusted root container (for example, iChain Roots) > click OK.

  5. Select the object you just created (for example, the iChain Roots object).

  6. Select File > New > New Object

    or

    Click the New Object icon.

  7. Select NDSPKI:Trusted Root Object > click OK.

  8. Define a name for the trusted root object (for example, Baltimore CA) > click OK.

  9. Click the Read from File button > browse your system for the trusted root certificate > import it into the dialog box

    or

    Paste your trusted root certificate into the dialog box. To use this option, first open the trusted root certificate in a text editor or another program and copy its contents to the clipboard. Then right-click inside the box and select Paste. The certificate is inserted into the dialog box.

  10. Click Finish.

    If you want to add more trusted root certificates, repeat Step 5 through Step 10 for each certificate.


Task Two: Configure the iChain Proxy Server to Use a Specified Trusted Root

To configure the iChain proxy to use a specified trusted root container:

  1. From ConsoleOne, click the Other tab on the iChain Security object (ISO) you previously created for this configuration.

  2. Click Add.

  3. Click iChainTrustedRootContainer > click OK.

  4. Using the Browse button, browse to the trusted root container previously created (see Task One: Place Alternate CA Certificates Into Your LDAP Tree) > click OK.

    or

    Enter the complete name of the previously created trusted root container (for example, iChain Roots.Security).

  5. Click OK.


Task Three: Create New iChain Server Certificates

Only iChain server certificates created or restored after completing Task One: Place Alternate CA Certificates Into Your LDAP Tree and Task Two: Configure the iChain Proxy Server to Use a Specified Trusted Root have the Multi CA feature enabled. Therefore, you need to perform one of the following tasks to enable Multi CA support:
