Secure Mobile Access 12.4 Administration Guide

About Intermediate Certificates

You can configure an authentication server to trust intermediate CAs without verifying the entire chain. This has two benefits: certificate management can be distributed among several signing authorities, some of which may be remote from the root CA server and would otherwise be unable to issue certificates, and security improves because the compromise of any single signing authority does not compromise the entire network.

To configure trusted intermediate certificates, see Configuring a PKI Authentication Server.

For example, you could create a root certificate signing authority on a system that is not connected to the corporate network. You can then issue a set of trusted intermediate signing authority certificates to be deployed in various sectors of the network (often by department or organizational unit). For the VPN, this is most often done to distribute machine or personal certificates to client systems.

Another alternative is to obtain a signing certificate from a commercial certificate authority such as VeriSign or Thawte. In this case, your main CA is itself an intermediate CA.

By SSL rules, the root CA certificate must be accessible in order to validate the entire chain. However, the appliance makes no distinction between importing a CA certificate for trust and importing a CA certificate only to validate the certificate chain of the intermediate CA that you want the appliance to trust. The difference is made by the options selected at import time, which are the connection types the certificate is used to secure: Authentication server connections (LDAPS), Web server connections (HTTPS), and Device profiling (End Point Control). If no options are selected when a CA certificate is imported, that CA is used only to validate certificate chains. A CA certificate used only to validate certificate chains is not offered as a trusted signer during client certificate authentication or EPC certificate enforcement.

When an end user presents a client certificate signed by an intermediate CA, assuming the appliance trusts the signing authority, the user is allowed to authenticate and access resources normally.

When an end user presents a client certificate issued directly by the root CA that signed the trusted intermediate CA, the authentication attempt fails for lack of a valid, trusted certificate unless the administrator has also imported the root CA for trust purposes.

If a client presents a certificate signed by a CA that was imported only for chain validation, the certificate is rejected. For certificate authentication this results in an authentication failure; for certificate EPC it results in a failure to match the device profile.
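The outcomes described above, as an added openssl demonstration that is not code from the SMA guide or the appliance: a CA passed as -trusted plays the trusted signer, a CA passed only as -untrusted is available for chain building but is never a trust anchor (a CA imported with no options selected), and -partial_chain is what lets verification stop at the intermediate. The CA names, file paths and helper functions are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the SMA guide. Builds a throwaway PKI (offline root,
# departmental intermediate, two client certs) and checks how each client cert
# fares when only the intermediate is a trusted signer. All names and paths are
# constructed for this demo.
set -e
PKI=$(mktemp -d)
EC="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

# issue NAME CN EXTFILE [ISSUER]: create a key and CSR, then sign it with ISSUER's
# key, or self-sign when ISSUER is omitted. Output: $PKI/NAME.{key,csr,crt}
issue() {
  openssl req -new $EC -keyout "$PKI/$1.key" -out "$PKI/$1.csr" -subj "/CN=$2" 2>/dev/null
  if [ -z "$4" ]; then
    openssl x509 -req -in "$PKI/$1.csr" -signkey "$PKI/$1.key" -out "$PKI/$1.crt" \
      -days 30 -extfile "$3" 2>/dev/null
  else
    openssl x509 -req -in "$PKI/$1.csr" -CA "$PKI/$4.crt" -CAkey "$PKI/$4.key" \
      -CAcreateserial -out "$PKI/$1.crt" -days 30 -extfile "$3" 2>/dev/null
  fi
}

make_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$PKI/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$PKI/leaf.ext"
  issue root "Demo Root CA" "$PKI/ca.ext"               # offline root, self-signed
  issue int "Demo Intermediate CA" "$PKI/ca.ext" root   # departmental signing CA
  issue user_int "alice" "$PKI/leaf.ext" int            # client cert from the intermediate
  issue user_root "bob" "$PKI/leaf.ext" root            # client cert issued directly by the root
}

# Appliance-style check: the intermediate is the only trusted signer; the root is
# present for chain validation only. Exit status 0 = accept, non-zero = reject.
accepted_with_trusted_intermediate() {
  openssl verify -purpose sslclient -partial_chain -trusted "$PKI/int.crt" \
    -untrusted "$PKI/root.crt" "$PKI/$1.crt" >/dev/null 2>&1
}

# Strict SSL rule (no -partial_chain): the chain must end at a trusted self-signed
# root. Pass "root" as $2 to model the administrator also importing the root for trust.
accepted_with_full_chain() {
  if [ "$2" = root ]; then EXTRA="-trusted $PKI/root.crt"; else EXTRA=""; fi
  openssl verify -purpose sslclient -trusted "$PKI/int.crt" $EXTRA "$PKI/$1.crt" >/dev/null 2>&1
}

make_pki
for u in user_int user_root; do
  if accepted_with_trusted_intermediate "$u"; then echo "$u: accepted"; else echo "$u: rejected"; fi
done
```

Run it with a recent OpenSSL (1.1.1 or later); alice is accepted, bob is rejected, and alice is also rejected under the strict full-chain check unless the root is added as trusted.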
