About Intermediate Certificates
You can configure an authentication server to trust an intermediate CA directly, as a trust anchor, without requiring the chain to be verified all the way up to the root. This lets you distribute certificate issuance among several signing authorities, some of which might be remote from the root CA server and so could not otherwise issue certificates, and it limits the damage from a compromise: a compromised intermediate exposes only the certificates that chain to that intermediate, not the certificates issued under the other intermediates. Note the trade-off: because the chain is not validated up to the root, a revocation of the intermediate published by the root is not consulted by the appliance, so a compromised intermediate is retired by removing it from the appliance's trusted CAs.
To configure trusted intermediate certificates, see Configuring a PKI Authentication Server.
For example, you could keep the root certificate signing authority on a system that is never connected to the corporate network (an offline root) and use it to issue a set of trusted intermediate signing authority certificates, deployed in different sectors of the network, often one per department or organizational unit. For the VPN, the intermediates are most often used to issue machine or personal certificates to client systems.
The other alternative is to obtain a signing certificate from a public certificate authority such as VeriSign or Thawte. In this case your main CA is itself an intermediate CA, subordinate to the public root.
Under standard X.509 path validation, as used by SSL/TLS, the root CA certificate must be available in order to validate the entire chain. The appliance, however, uses the same import dialog both for a CA certificate that is to be trusted and for a CA certificate that is only needed to complete the chain above an intermediate CA that you want the appliance to trust; the options selected at import time determine the role. If no options are selected when a CA certificate is imported, that CA is used only to validate certificate chains. (The options are the connection types the certificate is used to secure: Authentication server connections (LDAPS), Web server connections (HTTPS), and Device profiling (End Point Control).) A CA certificate that was imported only to validate certificate chains is not offered as a trusted signer during client certificate authentication or EPC certificate
When an end user presents a client certificate signed by a trusted intermediate CA, the user is allowed to authenticate and access resources normally.
When an end user presents a client certificate issued directly by the root CA above a trusted intermediate CA, the authentication attempt fails unless the administrator has also imported that root CA for trust purposes: the certificate does not chain to any CA that the appliance trusts as a signer, even though the root is known to the appliance for chain validation.
If a client presents a certificate signed by a CA that was imported only for chain validation, the certificate is rejected. For certificate authentication this is an authentication failure; for certificate EPC it is a failure to match the device profile.
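The following script is an added example, not part of the original page and not appliance code. It builds a throwaway root, intermediate and two client certificates with openssl and runs `openssl verify` in four configurations that mirror the cases above: the intermediate alone cannot validate a full chain; the intermediate trusted as an anchor (`-partial_chain`, openssl's equivalent of trusting an intermediate without the root) accepts its own leaf; the same anchor rejects a leaf issued directly by the root; and a root trusted as anchor with the intermediate supplied via `-untrusted` (the closest openssl analogue of a CA imported for chain validation only) accepts the leaf. All names, file names and the `Demo Root CA` / `Demo Intermediate CA` subjects are made up for the demo. It assumes an `openssl` binary of version 1.1.1 or later on the PATH.

```shell
#!/bin/sh
# Added example: demo PKI and chain-validation checks with openssl.
# Every subject name and file name here is constructed for the demo.

# Create root -> intermediate -> leaf, plus a second leaf issued directly by the
# root. Files land in a fresh temp directory whose path is stored in PKI_DIR.
make_demo_pki() {
    PKI_DIR=$(mktemp -d) || return 1
    cd "$PKI_DIR" || return 1

    # Minimal req config so the script does not depend on a system openssl.cnf;
    # the DN is supplied with -subj on each command.
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > req.cnf
    # Extension profiles: CA certificates may sign certificates, leaves may not.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca_ext.cnf
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > leaf_ext.cnf

    # Root CA: CSR self-signed with its own key (openssl output silenced).
    openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
        -keyout root.key -out root.csr -subj "/CN=Demo Root CA" >/dev/null 2>&1 || return 1
    openssl x509 -req -in root.csr -signkey root.key -days 365 \
        -extfile ca_ext.cnf -out root.pem >/dev/null 2>&1 || return 1

    # Intermediate CA: CSR signed by the root.
    openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
        -keyout int.key -out int.csr -subj "/CN=Demo Intermediate CA" >/dev/null 2>&1 || return 1
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 365 -extfile ca_ext.cnf -out int.pem >/dev/null 2>&1 || return 1

    # Client certificate issued by the intermediate (the normal case).
    openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
        -keyout leaf_int.key -out leaf_int.csr -subj "/CN=alice via intermediate" >/dev/null 2>&1 || return 1
    openssl x509 -req -in leaf_int.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -days 365 -extfile leaf_ext.cnf -out leaf_int.pem >/dev/null 2>&1 || return 1

    # Client certificate issued directly by the root (the failing case in the text).
    openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
        -keyout leaf_root.key -out leaf_root.csr -subj "/CN=bob via root" >/dev/null 2>&1 || return 1
    openssl x509 -req -in leaf_root.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 365 -extfile leaf_ext.cnf -out leaf_root.pem >/dev/null 2>&1 || return 1
}

# verify_with ANCHOR LEAF [extra openssl verify options...]
# Prints "ok" when LEAF validates against the trust anchor file ANCHOR under the
# given options, "fail" otherwise. Options must come before the certificate.
verify_with() {
    anchor=$1
    leaf=$2
    shift 2
    if openssl verify -CAfile "$PKI_DIR/$anchor" "$@" "$PKI_DIR/$leaf" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# The four scenarios, printed as a small report.
run_demo() {
    make_demo_pki || { echo "demo PKI setup failed" >&2; return 1; }
    echo "intermediate trusted, full chain to root required : $(verify_with int.pem leaf_int.pem)"
    echo "intermediate trusted as anchor (-partial_chain)    : $(verify_with int.pem leaf_int.pem -partial_chain)"
    echo "leaf issued by root, only intermediate trusted      : $(verify_with int.pem leaf_root.pem -partial_chain)"
    echo "root trusted, intermediate given as -untrusted      : $(verify_with root.pem leaf_int.pem -untrusted "$PKI_DIR/int.pem")"
}

run_demo
```

The second and third lines of the report are the appliance behaviours described above: a leaf signed by the trusted intermediate passes, a leaf signed by the root above it does not, because the root is not an anchor in that configuration. The last line shows the opposite arrangement, where the intermediate is only used to build the path and the root is the anchor; dropping `-untrusted` there also fails, which is the case of a CA that was never imported at all.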