Secure Mobile Access 12.4 Administration Guide

Certificate Strategy

There are two types of certificates:

  • A commercial CA verifies your company’s identity and vouches for it by issuing you a certificate that the CA signs. A CA need not be commercial or third-party; a company can act as its own CA. Commercial certificates are purchased from a CA such as Symantec (http://www.symantec.com/ssl-certificates) and are usually valid for one year.
  • With a self-signed SSL certificate, you vouch for your own identity. The associated private key data is encrypted using a password. A self-signed certificate can also be a wildcard certificate, allowing it to be used by multiple servers that share the same IP address and certificate but have different FQDNs.

    Although a self-signed certificate protects the connection just as well, it is not in the browser’s built-in list of trusted CAs, so the user is prompted to accept it before each connection. There are a few ways to avoid this prompting:

    • Configure the Secure Mobile Access clients to use the certificate root file.

    • Add the self-signed certificate to the user’s list of Trusted Root Certificate Authorities in the Web browser.

    • Use a commercial CA, which is widely trusted by default.
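
The following script is an added example and is not part of the SonicWall guide: it builds the kind of self-signed wildcard certificate described above (password-protected private key, one certificate covering several FQDNs), shows that validation fails against a trust list that does not contain it (the accept-this-certificate prompt), and shows that adding the certificate to the trusted-root list makes the same certificate validate. It assumes `openssl` 1.1.1 or later is on the PATH; every hostname, passphrase and file name is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the SMA guide: self-signed wildcard certificate
# with an encrypted key, checked against two trust lists and several hostnames.
# Assumes openssl 1.1.1+ on PATH; all names and the passphrase are constructed.
set -eu

WORK="${TMPDIR:-/tmp}/selfsigned-demo.$$"
KEY_PASS="example-passphrase"   # constructed; encrypts the private key on disk

make_selfsigned_wildcard() {
    mkdir -p "$WORK"
    # -passout encrypts the key under the password; the SAN carries the
    # wildcard plus the bare domain so one certificate serves several hosts.
    openssl req -x509 -newkey rsa:2048 -days 365 \
        -keyout "$WORK/wildcard.key" -out "$WORK/wildcard.crt" \
        -passout "pass:$KEY_PASS" -subj "/CN=*.example.com" \
        -addext "subjectAltName=DNS:*.example.com,DNS:example.com" >/dev/null 2>&1
}

# A trust list holding some other root but not ours (constructed), which is how
# a browser's built-in CA list looks from the self-signed certificate's side.
make_unrelated_trust_list() {
    openssl req -x509 -newkey rsa:2048 -days 365 -nodes \
        -keyout "$WORK/other.key" -out "$WORK/unrelated-roots.pem" \
        -subj "/CN=Unrelated Root CA" >/dev/null 2>&1
}

# Chain validation against the given trust list; exit 0 means "no prompt".
verify_against() {
    openssl verify -CAfile "$1" "$WORK/wildcard.crt" >/dev/null 2>&1
}

# Before the root is added: validation fails, i.e. the user would be prompted.
verify_without_trust() {
    make_unrelated_trust_list
    if verify_against "$WORK/unrelated-roots.pem"; then return 1; else return 0; fi
}

# After adding the self-signed certificate to the trusted-root list: it validates.
verify_with_trust() {
    cp "$WORK/wildcard.crt" "$WORK/trusted-roots.pem"
    verify_against "$WORK/trusted-roots.pem"
}

# Hostname check: the wildcard covers sibling hosts, not deeper labels or other domains.
name_matches() {
    openssl verify -CAfile "$WORK/wildcard.crt" -verify_hostname "$1" \
        "$WORK/wildcard.crt" >/dev/null 2>&1
}
```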

When deciding which type of certificate to use for the servers, consider who will be connecting to the appliance and how they will use resources on your network:

  • If business partners are connecting to Web resources through the appliance, they will likely want some assurance of your identity before performing a transaction or providing confidential information. In this case, you would probably want to obtain a certificate from a commercial CA for the appliance.

    On the other hand, employees connecting to Web resources may trust a self-signed certificate. Even then, you may want to obtain a third-party certificate so that users are not prompted to accept a self-signed certificate each time they connect.

  • To accommodate users who connect to the appliance from small form factor devices, configure the appliance with a certificate from a leading CA (such as VeriSign), or import the root certificate from your CA to your users’ small form factor devices.

When the appliance is configured with a certificate from a CA that is not well known or one that is self-signed, small form factor device users may see an error message and be unable to log in. For more information on small form factor devices, see WorkPlace and Small Form Factor Devices.
