Secure Mobile Access 12.4 Administration Guide

Configuring a PKI Authentication Server

You can set up a certificate server so that a user authenticates using a client certificate on his or her device. Digital certificate authentication can be used alone or in conjunction with another authentication method, such as RADIUS. (If you set up chained authentication and a digital certificate is one of the methods you use, it must be the first method; for more information, see Configuring Chained Authentication.)

Affinity servers should be used only for authentication servers that do not include full group search capabilities, such as RADIUS, RSA, and PKI servers.

  • If both CRL and OCSP are enabled for a CA certificate, only OCSP is used.

  • Fallback from CRL to OCSP or OCSP to CRL is not supported.

To configure a PKI authentication server

  1. In the AMC, navigate to System Configuration > Authentication Servers.

  2. Click New.

  3. Under Authentication directory, click Public key infrastructure (PKI).

    Digital certificate is automatically selected as the Credential type (this is the only possible value).

  4. Click Continue.

    The Edit Authentication Server page displays.

  5. In the Name field, type a name for the authentication server.

  6. Under Trusted CA certificates, optionally select the Trust intermediate CAs without verifying the entire chain checkbox. This allows a set of trusted intermediate signing authority certificates to be deployed in various sectors of the network (often by department or organizational unit). For more information, see About Intermediate Certificates.

  7. On the left is a list of All CA certificates used by the appliance. Specify one or more root certificates for establishing a trust relationship with the client device by selecting the checkbox to the left of a certificate and then clicking the >> button (a root certificate is one where the Subject and Issuer are the same). A client’s certificate will be trusted if it matches a root certificate listed in the Trusted CA certificates list.

  8. Under Advanced, in the Username attribute field, type the attribute used for single sign-on (for example, cn or uid).

  9. To use an OCSP responder to determine client certificate status, select the Use OCSP to verify client certificates checkbox. If selected, a user may use any access method (ExtraWeb or Connect Tunnel) to authenticate to a realm that uses this PKI authentication method.

  10. Select one of the following options for Use this OCSP responder:

    • System default – A manually configured OCSP responder has priority. The configured OCSP responder URL is shown here if configured. You can configure it by clicking the here link, which takes you to the OCSP page available from SSL Settings.
    • User certificate’s AIA extension – The user certificate is parsed to extract the URL of the OCSP responder. The Authority Information Access (AIA) certificate extension lists URLs for services related to the certificate’s issuer, such as the OCSP responder and the location of the issuing CA’s certificate. The AIA extension can contain HTTP, FTP, LDAP, or FILE URLs.
    • CA certificate’s AIA extension – The CA certificate is parsed to extract the URL of the OCSP responder.

  11. Select the Allow certificate if responder is unavailable checkbox if the authentication should succeed in cases where an error occurs, an unknown status is returned, or the OCSP responder is not available.

  12. Select the Trust signing certificates in response checkbox to trust certificates in the OCSP response. This is enabled by default.

    You must import the OCSP response signing certificate for the CA certificate being used and enable OCSP response verification when importing it. The OCSP response signing certificate can be copied from the OCSP responder or server to a local management machine and then imported from the SSL Settings page while you are logged in to AMC.

  13. Select the Send nonce in request checkbox and Require nonce in response checkbox to guard against malicious replay attacks, in which a successful response is replayed to the client after the subject certificate is revoked.

  14. Click Save.
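The following script is an added example and is not part of the SonicWall guide or the appliance. It uses openssl (1.1.1 or later, for `-addext`) to build a throwaway test PKI and reproduce three checks the steps above depend on: that a root CA is a certificate whose Subject equals its Issuer (step 7), that the OCSP responder URL is taken from the AIA extension of either the user certificate or the CA certificate (step 10), and that an OCSP request built with a nonce actually carries the nonce extension that Require nonce in response later checks (step 13). The CA name, user name, and every URL (ocsp.example.test, ocsp-ca.example.test, ca.example.test) are constructed for the example; no responder is contacted.

```shell
#!/bin/sh
# Added example, not from the SMA 12.4 guide. Builds a test CA and a
# CA-signed user certificate, then performs the root, AIA and nonce checks.
set -eu

DIR=$(mktemp -d)
trap 'rm -rf "$DIR"' EXIT

# Create a self-signed root CA and a CA-signed client certificate. Both carry
# an AIA extension with a constructed OCSP responder URL so that the "User
# certificate's AIA" and "CA certificate's AIA" options can be compared.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Example Root CA" \
        -addext "authorityInfoAccess=OCSP;URI:http://ocsp-ca.example.test/" \
        -keyout "$DIR/ca.key" -out "$DIR/ca.pem" 2>/dev/null

    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=alice" \
        -keyout "$DIR/alice.key" -out "$DIR/alice.csr" 2>/dev/null

    # Extensions for the user certificate: OCSP responder plus caIssuers URL.
    cat > "$DIR/alice.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
authorityInfoAccess = OCSP;URI:http://ocsp.example.test/,caIssuers;URI:http://ca.example.test/root.cer
EOF
    openssl x509 -req -in "$DIR/alice.csr" -CA "$DIR/ca.pem" -CAkey "$DIR/ca.key" \
        -CAcreateserial -days 1 -extfile "$DIR/alice.ext" -out "$DIR/alice.pem" 2>/dev/null
}

# Print "yes" when the certificate is a root (Subject == Issuer), else "no".
is_root_cert() {
    subj=$(openssl x509 -noout -subject -in "$1" | sed 's/^subject=//')
    iss=$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer=//')
    if [ "$subj" = "$iss" ]; then echo yes; else echo no; fi
}

# Print the OCSP responder URL(s) found in the certificate's AIA extension.
ocsp_uri() {
    openssl x509 -noout -ocsp_uri -in "$1"
}

# Build an OCSP request for $2 (issued by $1) into $3, offline. $4 selects
# whether a nonce extension is included ("nonce" or "no_nonce").
build_ocsp_request() {
    if [ "$4" = nonce ]; then
        openssl ocsp -issuer "$1" -cert "$2" -nonce -reqout "$3" >/dev/null
    else
        openssl ocsp -issuer "$1" -cert "$2" -no_nonce -reqout "$3" >/dev/null
    fi
}

# Return 0 if the DER request in $1 contains the OCSP Nonce extension.
request_has_nonce() {
    openssl asn1parse -inform DER -in "$1" | grep -q "OCSP Nonce"
}

make_test_pki
echo "root check ca.pem:    $(is_root_cert "$DIR/ca.pem")"      # yes
echo "root check alice.pem: $(is_root_cert "$DIR/alice.pem")"   # no
echo "OCSP URL from user cert AIA: $(ocsp_uri "$DIR/alice.pem")"
echo "OCSP URL from CA cert AIA:   $(ocsp_uri "$DIR/ca.pem")"

build_ocsp_request "$DIR/ca.pem" "$DIR/alice.pem" "$DIR/req_nonce.der" nonce
build_ocsp_request "$DIR/ca.pem" "$DIR/alice.pem" "$DIR/req_plain.der" no_nonce
for f in req_nonce.der req_plain.der; do
    if request_has_nonce "$DIR/$f"; then echo "$f: nonce present"; else echo "$f: no nonce"; fi
done
```

Run it as a plain sh script; it leaves nothing behind. The AIA check is the one to pay attention to when choosing between the step 10 options: the user and CA certificates can legitimately name different responders, and the appliance only verifies a nonce in the response if the request carried one, which is why the two step 13 checkboxes are normally enabled together.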
