Secure Mobile Access 12.4 Administration Guide

Importing CA Certificates

If the appliance is not configured with the necessary CA certificate, you must obtain a copy and import it to the appliance using AMC. The procedure is the same, whether the certificate will be used to secure connections to back-end resources, or to authenticate users by means of a client certificate.

The new certificate appears in the alphabetical list on the CA Certificates page. When you upload a CA certificate for use with client certificate authentication (and you apply the change), network services are automatically restarted and user connections are terminated, forcing users to reauthenticate. You may want to schedule the change during off-peak hours.

  • If the certificate is being used to secure authentication server connections, check to see that the appropriate LDAP over SSL or Active Directory over SSL settings are enabled on the Configure Authentication Server page in AMC.
  • By default, the Web proxy service is configured to verify the root certificate presented by back-end HTTPS Web servers. This important security check helps ensure that you can trust the identity of the back-end server. See Configuring the Web Proxy Service.
  • If you do not want to trust a CA listed on the CA Certificates page, select the checkbox next to it, and then click Delete.
  • When setting up devices profiles, avoid checking for client certificates within the same zone more than three times. If there are multiple EPC checks for client certificates within the same zone, users may see an error message (An error was encountered encoding data to be sent to the Logon Server).

To import a CA certificate to the appliance

  1. Obtain the trusted root certificate or intermediary public certificate from the CA. Most external commercial CAs provide the certificates on their Web sites; if the CA is run by your company, check with the server administrator.

  2. In the AMC, navigate to System Configuration > SSL Settings.

  3. In the CA Certificates section, click Edit on the NNN certificates line.

  4. Click the + (New) icon.

    The Import CA Certificate page displays.

  5. Do one of the following:

    • If the certificate is in binary format:

      1. Select Certificate file.

      2. Click Browse and then upload the certificate reply from your local file system (the computer from which you’ve logged in to AMC).

    • If the certificate is in base-64 encoded (PEM) text format:

      1. Select Certificate text.

      2. Paste the certificate into the field.

        Be sure to include the BEGIN CERTIFICATE and END CERTIFICATE banners.

  6. Specify the connection types this certificate will be used to secure:

    Connection types for certificates
    Connection typeDescription
    Authentication server connections (LDAPS)Securing your LDAP or Active Directory (AD) connection with SSL enhances security by preventing attempts to impersonate the LDAP or AD server. To configure LDAP or AD over SSL, you must add the root certificate for the CA that granted your LDAP or AD certificate to the SSL trusted roots file.
    Web server connections (HTTPS)

    If you have a back-end Web resource that is secured with SSL (that is, it uses HTTPS instead of HTTP), configure the Web proxy service to verify the root certificate presented by the back-end server. This important security check will help ensure that you can trust the identity of the back-end server. See Configuring the Web Proxy Service for details.

    If the back-end server’s root certificate is not pre-installed on the appliance, you must obtain a copy and import it in AMC.

    Device profiling (End Point Control)

    EPC can be used to verify the validity of certificates submitted by users who connect to the appliance. If a client certificate is used in a device profile to classify users into an EPC zone, the appliance must be configured with the root or intermediary certificates for the CA that issued the client certificate to your users.

    When the appliance interrogates the user’s computer to determine if the specified certificate is present, it can be configured to search just the system store (HKLM\SOFTWARE\Microsoft\SystemCertificates), or also include the user store (HKCU\Software\Microsoft\SystemCertificates).

    OCSP response verificationThe OCSP response signing certificate is used to verify a response from a configured OCSP responder. When importing the OCSP response signing certificate, enable OCSP response verification. This is a different certificate than the CA certificate for the OCSP responder or server itself, which is used in the PKI Authentication server.
  7. Click Import.

    The CA Certificates page displays and displays a confirmation message.

Was This Article Helpful?

Help us to improve our support portal

Techdocs Article Helpful form

Techdocs Article NOT Helpful form

  • Still can't find what you're looking for? Try our knowledge base or ask our community for more help.