Defining a CA trust list for an application
Applications that support the use of certificates for client authentication during a Secure Sockets Layer (SSL) session must determine whether to accept a certificate as valid proof of identity. One of the criteria that an application uses for authenticating a certificate is whether the application trusts the Certificate Authority (CA) that issued the certificate.
You can use Digital Certificate Manager (DCM) to define which CAs an application can trust when performing client authentication for certificates. You manage the CAs that an application trusts through a CA trust list.
Before you can define a CA trust list for an application, several conditions must be met:
- The application must support the use of certificates for client authentication.
- The definition for the application must specify that the application use a CA trust list.
If the definition for an application specifies that the application use a CA trust list, define the list before the application can perform certificate client authentication successfully. This ensures that the application can validate only those certificates from CAs that you specify as trusted. If users or a client application present a certificate from a CA that is not specified as trusted in the CA trust list, the application will not accept it as a basis for valid authentication.
When you add a CA to the trust list for an application, ensure that the CA is enabled as well.
To define a CA trust list for an application, follow these steps:
- Start DCM. Refer to Starting DCM.
- Click Select a Certificate Store and select *SYSTEM as the certificate store to open.
If you have questions about how to complete a specific form in this guided task, select the question mark (?) at the top of the page to access the online help.
- When the Certificate Store and Password page displays, provide the password that you specified for the certificate store when you created it and click Continue.
- In the navigation frame, select Manage Applications to display a list of tasks.
- From the task list, select Define CA trust list.
- Select the type of application (server or client) for which you want to define the list and click Continue.
- Select an application from the list and click Continue to display a list of CA certificates that you use to define the trust list.
- Select the CAs that the application will trust and click OK. DCM displays a message to confirm your trust list selections.
You can either select individual CAs from the list or you can specify that the application will trust all or trust none of the CAs in the list. Also, you can view or validate the CA certificate before you add it to the trust list.
Parent topic:
Managing applications in DCMRelated concepts
Digital certificates for VPN connections