4.6 Trusted Root Object Tasks

4.6.1 Creating a Trusted Root Container

This task is described in Creating a Trusted Root Container.

4.6.2 Creating a Trusted Root Object

This task is described in Creating a Trusted Root Object.

4.6.3 Viewing a Trusted Root Object's Properties

In addition to the eDirectory rights and properties that are viewable with any eDirectory object, you can also view properties specific to the Trusted Root object, including the issuer, the certificate status, and the validation period.

  1. Launch iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Section B.0, Entry Rights Needed to Perform Tasks.

  3. On the Roles and Tasks menu, click Directory Administration > Modify Object.

  4. Browse to and click the Trusted Root object you want to view.

  5. Click OK.

  6. To view the certificate chain, click on the plus sign (+) in front of the certificate’s nickname to expand the view.

  7. Click the nickname of the certificate to view its details.

  8. Click Cancel.

4.6.4 Replacing a Trusted Root Certificate

This task allows you to replace a Trusted Root Certificate that is stored in the Trusted Root object. This task should be performed if the Trusted Root Certificate has expired.

You can replace a Trusted Root Certificate from the Trusted Root object's property page.

  1. Launch iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Section B.0, Entry Rights Needed to Perform Tasks.

  3. On the Roles and Tasks menu, click Directory Administration > Modify Object.

  4. Browse to and click the Trusted Root object you want to replace.

  5. Click OK.

  6. Select the certificate, then click Replace.

  7. Browse for and select the new Trusted Root certificate.

  8. Click OK.

4.6.5 Validating a Trusted Root Object

If you suspect a problem with a certificate or think that it might no longer be valid, you can easily validate the certificate by using iManager. Any certificate in the eDirectory tree can be validated, including certificates issued by external CAs.

The certificate validation process includes several checks of the data in the certificate as well as the data in the certificate chain. A certificate chain is composed of a root CA certificate and, optionally, the certificates of one or more intermediate CAs.

A result of Valid means that all certificates in the certificate chain were found to be valid. Certificates are considered valid if they pass a predefined set of criteria including whether the current time is within the validity period of the certificate, whether it has not been revoked, and whether it has been signed by a CA that is trusted. Only those certificates with a CRL distribution point extension or an OCSP AIA extension are checked for revocation.

A result of Invalid means that one or more certificates in the certificate chain were found to be invalid or their validity could not be determined. Additional information is provided in these cases about which certificate is considered invalid and why. Click Help for more information about the reason.

To validate a Trusted Root certificate:

  1. Launch iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Section B.0, Entry Rights Needed to Perform Tasks.

  3. On the Roles and Tasks menu, click Directory Administration > Modify Object.

  4. Browse to and click the Trusted Root object you want to validate.

  5. Click OK.

  6. Select the certificate, then click Validate.

    The status of the certificate is provided in the Certificate Status field. If the certificate is not valid, the reason is given.

NOTE: If the certificate in the object is not self-signed, its certificate chain must be in the Trusted Roots container in the Security container (CN=Trusted Roots.CN=Security) for the validation to succeed. Typically, the certificate chain consists of a single, root-level CA or it consists of an Intermediate CA and a root-level CA. The name of the Trusted Roots container must be Trusted Roots and each certificate in the chain must be stored in its own Trusted Root object. For instructions on how to create a Trusted Roots container and Trusted Root objects, see Creating a Trusted Root Container and Creating a Trusted Root Object.
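As an added example (not part of this documentation and not NetIQ/Novell code), the following Go program models the Valid/Invalid result described above with the standard crypto/x509 verifier: the container argument stands in for the Trusted Roots container (one Trusted Root object per certificate, self-signed entries acting as roots, the rest as intermediates), the checks are validity period and a chain to a trusted issuer, and the boolean reports whether the certificate carries a CRL distribution point or OCSP AIA extension, i.e. whether a revocation check could apply at all. All certificates, names and the CRL URL are constructed test data; no CRL or OCSP responder is actually contacted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert builds a CA certificate valid for hoursValid hours (negative = already expired) with an
// optional CRL distribution point; parent == nil yields a self-signed root. Constructed test data.
func mkCert(cn string, hoursValid int, crl []string, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-48 * time.Hour), NotAfter: time.Now().Add(time.Duration(hoursValid) * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, CRLDistributionPoints: crl}
	if parent == nil {
		parent, pkey = tmpl, key // self-signed root
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Validate mirrors the iManager checks: container holds the Trusted Root objects (self-signed
// entries act as roots, the rest as intermediates). It returns the status text and whether
// revocation could be checked at all, i.e. a CRL distribution point or OCSP AIA is present.
func Validate(cert *x509.Certificate, container ...*x509.Certificate) (string, bool) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range container {
		if c.CheckSignatureFrom(c) == nil {
			roots.AddCert(c)
		} else {
			inters.AddCert(c)
		}
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil { // validity period, chain to a trusted root, signatures
		return "Invalid: " + err.Error(), false
	}
	return "Valid", len(cert.CRLDistributionPoints) > 0 || len(cert.OCSPServer) > 0
}

func main() {
	root, rootKey := mkCert("Root CA", 24, nil, nil, nil)
	inter, _ := mkCert("Intermediate CA", 24, []string{"http://crl.example.invalid/ca.crl"}, root, rootKey)
	fmt.Println(Validate(inter, root, inter)) // chain present in container, CRL DP allows a revocation check
	old, _ := mkCert("Expired Root", -1, nil, nil, nil)
	fmt.Println(Validate(old, old)) // outside its validity period, so Invalid
}
```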

4.6.6 Revoking a Trusted Root Certificate

You might find it necessary to revoke a certificate if the key or the CA becomes compromised, if the certificate has been superseded by another certificate, if the certificate is removed from the CRL, if operation has ceased, and so on.

  1. Launch iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Section B.0, Entry Rights Needed to Perform Tasks.

  3. On the Roles and Tasks menu, click Directory Administration > Modify Object.

  4. Browse to and click the Trusted Root object you want to modify.

  5. Click OK.

  6. Select the certificate, then click Revoke.

    This starts the Revoke Certificate Wizard. Follow the prompts to revoke the certificate.

  7. Click Finish.