5.4 Using Multiple Certificate Authorities

The Multi CA feature extends mutual SSL authentication to trust alternate Certificate Authorities (CAs): the iChain proxy can accept user certificates signed by a CA other than the one that signed the iChain server certificate.

For example, if your iChain server certificate is signed by a VeriSign CA, the Multi CA feature lets users whose certificates are signed by a Baltimore CA or an Entrust CA access your system, provided the Baltimore and Entrust CA (trusted root) certificates are installed in your LDAP tree. Keep in mind that every CA you install this way becomes a trust anchor for client authentication: the proxy accepts any user certificate that CA issues, so add only CAs you trust to vouch for your users' identities.

5.4.1 Configuring Multi CAs

To configure Multi CAs, you need to place the alternate CA certificates into your LDAP tree, then configure the iChain proxy to use a specified trusted root container, as described below in Placing Alternate CA Certificates Into Your LDAP Tree, and Configuring the iChain Proxy Server to Use a Specified Trusted Root.

Placing Alternate CA Certificates Into Your LDAP Tree

  1. From ConsoleOne, select the Security object located at the root of your LDAP tree.

  2. Select File > New > New Object

    or

    Click the New Object icon.

  3. Select NDSPKI:Trusted Root, then click OK.

  4. Define a name for the trusted root container (for example, iChain Roots), then click OK.

  5. Select the object you just created (for example, the iChain Roots object).

  6. Select File > New > New Object

    or

    Click the New Object icon.

  7. Select NDSPKI:Trusted Root Object, then click OK.

  8. Define a name for the trusted root object (for example, Baltimore CA), then click OK.

  9. Click the Read from File button, browse your system for the trusted root certificate, then import it into the dialog box

    or

    Paste your trusted root certificate into the dialog box.

    To use this option, the certificate must be in a text (Base64-encoded) form. Open the trusted root certificate in a text editor or some other program, copy the contents to the clipboard, then paste the contents in the box.

  10. Click Finish.

    If you want to add more trusted root certificates, repeat Step 5 through Step 10 for each certificate.

Configuring the iChain Proxy Server to Use a Specified Trusted Root

  1. From ConsoleOne, click the Trusted Root Container tab on the iChain Security object (ISO) you previously created for this configuration.

  2. Using the Browse button, browse to the trusted root container previously created (see Placing Alternate CA Certificates Into Your LDAP Tree), then click OK.

    or

    Specify the complete name of the previously created trusted root container (for example, iChain Roots.Security).

  3. Click OK.
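As an added illustration (not part of the iChain documentation and not iChain's own code), the following Go program models what the configuration above achieves. A trusted root container holds the server's CA plus one alternate CA; a user certificate issued by the alternate CA is accepted, a user certificate issued by a CA that was never imported is rejected, and the import step refuses a certificate that is not a CA certificate, which is the check worth making before trusting a file someone hands you. The CA names, user names, and the TrustedRootContainer type are constructed for this example; all keys and certificates are generated in memory when it runs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCA makes a self-signed CA certificate; one of these models the contents
// of one NDSPKI:Trusted Root Object in the container (constructed for the example).
func newCA(name string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newUserCert issues a client-authentication certificate for user, signed by ca.
func newUserCert(user string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1000),
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// TrustedRootContainer models the "iChain Roots" container the ISO points at (hypothetical type).
type TrustedRootContainer struct{ pool *x509.CertPool }

func NewTrustedRootContainer() *TrustedRootContainer {
	return &TrustedRootContainer{pool: x509.NewCertPool()}
}

// AddRoot is the import step; it refuses anything that is not a CA certificate.
func (c *TrustedRootContainer) AddRoot(cert *x509.Certificate) error {
	if !cert.BasicConstraintsValid || !cert.IsCA {
		return fmt.Errorf("%q is not a CA certificate; refusing to add it as a trusted root", cert.Subject.CommonName)
	}
	c.pool.AddCert(cert)
	return nil
}

// AcceptUserCert is the decision made during mutual SSL: the user certificate
// is accepted only if it chains to some root in the container.
func (c *TrustedRootContainer) AcceptUserCert(user *x509.Certificate) error {
	_, err := user.Verify(x509.VerifyOptions{
		Roots:     c.pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// ScenarioResult records the outcome of the three checks in RunScenario.
type ScenarioResult struct {
	AltCAUserAccepted     bool // user cert issued by a CA that is in the container
	UnknownCAUserRejected bool // user cert issued by a CA that was never imported
	LeafRefusedAsRoot     bool // a non-CA certificate offered as a trusted root
}

// RunScenario builds the setup from the text: the server's CA and one alternate
// CA in the container, and a third CA that is never imported.
func RunScenario() (ScenarioResult, error) {
	var res ScenarioResult
	serverCA, _, err := newCA("Server CA (VeriSign stand-in)", 1)
	if err != nil {
		return res, err
	}
	altCA, altKey, err := newCA("Alternate CA (Baltimore stand-in)", 2)
	if err != nil {
		return res, err
	}
	unknownCA, unknownKey, err := newCA("Unknown CA (never imported)", 3)
	if err != nil {
		return res, err
	}
	roots := NewTrustedRootContainer()
	if err := roots.AddRoot(serverCA); err != nil {
		return res, err
	}
	if err := roots.AddRoot(altCA); err != nil {
		return res, err
	}
	altUser, err := newUserCert("alice", altCA, altKey)
	if err != nil {
		return res, err
	}
	res.AltCAUserAccepted = roots.AcceptUserCert(altUser) == nil
	unknownUser, err := newUserCert("mallory", unknownCA, unknownKey)
	if err != nil {
		return res, err
	}
	var uae x509.UnknownAuthorityError
	res.UnknownCAUserRejected = errors.As(roots.AcceptUserCert(unknownUser), &uae)
	// A leaf certificate pasted into the dialog by mistake must not become a trust anchor.
	res.LeafRefusedAsRoot = roots.AddRoot(altUser) != nil
	return res, nil
}

func main() {
	res, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", res)
}
```

The point of the third check is the one that matters operationally: whatever you paste or read into the NDSPKI:Trusted Root Object becomes a trust anchor, so confirm the file is the CA's own certificate (basic constraints CA:TRUE) and that its fingerprint matches what the CA publishes before you click Finish.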

Define the Location of the Trusted Root Container for all Trusted Roots

This option lets you set the location of the Trusted Root container in which all the trusted roots are stored. You normally configure this setting on the ISO object, but this set command provides the same option from the iChain CLI. If mutual (client certificate) authentication fails with an error after you configure it on the ISO, setting the container location here can resolve the problem.

  1. Open the Command Line interface.

  2. Set the following parameter to the full name of the trusted root container (for example, iChain Roots.Security):

    set authentication mutual mutual trustedrootfile = <trusted_root_container>
    
  3. Apply the option.