Symantec Access Management

  • 1.  What type of cert(usage) is needed for CA Directory to use SSL?

    Posted Dec 08, 2015 09:34 AM

    What type of cert(usage) is needed for CA Directory to use SSL?


    I understand that certs are created for special usage, I have read about Usage Extension Flags.


    We are trying to use a cert from a private Certificate Authority that is not quite like a self-signed CERT and it is also not a commercial CERT; it is somewhere in between.

    We have been told to "get a CERT", unfortunately that is too generic.  We need to know what CA Directory requires within the CERT for it to work.  Is it a generic Server CERT?  Is it an Authentication CERT?


    Any help would be appreciated.


    Doug



  • 2.  Re: What type of cert(usage) is needed for CA Directory to use SSL?

    Posted Dec 08, 2015 10:32 AM

    Hi Doug,


    I believe it uses the Server Cert for it to be configured along with the root cert.


    We add the server certificate to the certificate database.

    The link below should give more details:

    CA SiteMinder® Integrated Documents 12.52


    Regards,

    Prakhar



  • 3.  Re: What type of cert(usage) is needed for CA Directory to use SSL?

    Posted Dec 08, 2015 09:17 PM

    As far as certificate usage goes, the DSA personality certificate $DXHOME/config/ssld/personalities/{dsa_name}.pem requires the following:

    Key Usages: DIGITAL_SIGNATURE, KEY_AGREEMENT, KEY_ENCIPHERMENT

    Certificate Usages: SSL_CLIENT, SSL_SERVER


    Notes

    * The client certificate usage is required so that two DSAs can communicate with each other. In this case the DSAs authenticate with each other using certificate-based authentication.

    * The SubjectDN of the certificate for each DSA *must* be the same as the "dsa-name" field from the knowledge file for each DSA you are generating a certificate for; otherwise, the DSAs will not be able to communicate.

    * CA Directory ships with a certificate generation tool: running "dxcertgen certreq" will create a certificate signing request based on the DSA configuration. A certificate authority can then be used to generate and sign a certificate, which can then be imported using "dxcertgen certmerge", where the certificate is merged with the private key created when the CSR was generated to form a personality PEM file.

    * The public certificate for the root CA (and any intermediate certificates) should be imported into $DXHOME/config/ssld/trusted.pem.
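A quick way to verify a signed certificate against the requirements in this reply before running "dxcertgen certmerge", written as an added example (not code from the thread or from CA Directory): it reads the text form of the certificate and reports any missing usage, or a subject that differs from the dsa-name. The knowledge-file DN syntax `<c AU><o Democorp><cn Democorp>` and the OpenSSL text layout it parses are assumptions.

```python
"""Check a DSA personality certificate for the key usages, certificate
usages and subject DN the reply lists. Input is `openssl x509 -noout -text`
output; dsa_name is in the (assumed) knowledge-file form <c AU><o X><cn Y>."""
import re

# OpenSSL's display names for the usages the reply requires.
REQUIRED_KEY_USAGE = {"Digital Signature", "Key Agreement", "Key Encipherment"}
REQUIRED_EXT_KEY_USAGE = {"TLS Web Server Authentication",
                          "TLS Web Client Authentication"}

def extension_values(text, header):
    """Comma-separated values on the line after e.g. 'X509v3 Key Usage: critical'."""
    m = re.search(r"^\s*" + re.escape(header) + r":.*\n\s*(.+)$", text, re.M)
    return {v.strip() for v in m.group(1).split(",")} if m else set()

def openssl_subject(text):
    """'C = AU, O = Democorp, CN = X' -> [('C','AU'), ('O','Democorp'), ('CN','X')]"""
    m = re.search(r"^\s*Subject:\s*(.+)$", text, re.M)
    if not m:
        return []
    pairs = [rdn.split("=", 1) for rdn in m.group(1).split(",")]
    return [(a.strip().upper(), v.strip()) for a, v in pairs]

def knowledge_dn(dsa_name):
    """'<c AU><o Democorp><cn X>' -> the same tuple list as openssl_subject."""
    return [(a.upper(), v) for a, v in re.findall(r"<(\w+)\s+([^>]+)>", dsa_name)]

def check_dsa_certificate(text, dsa_name):
    """Return the list of problems found; an empty list means the cert passes."""
    problems = []
    for header, required in (("X509v3 Key Usage", REQUIRED_KEY_USAGE),
                             ("X509v3 Extended Key Usage", REQUIRED_EXT_KEY_USAGE)):
        missing = required - extension_values(text, header)
        if missing:
            problems.append(f"{header} missing: {', '.join(sorted(missing))}")
    if openssl_subject(text) != knowledge_dn(dsa_name):
        problems.append("subject DN does not match dsa-name " + dsa_name)
    return problems

# Constructed (abridged) openssl output for a certificate that passes.
SAMPLE_OK = """\
        Subject: C = AU, O = Democorp, CN = Democorp
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
"""
# Constructed sample: a plain server certificate issued to the wrong name.
SAMPLE_BAD = SAMPLE_OK.replace("CN = Democorp", "CN = host01") \
                      .replace(", TLS Web Client Authentication", "")
```

Feed it the output of `openssl x509 -noout -text -in $DXHOME/config/ssld/personalities/<dsa_name>.pem` together with the dsa-name from the knowledge file.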