Trusted and Untrusted Master Certificates

When you generate an NBA master certificate, two certificates are actually generated, one trusted and one untrusted.

The need for a trusted master certificate is self-evident; it ensures that clients will trust certificates that the NBA generates.

But why generate an untrusted certificate? Because the NBA must sometimes create a certificate that mimics the untrusted, or revoked, certificate provided by a real web site. That is, the NBA sometimes needs to create a certificate that a client’s browser cannot trust. The NBA does this to force the browser to display a certificate error.

The NBA then uses the untrusted, or revoked, master certificate to sign the replacement certificates it generates for SSL servers that the Network Appliance cannot trust, that is, when it detects that a certificate has been revoked or encounters another certificate validation error. For example, the NBA uses the untrusted certificate to sign the certificate it creates when it cannot determine a chain of trust from the certificate provided by a web site to a well-known root certificate, or when a web site’s certificate matches one in the list of revoked certificates on the NBA appliance.
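The following Go program is an added illustration of this two-master scheme, not the appliance's own code: it generates a trusted and an untrusted self-signed master, re-signs a server certificate with whichever master the validation verdict calls for, and checks the result against a client that trusts only the trusted master. The master names, the host name shop.example, the function names and the validity periods are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Master pairs a generated master certificate with its signing key (example type, not the product's).
type Master struct {
	Cert *x509.Certificate
	Key  ed25519.PrivateKey
}

// issue makes a self-signed master when issuer is nil, else a server certificate signed by issuer.
func issue(subject string, issuer *Master) *Master {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: subject},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: issuer == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	parent, signer := tmpl, key // self-signed unless a master is given
	if issuer != nil { // leaf: name the host so the browser's hostname check can pass
		parent, signer = issuer.Cert, issuer.Key
		tmpl.DNSNames, tmpl.KeyUsage = []string{subject}, x509.KeyUsageDigitalSignature
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	cert, _ := x509.ParseCertificate(der)
	return &Master{cert, key}
}

// ReSign issues the certificate the client sees, signed by whichever master the verdict calls for.
func ReSign(host string, originVerified bool, trusted, untrusted *Master) *x509.Certificate {
	master := trusted
	if !originVerified { // no chain to a well-known root, or listed as revoked on the appliance
		master = untrusted
	}
	return issue(host, master).Cert
}

// ClientAccepts models a browser whose root store holds only the trusted master.
func ClientAccepts(leaf *x509.Certificate, trusted *Master, host string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(trusted.Cert)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}
```

A client that has only the trusted master installed accepts the re-signed certificate when the origin validated and rejects it, with a certificate error, when the untrusted master signed it.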

If required, you can install the untrusted master certificate on your clients, adding it to an untrusted certificate list. This forces the client to display additional warnings to the user. However, note that such behavior depends on the client and browser.

Important: You must not install this untrusted or revoked master certificate in a browser’s Trusted Root Certificates list.