

Basic Host Identity Certificates
Every CA ITCM node has a certificate that provides Basic Host Identity (BHI) installed by default. Other certificates for specialized purposes are installed with the services that require them (see "Current Certificates"). The installation of CA IT Client Manager comes with a default standard certificate signed by a CA ITCM root certificate. This certificate is installed on every CA ITCM node within the enterprise.
We recommend that end users plan to create their own root certificate, Basic Host Identity (BHI) certificates, and application-specific certificates. See "How You Introduce Your Own X.509 Certificates into the Install Image" for information on replacing the default certificates with end user-specific certificates.
When creating new BHI certificates, there are three primary paradigms:
- Create a single host identity certificate that is used on all CA ITCM nodes within the enterprise. This is the simplest solution, as the custom install image will only have to be generated once to create a tailored package.
- Create a unique host identity certificate for each individual node in the DSM enterprise. This is the most complex solution. The DN assigned to each node should be unique and reflect the identity of the host machine. A fully qualified host name is usually suitable for this purpose. A custom installation image will be required to install the appropriate certificate file onto the target machine.
- A hybrid of the two paradigms above. Create a single host identity certificate for use on the majority of the CA ITCM nodes. Create tailored identity certificates for use on DSM scalability server and manager nodes. When a requirement for a tailored certificate is identified, issue a new certificate and install it on the specified node. This is the most flexible solution. Important nodes in the enterprise are more effectively identified and protected.
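The hybrid paradigm can be planned from a node inventory before any certificate is issued. The following is an added example, not CA code and not part of the product documentation; the role names, the shared DN, the organization name, and the sample inventory are constructed assumptions.

```python
# Assumptions (not CA ITCM values): role names, DN layout and the inventory below.
TAILORED_ROLES = {"manager", "scalability_server"}
SHARED_DN = "CN=itcm-shared-bhi,O=Example Corp"  # constructed placeholder DN

# Constructed sample inventory: (host name, role)
SAMPLE_INVENTORY = [
    ("dsm-mgr01.corp.example", "manager"),
    ("ss-emea01.corp.example", "scalability_server"),
    ("ss-apac", "scalability_server"),         # short name, not fully qualified
    ("wks-1001.corp.example", "agent"),
    ("wks-1002.corp.example", "agent"),
    ("DSM-MGR01.corp.example", "manager"),     # same host listed twice
]


def is_fqdn(host):
    """True when the name has at least two non-empty dot-separated labels."""
    labels = host.rstrip(".").split(".")
    return len(labels) >= 2 and all(labels)


def plan_bhi_certificates(inventory, org="Example Corp"):
    """Return (plan, problems) for the hybrid paradigm.

    plan maps each host to the DN of the BHI certificate it should receive.
    problems lists entries to resolve before a tailored certificate is issued.
    """
    plan, problems = {}, []
    for host, role in inventory:
        host = host.lower()  # host names are case-insensitive
        if host in plan:
            # A repeated entry would put one identity on two inventory rows.
            problems.append(f"{host}: duplicate inventory entry")
        elif role not in TAILORED_ROLES:
            plan[host] = SHARED_DN  # majority of nodes share one certificate
        elif is_fqdn(host):
            plan[host] = f"CN={host},O={org}"  # unique DN from the FQDN
        else:
            problems.append(f"{host}: tailored DN needs a fully qualified host name")
    return plan, problems


def certificates_to_issue(plan):
    """Distinct DNs in the plan: one shared certificate plus each tailored one."""
    return sorted(set(plan.values()))


if __name__ == "__main__":
    plan, problems = plan_bhi_certificates(SAMPLE_INVENTORY)
    print(certificates_to_issue(plan), problems, sep="\n")
```

Each distinct DN in the result corresponds to one certificate file, and therefore one tailored install package, to prepare.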
Copyright © 2013 CA.
All rights reserved.
 