CA SiteMinder® Federation Standalone Guide › Key and Certificate Management › Certificate Authority (CA) Certificate Usage

Certificate Authority (CA) Certificate Usage

The federation system uses Certificate Authority certificates to verify the following items:

• Whether an SSL server certificate for an SSL connection that secures the SAML HTTP-Artifact back channel is trusted.
• For HTTP-Artifact single sign-on, secure the back channel with an SSL connection. The embedded web server for the federation system can verify that the SSL connection is secured by a trusted certificate by validating the certificate of the Certificate Authority. This certificate must be stored in the certificate data store.
• Whether a certificate revocation list is valid.

  CRLs are acquired from a Certificate Authority. The certificate of the corresponding CA is required to validate the CRL before it can be trusted. The CRL is stored in the data store for use at runtime.

A default set of common root and intermediate CA certificates are shipped with the product for these purposes.

Import a CA Certificate

A set of common root and intermediate CAs are included with the product. To use CA certificates that are not in the certificate data store, import them.

Any certificate that you import is treated as a CA certificate. The exceptions are self-signed certificates:

• If the system identifies a V3 self-signed certificate as a non-CA certificate, the certificate is treated as a trusted certificate. This behavior occurs even though you initiated the import from the Import CA Certificate dialog.
• If the system identifies a V1 self-signed certificate, the certificate is treated as a CA certificate.

Note: If you are importing a root CA certificate, import all root CA certificates in the chain if they are part of a trust chain.

To import a CA certificate

1. Log in to the Administrative UI.
2. Select Certs & Keys, Authorities.

   The Certificate Authorities List displays.

3. Click Import New.

   The Import CA Certificate dialog displays.

   Note: Click Help for a description of fields, controls, and their respective requirements.

4. Follow the wizard to import a new entry.
5. At the Confirm step, review the certificate information and click Finish.

The CA certificate is imported into the certificate data store. The change takes place directly after the import is complete.

Important! You cannot delete a CA certificate that is part of a trust chain for other certificates in use on the system. If you try to delete a CA certificate in use, an error message states that the certificate cannot be deleted.

Troubleshoot Certificate Signature Verification for Back Channel Communication

Symptom:

HTTP-Artifact is the profile in use for single sign-on. The asserting party is communicating to the relying party over an SSL back channel. The relying party must verify the signature of the server certificate at the asserting party to communicate over the SSL back channel.

The following error is logged for a failure to verify the signature of the server certificate:

[Dispatcher object thrown unknown exception while processing the request message. Message: Certificate not verified..]

Solution:

The relying party must import the root CA certificate into the certificate data store. This certificate is required to verify the signature of the server certificate at the asserting party. For verification, import the root CA that signed the server certificate.

Verify the following information about the CA certificate that is imported for verification:

• Does the root CA certificate have the same issuer and subject DN? If not, the certificate is an intermediary root CA. Import all root CA certificates in the trusted chain.
• Check that the issuer of the asserting party server certificate matches the subject and issuer of the root CA you have imported.