Adding a certificate authority

An external user certificate authority (CA) can be entered for PKI authentication.

About this task

Note: Every CA is associated with a particular domain of authority that is called a realm. To limit the damage if a CA is compromised, a CA that belongs to one realm is not trusted to issue certificates for devices or users in other realms. The security of users or devices that belong to other realms is therefore not impacted.

Within the system, all devices must belong to a realm that uses the reserved name network. When a CA is selected to be used for issuing device certificates, the CA is automatically associated with the network realm. When a CA is used only for issuing user certificates, the name of the realm is arbitrary and up to the Administrator to select.

Procedure

  1. Select the Device or User Certificates to be entered.
    For a User CA, also enter the Realm, which must be provided by the group administrator. A Realm allows multiple independent logical PKIs and provides an extra layer of security.
  2. Paste the PEM-encoded X.509 certificate into the prompt field and click Save / Finish.

    Two check boxes are seen here. One allows the CA to issue certificates for all devices (Slicestor®, Accesser®, and Manager devices). The second check box allows the CA to issue certificates for users.

    Use the format that is shown here.
    
    -----BEGIN CERTIFICATE-----
    MIICgjCCAeugAwIBAgIBBDANBgkqhkiG9w0BAQQFADBTMQswCQYDVQQGEwJVUzEc
    MBoGA1UEChMTRXF1aWZheCBTZWN1cmUgSW5jLjEmMCQGA1UEAxMdRXF1aWZheCBT
    . . . .
    zfmpTMANmvPMZWnmJXbMWbfWVMMdzZmsGd20hdXgPfxiIKeES1hl8eL5lSE/9dR+
    WB5Hh1Q+WKG1tfgq73HnvMP2sUlG4tega+VWeponmHxGYhTnyfxuAxJ5gDgdSIKN
    /Bf+KpYrtWKmpj29f5JZzVoqgrI3eQ==
    -----END CERTIFICATE-----

    Multiple certificates can be entered by using the Begin and End delimiters for each certificate separately.
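
A pre-flight check for the text pasted in step 2, as an added example that is not part of the product or its documentation: it confirms that each certificate has its own BEGIN/END pair and decodes to a single DER structure, and returns SHA-256 fingerprints to compare with the values supplied by the CA owner. The function names and the SAMPLE placeholder are assumptions made for illustration; the check covers framing only and does not validate signatures or CA constraints.

```python
import base64
import hashlib

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
# Constructed placeholders: two 5-byte DER SEQUENCEs, not real certificates.
SAMPLE = f"{BEGIN}\nMAMCAQE=\n{END}\n{BEGIN}\nMAMCAQI=\n{END}\n"

def der_length_ok(der: bytes) -> bool:
    """True if der is exactly one outer ASN.1 SEQUENCE with a definite length."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    n = der[1]
    if n < 0x80:                      # short-form length
        return 2 + n == len(der)
    n &= 0x7F                         # long form: n length octets follow
    return 1 <= n <= 4 and 2 + n + int.from_bytes(der[2:2 + n], "big") == len(der)

def split_pem_bundle(text: str) -> list:
    """Return the DER bytes of each block; raise ValueError on bad framing."""
    ders, inside, b64 = [], False, []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == BEGIN:
            if inside:
                raise ValueError(f"line {no}: BEGIN inside an open block")
            inside, b64 = True, []
        elif line == END:
            if not inside:
                raise ValueError(f"line {no}: END without BEGIN")
            try:
                der = base64.b64decode("".join(b64), validate=True)
            except ValueError:        # binascii.Error subclasses ValueError
                raise ValueError(f"line {no}: body is not valid base64") from None
            if not der_length_ok(der):
                raise ValueError(f"line {no}: body is not one DER SEQUENCE")
            ders.append(der)
            inside = False
        elif inside:
            b64.append(line)
        elif line:
            raise ValueError(f"line {no}: text outside certificate delimiters")
    if inside:
        raise ValueError("unterminated certificate block")
    return ders

def fingerprints(text: str) -> list:
    """SHA-256 of each DER body, for comparison with the CA owner's value."""
    return [hashlib.sha256(d).hexdigest() for d in split_pem_bundle(text)]
```

A body that still contains an elision such as `. . . .` is rejected as invalid base64, so the abbreviated sample above does not pass this check as written.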