Defining a CA trust list for an application

Applications that support the use of certificates for client authentication during a Secure Sockets Layer (SSL) session must determine whether to accept a certificate as valid proof of identity. One of the criteria that an application uses for authenticating a certificate is whether the application trusts the Certificate Authority (CA) that issued the certificate.

You can use Digital Certificate Manager (DCM) to define which CAs an application can trust when it performs client authentication for certificates. You manage the CAs that an application trusts through a CA trust list. A CA trust list ensures that the application can validate only those certificates from CAs that you specify as trusted. If users or a client application present a certificate from a CA that is not specified as trusted in the CA trust list, the application does not accept it as a basis for valid authentication.

A CA trust list is only needed if a subset of the CAs in the *SYSTEM store are trusted by the application definition. By default, there is no CA trust list and all enabled CAs in the *SYSTEM store are trusted. Before you can specify individual CAs as trusted, the definition for the application must specify that a CA trust list is defined for the application. If the definition for the application indicates that a CA trust list is defined and no CAs are included in the CA trust list, all enabled CAs in the *SYSTEM store are trusted.

When you add a CA to the trust list for an application, you must ensure that the CA is enabled as well.

To define a CA trust list for an application, follow these steps:

  1. Start DCM. Refer to Starting DCM.
  2. Click Select a Certificate Store and select *SYSTEM as the certificate store to open.
    Note: If you have questions about how to complete a specific form in this guided task, select the question mark (?) at the top of the page to access the online help.
  3. When the Certificate Store and Password page displays, provide the password that you specified for the certificate store when you created it and click Continue.
  4. In the navigation frame, select Manage Applications to display a list of tasks.
  5. From the task list, select Define CA trust list.
  6. Select the type of application (server or client) for which you want to define the list and click Continue.
  7. Select an application from the list and click Continue to display a list of CA certificates that you use to define the trust list.
    Note: In order for an application to show up in the list, Define the CA trust list must be set to Yes on the application definition.
  8. Select the CAs that the application will trust and click OK. DCM displays a message to confirm your trust list selections.
    Note: You can select individual CAs from the list. Also, you can view or validate the CA certificate before you add it to the trust list.