Defining a CA trust list for an application
Applications that support the use of certificates for client authentication during a Transport Layer Security (TLS) session must determine whether to accept a certificate as valid proof of identity. One of the criteria that an application uses for authenticating a certificate is whether the application trusts the Certificate Authority (CA) that issued the certificate.
You can use Digital Certificate Manager (DCM) to define which CAs an application can trust when it performs client authentication for certificates. You manage the CAs that an application trusts through a CA trust list. A CA trust list ensures that the application can validate only those certificates from CAs that you specify as trusted. If users or a client application present a certificate from a CA that is not specified as trusted in the CA trust list, the application does not accept it as a basis for valid authentication.
A CA trust list is only needed if a subset of the CAs in the *SYSTEM store are trusted by the application definition. By default, there is no CA trust list and all enabled CAs in the *SYSTEM store are trusted. Before you can specify individual CAs as trusted, the definition for the application must specify that a CA trust list is defined for the application. If the definition for the application indicates that a CA trust list is defined and no CAs are included in the CA trust list, all enabled CAs in the *SYSTEM store are trusted.
When you add a CA to the trust list for an application, you must ensure that the CA is enabled as well.
To define a CA trust list for an application, follow these steps:
- Start DCM. Refer to Starting DCM.
- Click Open Certificate Store and select
*SYSTEM as the certificate store to open. Note: If you have questions about how to complete a specific form in this guided task, select the question mark (?) at the top of the page to access the online help.
- When the Certificate store and password page displays, provide the password that you specified for the certificate store when you created it and click Open.
- In the top navigation frame, select Manage Application Definitions to display a list of tasks.
- Search for the application tile from the list, expand the actions for the application
tile by clicking +, and verify that Define CA Trust
action is available.
Note: In order for an application tile to display the Define CA Trust action,
Define the CA Trust Listmust be set to Yes. If Define CA Trust is not available, perform these steps to enable the Define CA Trust action.
- Select Update from the application tile actions.
- Change the
Define the CA Trust Listattribute to Yes.
- Click Update to store the changed attribute.
- Expand the actions for the application tile by clicking + and select Define CA Trust.
- Select the CAs that the application will trust and click Define.
DCM displays a status message to confirm your trust list selections.
Note: You can select individual CAs from the list. Also, you can view the CA certificate before you add it to the trust list.