Secure Global Desktop Administration Guide > Security > Can I chain Certificate Authority certificates?
Chaining allows the use of intermediate Certificate Authorities. For example, an X.509 server certificate could be signed by an intermediate Certificate Authority, whose own certificate is issued by a different Certificate Authority.
You can use X.509 server certificates that are signed in this way with Secure Global Desktop. However, certificates for all the links in the chain must be installed as a Secure Global Desktop custom Certificate Authority.
To do this, combine all the certificates as input to the
tarantella security customca
command. The certificate of the CA used to sign the X.509 server
certificate must appear first.
For the example above, you could create a file
mychainedcerts.pem
containing:
-----BEGIN CERTIFICATE----- ... Intermediate CA's certificate ... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ... CA root certificate ... -----END CERTIFICATE-----
You would install this with the command:
tarantella security customca --rootfile mychainedcerts.pem
If any certificate in the chain is corrupt or invalid, users will see "Certificate Authority not recognized" when they try to log in to Secure Global Desktop, and will be denied access.
Copyright © 1997-2006 Sun Microsystems, Inc. All rights reserved.