Using Trusted Server CAs
This topic describes trusted server certificate authorities (CAs).
Understanding Trusted Server CAs
All the trusted root CAs for the Web certificates installed in Internet Explorer are preinstalled. You might need to install a trusted server CA for additional Web servers in the following situations:
- If you are using third-party integrity measurement verifiers (IMVs) that are installed on a remote server, you must upload the trusted root certificate of the CA that signed the remote server’s server certificate.
- If you are using virus signature version monitoring with your own staging site for storing the current virus signatures list, you must upload the trusted root certificate of the CA that signed the staging server certificate.
You can install the trusted root CA certificate on the endpoint in any of the following ways:
- Use a CA certificate that is chained to a root certificate that is already installed on the endpoint, such as VeriSign.
- Upload the CA certificate and any intermediate CA certificates to the Ivanti Secure Access Client system. During client installation, the system automatically installs the trusted root device CA certificates on the endpoint. When prompted during installation, the user must allow the installation of the CA certificate(s).
- Prompt users to import the CA certificates on the endpoint using Internet Explorer or other Microsoft Windows tools. In other words, you can use common methods organizations use to distribute root certificates.
You cannot use CRL revocation checks for trusted server CA certificates.
Uploading Trusted Server CA Certificates
You can use the Trusted Server CAs page to upload the trusted root certificate of the CA that signed the Ivanti Secure Access Client service device certificate. If you upload a certificate chain, you must install the certificates one at a time in descending order starting with the root certificate (DER or PEM files), or you must upload a single file that contains the entire certificate chain (PEM files only). The system supports X.509 CA certificates in PEM (Base64) and DER (binary) encoded formats.
To upload CA certificates:
- Select System > Configuration > Certificates > Trusted Server CAs to display the page.
- Click Import Trusted Server CA to display the page.
- Browse to the certificate file, select it, and click Import Certificate to complete the import operation.
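A pre-upload check for the ordering rule above, as an added example that is not part of the Ivanti documentation: it splits a PEM bundle into DER certificates (for one-at-a-time upload) and confirms that the first is self-issued and that each later certificate names the previous certificate's subject as its issuer. The function names are hypothetical, and the check compares issuer and subject names only; it does not verify signatures.

```python
import ssl

def _tlv(buf, pos):
    """Read one DER TLV header at pos; return (tag, value_start, value_end)."""
    length = buf[pos + 1]
    start = pos + 2
    if length & 0x80:                       # long-form length: next n bytes
        n = length & 0x7F
        length = int.from_bytes(buf[start:start + n], "big")
        start += n
    return buf[pos], start, start + length

def issuer_subject(der):
    """Return the raw DER (issuer, subject) Name encodings of a certificate."""
    _, p, _ = _tlv(der, 0)                  # Certificate SEQUENCE
    _, p, _ = _tlv(der, p)                  # TBSCertificate SEQUENCE
    tag, _, end = _tlv(der, p)
    if tag == 0xA0:                         # optional [0] version (absent in v1)
        _, _, end = _tlv(der, end)          # serialNumber
    _, _, i0 = _tlv(der, end)               # signature AlgorithmIdentifier
    _, _, i1 = _tlv(der, i0)                # issuer Name
    _, _, s0 = _tlv(der, i1)                # validity
    _, _, s1 = _tlv(der, s0)                # subject Name
    return der[i0:i1], der[s0:s1]

def split_pem(bundle):
    """Split a PEM bundle into DER certificates, preserving file order."""
    head, foot = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
    ders = []
    for chunk in bundle.split(head)[1:]:
        body = chunk.split(foot)[0]
        ders.append(ssl.PEM_cert_to_DER_cert(head + body + foot))
    return ders

def check_root_first(bundle):
    """Return a list of ordering problems; empty means root-first order.
    Name comparison only: signatures are NOT verified here."""
    names = [issuer_subject(d) for d in split_pem(bundle)]
    if not names:
        return ["no certificates found"]
    problems = []
    if names[0][0] != names[0][1]:
        problems.append("certificate 1 is not self-issued (not a root)")
    for i in range(1, len(names)):
        if names[i][0] != names[i - 1][1]:
            problems.append(f"certificate {i + 1} is not issued by certificate {i}")
    return problems
```

Each element returned by `split_pem` can be written to its own `.der` file when the certificates are uploaded one at a time.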
Restoring the Prepopulated Group of Trusted Server CA Certificates
The System > Configuration > Certificates > Trusted Server CAs page is prepopulated with some of the trusted root CAs for the Web certificates installed in Internet Explorer and Windows. You can use the delete functionality on this page to delete CAs and the reset functionality to restore the list to the set that was installed during the upgrade. The reset operation clears all manually imported certificates.
To restore the prepopulated group of trusted CA certificates:
- Select System > Configuration > Certificates > Trusted Server CAs.
- Click Reset Trusted Server CAs.
- Confirm that you want to restore the set of trusted server CAs that was installed when you upgraded.
Renewing a Trusted Server CA Certificate
If a trusted CA renews its certificate, you must upload the renewed CA certificate.
To import a renewed CA certificate:
- Select System > Configuration > Certificates > Trusted Server CAs.
- Click the link that corresponds to the certificate that you want to renew to display the page.
- Click Renew Certificate.
- Browse to the certificate file, select it, and click Import Certificate to complete the import operation.
Deleting a Trusted Server CA Certificate
You can delete any trusted server CA certificate, including preinstalled certificates.
To delete a trusted server CA certificate:
- Select System > Configuration > Certificates > Trusted Server CAs.
- Select the check box for the certificate you want to delete.
- Click Delete, and then confirm that you want to delete the certificate.