000018806 - How to use any client certificate as an Administrator in another KCA installation?

Document created by RSA Customer Support Employee on Jun 16, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000018806
Applies ToKeon Certificate Authority
IssueHow to use any client certificate as an Administrator in another KCA installation?
There are two Keon CA installations on two different machines, say KCA-A and KCA-B.  KCA-A issued a client certificate.  This client certificate needs to be configured as an administrator for KCA-B.
ResolutionTo configure a client certificate, issued from one KCA-A, to become an administrator in another KCA (KCA-B), the following steps are to be taken:

1. Create and issue a certificate from KCA-A.
2. On KCA-B, from 'CA Operations' workbench, click on 'Trust CA certificate'  in the Navigation Area under 'External CAs' section.
3. Enter the 'CA Nickname', 'Host name', 'Port' (if this is a non-RSA CA, the port must point to LDAP and not to SSL-LDAP) and enable 'Non-RSA Security CA'.  Lastly, paste the PEM of the CA in the specified text area (including header and footer) then click 'Trust this CA' button.  If the configuration is correct, the system will display a "#" sign beside the CA Nickname in the Navigation Area.
4. Restart KCA-B.
5. On KCA-A, generate a CRL for the trusted CA.  (From 'CA Operations', view the trusted CA and click on 'Generate CRL' button at the bottom of the page.) Copy the CRL PEM including the header and footer.
6. On KCA-B, from 'CA Operations', view the trusted CA.  Using the vertical scroll bar, search for and click the 'Import' button under 'CRL Operations:' section.
7. Under 'Manually Import a CRL:' screen, paste the CRL PEM (from step 5) into the text area and click 'Import this CRL'. If the import is successful, the system will display the message "CRL import successful".
8. Click on 'System Configuration'. Click on "/ca/" ACL object. Add a new rule with the MD5 hash of the certificate created in step 1.  To do that, click the "+" sign  which is beside the 'Rules' box.  For 'Access granted by this rule:' choose 'Read'. Under the Graphical Rule Editor, select "Client" then select "CA's MD5 digest" and choose "is".  Lastly, paste the MD5 on the last field. Click "Commit rule changes" then click "Save ACL..." button.
9. Add a new rule for "/inst-forms/" ACL object using the same MD5 value.
10. Now you will be able to connect to KCA-B administrative interface using the certificate created in step 1.
Legacy Article IDa3514