When applications are added to RSA SecurID Access using either the HTTP Federation Proxy (HFED) or trusted headers method, the identity routers connect directly to the application web servers. If SSL is enabled for these applications, the application web server must have a valid certificate signed by a certificate authority (CA) that the identity routers trust.
The identity routers automatically trust valid certificates signed by:
- Most well-known CAs. For a complete list of the CAs automatically trusted by the identity routers, see List of Trusted Certificate Authorities for HFED and Trusted Headers Applications.
- The CA that signed the certificates uploaded to the Company Settings section of the Cloud Administration Console. For more information, see Configure Company Information and Certificates.
However, some companies use an internal or lesser-known CA to sign certificates used for their application web servers. To establish trust between the identity router and an internal CA, you can upload one or more CA certificates using the Cloud Administration Console.
The identity routers require that an SSL certificate is valid. Valid SSL certificates contain:
- A signature from a trusted CA
- A name that matches the web server's hostname
- An expiration date that has not passed