How to use any client certificate as an Administrator in another KCA installation?
Originally Published: 2001-07-06
Issue
There are two Keon CA installations on two different machines, say KCA-A and KCA-B. KCA-A issued a client certificate. This client certificate needs to be configured as an administrator for KCA-B.
Resolution
1. Create and issue a certificate from KCA-A.
2. On KCA-B, from the 'CA Operations' workbench, click 'Trust CA certificate' in the Navigation Area under the 'External CAs' section.
3. Enter the 'CA Nickname', 'Host name' and 'Port' (if this is a non-RSA CA, the port must point to LDAP and not to SSL-LDAP) and enable 'Non-RSA Security CA'. Lastly, paste the PEM of the CA into the specified text area (including header and footer), then click the 'Trust this CA' button. If the configuration is correct, the system will display a "#" sign beside the CA Nickname in the Navigation Area.
4. Restart KCA-B.
5. On KCA-A, generate a CRL for the trusted CA. (From 'CA Operations', view the trusted CA and click the 'Generate CRL' button at the bottom of the page.) Copy the CRL PEM including the header and footer.
6. On KCA-B, from 'CA Operations', view the trusted CA. Scroll down and click the 'Import' button under the 'CRL Operations:' section.
7. On the 'Manually Import a CRL:' screen, paste the CRL PEM (from step 5) into the text area and click 'Import this CRL'. If the import is successful, the system will display the message "CRL import successful".
8. Click 'System Configuration'. Click the "/ca/" ACL object. Add a new rule with the MD5 hash of the certificate created in step 1. To do that, click the "+" sign beside the 'Rules' box. For 'Access granted by this rule:' choose 'Read'. Under the Graphical Rule Editor, select "Client", then select "CA's MD5 digest" and choose "is". Lastly, paste the MD5 into the last field. Click "Commit rule changes", then click the "Save ACL..." button.
9. Add a new rule for "/inst-forms/" ACL object using the same MD5 value.
10. You will now be able to connect to the KCA-B administrative interface using the certificate created in step 1.
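Steps 3, 5 and 8 depend on pasting complete PEM blocks and an MD5 digest by hand. The following Python sketch is an added example, not part of the original article or of any RSA tooling: it checks that a pasted block still has its header and footer and computes the MD5 digest of the DER encoding. The function names, the constructed sample and the digest formatting (plain or colon-separated hex) are assumptions, since the article does not state which format the rule field expects.

```python
import base64
import hashlib
import re

# One PEM block: header, base64 body, footer carrying the same label.
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*"
    r"(?P<body>[A-Za-z0-9+/=\s]+?)\s*"
    r"-----END (?P=label)-----"
)

def pem_to_der(pem_text, expected_label):
    """Return the DER bytes of the single PEM block in pem_text.

    Raises ValueError if the header or footer is missing, if more than one
    block was pasted, if the label is wrong (e.g. a CRL where a certificate
    was expected), or if the body is not valid base64 of a DER SEQUENCE.
    """
    blocks = list(PEM_RE.finditer(pem_text))
    if len(blocks) != 1:
        raise ValueError(f"expected one complete PEM block, found {len(blocks)}")
    match = blocks[0]
    if match["label"] != expected_label:
        raise ValueError(f"expected {expected_label!r}, got {match['label']!r}")
    der = base64.b64decode("".join(match["body"].split()), validate=True)
    if not der or der[0] != 0x30:  # certificates and CRLs are ASN.1 SEQUENCEs
        raise ValueError("decoded data is not a DER SEQUENCE")
    return der

def md5_digest(pem_text, label="CERTIFICATE", sep=""):
    """MD5 over the DER encoding, as upper-case hex; sep=':' gives AA:BB:..."""
    digest = hashlib.md5(pem_to_der(pem_text, label)).hexdigest().upper()
    return sep.join(digest[i:i + 2] for i in range(0, len(digest), 2))

# Constructed sample: a placeholder SEQUENCE, NOT a real certificate.
FAKE_DER = b"\x30\x0c" + b"constructed!"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(FAKE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print(md5_digest(SAMPLE_PEM))
    print(md5_digest(SAMPLE_PEM, sep=":"))
```

For the CRL copied in step 5, pass `label="X509 CRL"` to `pem_to_der` to confirm the block is complete before importing it.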