How to specify more than one Certificate Authority (CA) and more than one Certificate Revocation List (CRL) for the Certificate Agent?

Document ID : KB000050203
Last Modified Date : 14/02/2018

Description:

This document describes how to configure the SSO Certificate Authorisation Agent to utilise:

  • several rootCA certificates from the same CA
  • several Certificate Authorities
  • several Certificate Revocation Lists

Solution:

To do so, edit the SSO Certificate Authorisation Agent's configuration file CA_certtga.ini as shown in the following sections.

Several rootCA certificates from the same CA

You can specify a comma-separated list of several rootCA certificates in the TrustedNames parameter:

...
VerifyDepth=2
TrustedPath=\\DemoCorpDC\CertEnroll
TrustedNames=DemoCorpDC.DemoCorpDOM.ca.com_DemoCorpPKI(0-1).crt,DemoCorpDC.DemoCorpDOM.ca.com_DemoCorpPKI(1).crt,DemoCorpDC.DemoCorpDOM.ca.com_DemoCorpPKI(1-0).crt,DemoCorpDC.DemoCorpDOM.ca.com_DemoCorpPKI(1-2).crt,DemoCorpDC.DemoCorpDOM.ca.com_DemoCorpPKI(2).crt,DemoCorpDC.DemoCorpDOM.ca.com_DemoCorpPKI(2-1).crt,DemoCorpDC.DemoCorpDOM.ca.com_DemoCorpPKI(2-3).crt,DemoCorpDC.DemoCorpDOM.ca.com_DemoCorpPKI(3).crt,DemoCorpDC.DemoCorpDOM.ca.com_DemoCorpPKI(3-2).crt,DemoCorpDC.DemoCorpDOM.ca.com_DemoCorpPKI.crt
...

Note:

The value of each parameter must be on one single line; a long TrustedNames list must not wrap onto a second line, because only the first line is read as the value.

If you have intermediate CAs, you may need to increase the VerifyDepth parameter accordingly so that the whole chain from the user certificate up to the rootCA can be verified.

Several Certificate Revocation Lists

...
[parameters]
RevocationMeth=CRL
...
[CRL1]
CrlFileName=ldap://ldap.box1.com:389/&...
CrlIssuerCert=C:\Program Files\CA\Certs\vrkqc.cer
[CRL2]
CrlFileName=ldap://ldap.box2.com:389/&...
CrlIssuerCert=C:\Program Files\CA\Certs\TEOPersonnelCA.cer
...

Several Certificate Authorities

...
[OCSP1]
TrustedPath=C:\
TrustedNames=certnew.cer
[OCSP2]
TrustedPath=
TrustedNames=
...

Note: These [OCSPn] sections can be used to list the trusted certificates of several CAs even if no OCSP is in place.
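As an added check, not part of the original article or of the SSO product, the following Python script parses a CA_certtga.ini fragment the way the notes above require: every value on one line, comma-separated TrustedNames lists without empty entries, and every [CRLn] section carrying both CrlFileName and CrlIssuerCert. The sample INI text is constructed for the example, with the TrustedNames value deliberately wrapped over two lines the way a copy-and-paste often leaves it; placing VerifyDepth, TrustedPath and TrustedNames under [parameters], the check rules, and the helper rejoin_wrapped() are assumptions of this example, not documented behaviour of the agent.

```python
"""Lint a CA_certtga.ini fragment for the mistakes the article warns about.
Hypothetical helper written for this example; it is not part of the SSO agent."""
import re
from typing import Dict, List, Optional, Tuple

Sections = Dict[str, Dict[str, str]]

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
KEYVAL_RE = re.compile(r"^([A-Za-z0-9_]+)\s*=(.*)$")


def parse_ini(text: str) -> Tuple[Sections, List[str]]:
    """Strict line-oriented parse: a non-blank line that is neither a section
    header nor Key=Value is reported, because the agent expects each value on
    one line and a wrapped list would lose everything after the line break."""
    sections: Sections = {}
    problems: List[str] = []
    current: Optional[str] = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        m = KEYVAL_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = m.group(2).strip()
            continue
        problems.append(f"line {lineno}: not 'Key=Value' (wrapped value?): {line[:40]}")
    return sections, problems


def rejoin_wrapped(text: str) -> str:
    """Join continuation lines back onto the preceding Key=Value line."""
    out: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        is_continuation = (
            line and not SECTION_RE.match(line) and not KEYVAL_RE.match(line)
            and out and KEYVAL_RE.match(out[-1])
        )
        if is_continuation:
            out[-1] += line
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def _find(sections: Sections, key: str) -> Optional[str]:
    """Return the first value of `key` found in any section, or None."""
    for kv in sections.values():
        if key in kv:
            return kv[key]
    return None


def check_config(sections: Sections) -> List[str]:
    """Apply the consistency rules implied by the article's three scenarios."""
    problems: List[str] = []
    for name, kv in sections.items():
        names_value = kv.get("TrustedNames", "")
        if names_value:
            # Comma-separated list of certificate file names; a stray comma
            # yields an empty entry that can never be loaded.
            if any(not n.strip() for n in names_value.split(",")):
                problems.append(f"[{name}] TrustedNames has an empty entry (stray comma)")
            if not kv.get("TrustedPath"):
                problems.append(f"[{name}] TrustedNames set but TrustedPath is empty")
        if name.upper().startswith("CRL"):
            # Each CRL needs the CRL location and the certificate that signed it.
            for key in ("CrlFileName", "CrlIssuerCert"):
                if not kv.get(key):
                    problems.append(f"[{name}] missing {key}")
    meth = _find(sections, "RevocationMeth") or ""
    if meth.upper() == "CRL" and not any(n.upper().startswith("CRL") for n in sections):
        problems.append("RevocationMeth=CRL but no [CRLn] section defines a CRL")
    depth = _find(sections, "VerifyDepth")
    if depth is not None and (not depth.isdigit() or int(depth) < 1):
        problems.append(f"VerifyDepth must be a positive integer, got {depth!r}")
    return problems


def lint(text: str) -> List[str]:
    """Parse and check; returns a list of human-readable problems (empty if clean)."""
    sections, problems = parse_ini(text)
    return problems + check_config(sections)


# Constructed sample: TrustedNames is wrapped onto line 6 and [CRL2] lacks its issuer.
SAMPLE_BAD = """\
[parameters]
RevocationMeth=CRL
VerifyDepth=2
TrustedPath=\\\\DemoCorpDC\\CertEnroll
TrustedNames=DemoCorpDC.DemoCorpDOM.ca.com_DemoCorpPKI(0-1).crt,DemoCorpDC.DemoCorpDOM.ca.com_DemoCorpPKI
(1).crt,DemoCorpDC.DemoCorpDOM.ca.com_DemoCorpPKI.crt
[CRL1]
CrlFileName=ldap://ldap.box1.com:389/
CrlIssuerCert=C:\\Program Files\\CA\\Certs\\vrkqc.cer
[CRL2]
CrlFileName=ldap://ldap.box2.com:389/
[OCSP1]
TrustedPath=C:\\
TrustedNames=certnew.cer
[OCSP2]
TrustedPath=
TrustedNames=
"""

# The corrected file: wrapped value rejoined and the missing issuer certificate added.
SAMPLE_GOOD = rejoin_wrapped(SAMPLE_BAD).replace(
    "[CRL2]\nCrlFileName=ldap://ldap.box2.com:389/\n",
    "[CRL2]\nCrlFileName=ldap://ldap.box2.com:389/\n"
    "CrlIssuerCert=C:\\Program Files\\CA\\Certs\\TEOPersonnelCA.cer\n",
)

if __name__ == "__main__":
    for msg in lint(SAMPLE_BAD):
        print("BAD :", msg)
    print("GOOD:", lint(SAMPLE_GOOD) or "no problems found")
```

Run it against a real CA_certtga.ini by passing the file's contents to lint(); an empty list means none of the article's three pitfalls is present. The parser is deliberately stricter than a generic INI reader, which would silently treat the wrapped line as garbage or as a continuation.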