Modify a Rule Set to Configure Certificate Authorities
The Authentication Server (for X509 Authentication) rule set needs to be modified to ensure appropriate Root CAs (certificate authorities) are configured. The modification is done in a nested rule set.
A client certificate is trusted if signed by a certificate authority from the list that is maintained on the appliance. You need to import all certificate authorities into the list that you want to be signing instances for trusted client certificates.
- Select Policy | Rule Sets and expand the Authentication Server (for X509 Authentication) rule set.
- Expand the nested SSL Authentication Server Request rule set.
- In the Ask user for client certificate rule, click the X509 Auth module settings.
The Edit Settings window opens. - In the Client Certificate Specific Parameters section, review the list of certificate authorities.
- To add a certificate authority to the list:
- Click the Add icon above the list.
The Add Certificate Authority window opens. - In the Host field, enter the host name or IP address that the certificate should be submitted for.
- Click Import.
A window providing access to your local file system opens. - Browse to the certificate authority file you want to import.
- Click OK.
The window closes and the import is performed. The certificate appears in the Add Certificate Authority window.
- Click the Add icon above the list.
- Make sure the Trusted checkbox is selected.
- [Optional] In the Comment field, type a plain-text comment on the certificate authority.
- Click OK.
The window closes and the certificate authority appears in the list. - Click OK to close the Edit Settings window.
- Click Save Changes.