Setting up a remote CA for IAG

Applies To: Intelligent Application Gateway (IAG)

A certification authority (CA) is required for the deployment of client certificates to IAG client endpoints. You can install a CA locally on the IAG server, or you can use a remote CA. This topic describes how to set up a remote CA.

Setting up a remote CA consists of the following steps:

  1. Installing the trusted root certificate of the remote CA on the IAG server in order to indicate that the CA is trusted.

  2. Updating the certificate trust list (CTL) with the new CA.

  3. Backing up the certificate settings.

Installing the trusted root certificate

Note

If you are using a remote CA, import your server certificate into the local computer’s Trusted Root Certification Authorities/Certificate store before proceeding.
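After the import, it is worth confirming that the certificate now in the store is the one the remote CA actually issued as its root. The following PowerShell check is an added example, not part of the original topic; it assumes you obtained the CA's root thumbprint out-of-band, and the value shown is a placeholder.

```powershell
# Added example (not from the original topic): confirm the remote CA's root
# certificate is present in the local computer's Trusted Root store.
# The thumbprint is a placeholder (assumption): replace it with the value
# the CA administrator gave you through a separate, trusted channel.
$ExpectedThumbprint = '<REMOTE-CA-ROOT-THUMBPRINT>'

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
try {
    # Thumbprints are often copied with spaces or colons; keep hex digits only.
    $wanted = $ExpectedThumbprint -replace '[^0-9A-Fa-f]', ''
    $found  = @($store.Certificates | Where-Object { $_.Thumbprint -eq $wanted })

    if ($found.Count -eq 0) {
        Write-Output 'NOT FOUND: no certificate with that thumbprint in LocalMachine\Root'
    }

    foreach ($cert in $found) {
        # A root CA certificate normally carries basicConstraints with CA=TRUE;
        # some old version 1 roots have no extensions at all.
        $bc = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
        }
        $now = Get-Date

        Write-Output ('Subject        : ' + $cert.Subject)
        Write-Output ('Subject=Issuer : ' + ($cert.Subject -eq $cert.Issuer))
        Write-Output ('Valid now      : ' + ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter))
        Write-Output ('Expires        : ' + $cert.NotAfter)
        if ($bc) {
            Write-Output ('CA flag        : ' + $bc.CertificateAuthority)
        }
        else {
            Write-Output 'CA flag        : basicConstraints extension absent'
        }
    }
}
finally {
    $store.Close()
}
```

A missing match, an expired certificate, or a CA flag of False means the wrong certificate was imported and should be resolved before the CA is added to the CTL.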

Updating the certificate trust list

The Certificate Trust List (CTL) is a signed list of CA certificates that have been judged reputable by the administrator. In order to use a CA, you have to notify IAG that you trust the CA by adding it to the CTL for the portal as follows:

To add a CA to the CTL

  1. On the Windows desktop, click Start, point to Programs, click Administrative Tools, and then click Internet Information Services. The Internet Information Services (IIS) Manager window is displayed.

  2. Right-click on the portal, and then click Properties. The portal Properties dialog box is displayed.

  3. Click the Directory Security tab.

  4. In the Secure communications area, click Edit. The Secure Communications dialog box is displayed.

  5. Select Enable certificate trust list, and then click New. The Welcome to the Certificate Trust List Wizard page is displayed.

  6. Click Next. The Certificates in the CTL page of the Certificate Trust List Wizard is displayed.

  7. Click Add from Store. The Select Certificate dialog box is displayed.

  8. Select the certificate you wish to use, and then click OK. The Certificates in the CTL page of the Certificate Trust List Wizard is displayed with the certificate you selected.

  9. Click Next. The Name and Description page of the Certificate Trust List Wizard is displayed.

  10. Enter a name and description for the new Certificate Trust List, and then click Next. The Completing the Certificate Trust List Wizard page is displayed with a summary of your settings.

  11. Click Finish. The certification authority is added to the Certificate Trust List. The configuration process is complete. End users can proceed to make their computers certified endpoints.

Backing up the certificate settings

Make sure that you have a backup of the private key. If not, create backup files via the certificate store. After the initial backup, make sure to back up the certificate settings from time to time, especially before any IAG software upgrade or installation, or any other changes to system settings. For instructions on how to back up the certificate, see SSL Digital Certificate Technical Support (https://www.thawte.com/ssl-digital-certificates/technical-support/ssl/iis6.html).