Secure Global Desktop 4.31 Administration Guide

Can I chain Certificate Authority certificates?

Chaining allows the use of intermediate Certificate Authorities. For example, an X.509 server certificate could be signed by an intermediate Certificate Authority, whose own certificate is issued by a different Certificate Authority.

You can use X.509 server certificates that are signed in this way with Secure Global Desktop. However, certificates for all the links in the chain must be installed as a Secure Global Desktop custom Certificate Authority.

To do this, combine all the certificates in a single file and pass that file to the tarantella security customca command. The certificate of the CA used to sign the X.509 server certificate must appear first.

For the example above, you could create a file mychainedcerts.pem containing:

-----BEGIN CERTIFICATE-----
...
Intermediate CA's certificate
...
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
...
CA root certificate
...
-----END CERTIFICATE-----

You would install this with the command:

tarantella security customca --rootfile mychainedcerts.pem

If any certificate in the chain is corrupt or invalid, users will see "Certificate Authority not recognized" when they try to log in to Secure Global Desktop, and will be denied access.
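
A pre-installation check for the bundle order and for corrupt PEM blocks, as an added example that is not part of the original guide or of Secure Global Desktop. The function names are hypothetical; it compares issuer and subject names byte for byte and does not verify signatures or validity dates. It assumes the server certificate is supplied separately in PEM form and that the certificates after the first follow in issuing order, as in the example file above.

```python
import base64
import re
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Return the raw issuer and subject Name encodings of one certificate."""
    tag, start, end = read_tlv(der, 0)         # outer Certificate SEQUENCE
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    _, pos, tbs_end = read_tlv(der, start)     # tbsCertificate
    fields = []  # serial, signature algorithm, issuer, validity, subject
    while len(fields) < 5 and pos < tbs_end:
        tag, _, nxt = read_tlv(der, pos)
        if tag != 0xA0:                        # skip the optional [0] version
            fields.append(der[pos:nxt])
        pos = nxt
    return fields[2], fields[4]                # IndexError if fields are missing

def load_names(pem_text):
    """One (issuer, subject) pair per PEM block, or None if the block is corrupt."""
    names = []
    for body in PEM_RE.findall(pem_text):
        try:
            names.append(issuer_and_subject(base64.b64decode(body)))
        except (ValueError, IndexError):
            names.append(None)
    return names

def check_chain(server_pem, bundle_pem):
    """Return a list of problems; certificate 0 is the server certificate."""
    chain = load_names(server_pem)[:1] + load_names(bundle_pem)
    if len(chain) < 2 or None in chain:
        return [f"certificate {i} is corrupt" for i, n in enumerate(chain)
                if n is None] or ["need a server and at least one CA certificate"]
    problems = [f"certificate {i + 1} is not the issuer of certificate {i}"
                for i in range(len(chain) - 1) if chain[i][0] != chain[i + 1][1]]
    if chain[-1][0] != chain[-1][1]:
        problems.append("last certificate is not self-issued: chain incomplete")
    return problems
```

Call check_chain with the text of the server certificate file and of mychainedcerts.pem; an empty list means every name links to the next and the chain ends at a self-issued root.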
