
How do I support additional Certificate Authorities?

By default, Secure Global Desktop supports a number of Certificate Authorities (CAs). You can use a Base 64-encoded PEM-format X.509 certificate from an unsupported CA without extra configuration, but such certificates are not validated, and users are prompted to accept or decline the certificate. This is a potential security risk.

To support additional CAs and allow certificates to be validated, you must install the CA certificate (the root certificate) for that CA. On the Secure Global Desktop host, type:

tarantella security customca

Then paste your root certificate in PEM format to standard input.

If your X.509 certificate was signed by an Intermediate CA, you must install the certificate chain.
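
A preflight check for the procedure above, as an added example that is not part of the original guide: it uses the openssl command-line tool to confirm that the file to be installed is a self-signed root and that the server certificate chains to it, through any intermediate, before the root is passed to `tarantella security customca`. The function name, the file names and the use of stdin redirection in place of pasting are assumptions.

```shell
# Added example (not from the guide): preflight before a root CA is
# installed with "tarantella security customca". File names are hypothetical.
# usage: preflight_ca ROOT.pem SERVER.pem [INTERMEDIATES.pem]
preflight_ca() {
    root=$1 server=$2 inter=${3:-}

    # The file is fed to the install command: it must hold certificates
    # only, never key material.
    if grep -q 'PRIVATE KEY' "$root" ${inter:+"$inter"}; then
        echo "refusing: private key material in CA input" >&2
        return 1
    fi

    # A root must validate against itself. An intermediate offered as the
    # root fails here because its issuer is not in the file.
    # -no-CApath keeps the system trust directory out of the decision.
    if ! openssl verify -no-CApath -CAfile "$root" "$root" >/dev/null 2>&1; then
        echo "refusing: $root is not a valid self-signed root" >&2
        return 1
    fi

    # The server certificate must chain to that root, through the
    # intermediates if any were supplied.
    if ! openssl verify -no-CApath -CAfile "$root" \
            ${inter:+-untrusted "$inter"} "$server" >/dev/null 2>&1; then
        echo "refusing: $server does not chain to $root" >&2
        return 1
    fi

    # Show what is about to be trusted, so the fingerprint can be compared
    # with the value the CA publishes out of band.
    openssl x509 -in "$root" -noout -subject -enddate -fingerprint -sha256
}

# Assumption: the PEM is redirected to standard input instead of pasted.
# preflight_ca root.pem server.pem chain.pem && tarantella security customca < root.pem
```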

Sun Secure Global Desktop Client

If the X.509 certificate is issued by an unsupported CA, the Sun Secure Global Desktop Client always prompts users about the certificate the first time they connect to the server. If users accept the certificate permanently, they are not prompted about the certificate again. The only way to prevent users from being prompted about the certificate is to:

Sun Secure Global Desktop Native Client

Users of the Native Client must download and install the root certificate as follows:

Secure (HTTPS) web servers

If you are using a secure (HTTPS) web server, users are prompted to accept the web server's certificate if the root certificate has not been imported into the web browser's keystore. To allow the web server certificate to be validated without prompting the user, import the root certificate into the user's web browser using the browser's tools for doing this.

If you are using Java™ technology with a secure web server, the Java Plug-in may also prompt users to accept the web server's certificate. This depends on the configuration in the Java Control Panel. By default, the Plug-in is configured to use the certificates in the browser keystore. If the Plug-in is not configured to do this, you may have to import the root certificate using the Java Control Panel.

If you are sharing Secure Global Desktop server certificates with a web server, you can download the root certificate from the Sun Secure Global Desktop Native Client download page, available from http://server.example.com.
