Requiring Valid HTTPS Client Certificates
Use this procedure to require users connecting to the CDO web interface to present a client certificate. The system can validate HTTPS client certificates using either OCSP or certificate revocation lists (CRLs) that you import in Privacy-Enhanced Mail (PEM) format.
If you use CRLs, create a scheduled task to update them so that the list of revoked certificates stays current; a certificate revoked after the last refresh is still accepted until the next one. The system displays when the CRLs were last refreshed.
Note: After you enable client certificates, you can reach the web interface only with a valid client certificate present in your browser (or a CAC inserted in your reader).
Before you begin
- Import a server certificate signed by the same certificate authority that signed the client certificate to be used for the connection; see Importing HTTPS Server Certificates.
- Import the server certificate chain if needed; see Importing HTTPS Server Certificates.
Procedure
Step 1: Choose System.
Step 2: Click HTTPS Certificate.
Step 3: Choose Enable Client Certificates. If prompted, select the appropriate certificate from the drop-down list.
Step 4: You have three options:
Step 5: To validate client certificates against CRLs, enter a valid URL to an existing CRL file and click Add CRL. Repeat to add up to 25 CRLs.
Step 6: Click Refresh CRL to load the current CRL or CRLs from the specified URL or URLs.
Step 7: Verify that the client certificate is signed by the certificate authority loaded onto the appliance, and that the server certificate is signed by a certificate authority present in the browser's certificate store. These should be the same certificate authority.
Step 8: Click Save.
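To rehearse the checks behind Steps 5 through 7 before touching a production appliance, here is an added example that is not Cisco's code and not part of this page: it uses the openssl CLI to build a throwaway CA, issue one server and one client certificate from it, publish a PEM CRL, and then verify the client certificate against the CRL before and after revocation. The CA subject, file names and the single-CA layout are assumptions made for the example; everything runs in a temporary directory. OCSP checking is not shown because it needs a reachable responder.

```shell
#!/bin/sh
# Added example, not Cisco's code: a throwaway CA, one server and one client
# certificate, and a PEM CRL, used to rehearse the checks behind Steps 5-7
# with the openssl CLI. All names and paths are made up; everything lives in
# a temp directory and nothing here touches an appliance.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl config: [req] covers CSRs and the self-signed root,
# [demo_ca] lets `openssl ca` issue, revoke and generate CRLs from index.txt.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ leaf_ext ]
basicConstraints = CA:FALSE
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = index.txt
new_certs_dir = .
serial = serial
crlnumber = crlnumber
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 1
policy = any_policy
[ any_policy ]
commonName = supplied
EOF
touch index.txt
echo 1000 > serial
echo 1000 > crlnumber

# Root CA: this stands in for the CA that must be loaded on the appliance and
# present in the browser's certificate store. openssl chatter goes to openssl.log.
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 30 \
  -keyout ca.key -out ca.pem -subj "/CN=Demo Client CA" >>openssl.log 2>&1

# Server and client certificates, both issued by that one CA (Step 7).
for name in server client; do
  openssl req -config ca.cnf -newkey rsa:2048 -nodes \
    -keyout "$name.key" -out "$name.csr" -subj "/CN=demo-$name" >>openssl.log 2>&1
  openssl ca -batch -config ca.cnf -extensions leaf_ext -notext \
    -in "$name.csr" -out "$name.pem" >>openssl.log 2>&1
done

# Step 7: does the certificate chain to the CA, and do the client and server
# certificates share an issuer?
verify_cert() { openssl verify -CAfile ca.pem "$1" >/dev/null 2>&1; }
same_issuer() {
  [ "$(openssl x509 -in "$1" -noout -issuer)" = \
    "$(openssl x509 -in "$2" -noout -issuer)" ]
}

# Steps 5-6: publish a PEM CRL from the CA database (what a scheduled refresh
# fetches) and validate a certificate against it. -crl_check needs a CRL for
# the leaf's issuer and fails for any serial the CRL lists.
publish_crl() { openssl ca -config ca.cnf -gencrl -out "$1" >>openssl.log 2>&1; }
verify_with_crl() {
  openssl verify -crl_check -CAfile ca.pem -CRLfile "$2" "$1" >/dev/null 2>&1
}
# Number of revoked entries a CRL lists (0 when it has none).
revoked_count() { openssl crl -in "$1" -noout -text | grep -c 'Serial Number:' || true; }

publish_crl crl.pem
if same_issuer client.pem server.pem && verify_cert client.pem \
   && verify_with_crl client.pem crl.pem; then
  echo "client certificate accepted (issuer matches, not on CRL)"
fi

# Revoke the client certificate. Until Refresh CRL runs, the appliance still
# holds the old list and keeps accepting it; the refreshed CRL rejects it.
openssl ca -config ca.cnf -revoke client.pem >>openssl.log 2>&1
cp crl.pem stale.pem
publish_crl crl.pem
if verify_with_crl client.pem stale.pem; then
  echo "stale CRL ($(revoked_count stale.pem) revoked) still accepts the client"
fi
if ! verify_with_crl client.pem crl.pem; then
  echo "refreshed CRL ($(revoked_count crl.pem) revoked) rejects the client"
fi
```

The stale-versus-refreshed comparison at the end is the reason the scheduled CRL refresh matters: a CRL is only as current as its last download, so the interval of that task bounds how long a revoked client certificate keeps working. On a real deployment, substitute the CA and CRL URL you configured in Steps 3 and 5 for the files generated here.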