Secure Global Desktop 4.31 Administration Guide > Security > How do I support additional Certificate Authorities?
By default, Secure Global Desktop supports a number of Certificate Authorities (CAs). You can use a Base 64-encoded PEM-format X.509 certificate from an unsupported CA without extra configuration, but such certificates are not validated and users are prompted to accept or decline the certificate. This is a potential security risk.
To support an additional CA and allow its certificates to be validated, you must install the CA certificate, or root certificate, for that CA. On the Secure Global Desktop host, type:
tarantella security customca
Then paste your root certificate in PEM format to standard input.
If your X.509 certificate was signed by an Intermediate CA, you must install the certificate chain.
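A pre-flight check for the bundle you are about to paste into tarantella security customca, as an added example that is not part of the Administration Guide or the product's own code: it confirms that each certificate names the next one as its issuer and that the bundle ends in a self-issued root. It assumes the bundle is ordered from the issuing CA up to the root, compares issuer and subject names byte for byte without verifying signatures, and runs on constructed sample certificates built by the hypothetical helpers enc and sample_cert.

```python
import base64, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem_text):
    """Split a PEM bundle into DER blobs, rejecting malformed Base64."""
    return [base64.b64decode("".join(b.split()), validate=True) for b in PEM_RE.findall(pem_text)]

def tlv(buf, pos):
    """Read one DER TLV at pos and return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(cert):
    """Return the raw DER issuer and subject Names of one certificate."""
    p = tlv(cert, tlv(cert, 0)[1])[1]  # step into Certificate, then tbsCertificate
    if tlv(cert, p)[0] == 0xA0:  # skip the optional [0] version field
        p = tlv(cert, p)[2]
    fields = []
    for _ in range(5):  # serialNumber, signature, issuer, validity, subject
        end = tlv(cert, p)[2]
        fields.append(cert[p:end])
        p = end
    return fields[2], fields[4]

def check_chain(pem_text):
    """Return a list of problems; an empty list means name chaining holds."""
    names = [issuer_and_subject(c) for c in pem_to_der(pem_text)]
    problems = [f"certificate {i} is not issued by certificate {i + 1}"
                for i in range(len(names) - 1) if names[i][0] != names[i + 1][1]]
    if not names or names[-1][0] != names[-1][1]:
        problems.append("bundle does not end in a self-issued root certificate")
    return problems

def enc(tag, body):  # demo helper: DER with short-form lengths only
    return bytes([tag, len(body)]) + body

def sample_cert(issuer, subject):  # constructed, unsigned skeleton (demo input only)
    name = lambda cn: enc(0x30, enc(0x31, enc(0x30, enc(6, b"\x55\x04\x03") + enc(12, cn.encode()))))
    head = enc(0xA0, enc(2, b"\x02")) + enc(2, b"\x01") + enc(0x30, b"")  # version, serial, sigAlg
    tbs = head + name(issuer) + enc(0x30, b"") + name(subject)  # empty validity
    pem = base64.encodebytes(enc(0x30, enc(0x30, tbs))).decode()
    return "-----BEGIN CERTIFICATE-----\n" + pem + "-----END CERTIFICATE-----\n"

# Constructed bundle: issuing CA first, then the root that issued it.
SAMPLE = sample_cert("Demo Root", "Demo Sub CA") + sample_cert("Demo Root", "Demo Root")
print(check_chain(SAMPLE) or "name chaining holds up to a self-issued root")
```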
If the X.509 certificate is issued by an unsupported CA, the Sun Secure Global Desktop Client always prompts users about the certificate the first time they connect to the server. If users accept the certificate permanently, they are not prompted about the certificate again. The only way to prevent users from being prompted about the certificate is to:
certstore.pem file on the client device. The certificate is in the /opt/tarantella/var/tsp/cert.pem file on each host.
hostnames file on the client device. Run the tarantella security fingerprint command on each host to obtain these details.
Users of the Native Client must download and install the root certificate as follows:
http://server.example.com
.ca.pem):
/etc/tarantella directory.
If you are using a secure (HTTPS) web server, users are prompted to accept the web server's certificate if the root certificate has not been imported into the web browser's keystore. To allow the web server certificate to be validated without prompting the user, import the root certificate into the user's web browser using the browser's tools for doing this.
If you are using Java™ technology with a secure web server, the Java Plug-in may also prompt users to accept the web server's certificate. This depends on the configuration in the Java Control Panel. By default, the Plug-in is configured to use the certificates in the browser keystore. If the Plug-in is not configured to do this, you may have to import the root certificate using the Java Control Panel.
If you are sharing Secure Global Desktop server certificates with a web server, you can download the root certificate from the Sun Secure Global Desktop Native Client download page, available from http://server.example.com.
Copyright © 1997-2007 Sun Microsystems, Inc. All rights reserved.