The SMC server does not allow the use of certificate authorities with unknown issuers. Therefore, when importing a certificate authority, its entire chain of trust must be imported.
To import a chain of trust, import the certificates of the root certificate authority and the various sub-authorities individually, starting with the highest-level certificate authority. You can also import them all in one go by providing a "bundle" file.
Whenever you add a certificate authority, the SMC server will verify its chain of trust.
- In Configuration > Certificate Authorities, click on Add an authority.
- Select a file in .pem, .cer, .crt or .der format.
- Add the addresses of the distribution point(s) for the certificate revocation list (CRL). For more information, please refer to the section Configuring a mesh topology.
- Once the authority has been declared, you can edit it or check its usage by hovering over its name in the list of authorities to make the icons appear.
A new authority can also be added while configuring a VPN topology: when selecting the authentication method, click on Add an authority.
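To check a set of CA certificates before importing them, the following added example (not part of the SMC product or its documentation) sorts a PEM bundle root-first and lists the certificates whose issuer is absent, which is the case the server refuses as an unknown issuer. It matches issuer and subject names byte for byte and does not verify signatures or validity dates; the function names are this example's own, and the sample certificates are constructed, unsigned skeletons.

```python
import base64, re

def read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Return the raw DER Name bytes (issuer, subject) of one certificate."""
    _, pos, _ = read_tlv(der, 0)      # Certificate ::= SEQUENCE
    _, pos, _ = read_tlv(der, pos)    # tbsCertificate ::= SEQUENCE
    fields = []
    while len(fields) < 5:            # serial, sigAlg, issuer, validity, subject
        tag, _, end = read_tlv(der, pos)
        if not (tag == 0xA0 and not fields):  # skip the optional [0] version
            fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def load_bundle(pem_text):
    """Decode every CERTIFICATE block of a PEM bundle to DER."""
    pat = r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----"
    return [base64.b64decode(b) for b in re.findall(pat, pem_text, re.S)]

def import_order(ders):
    """Return (ordered, orphans): root-first order, and certs with no known issuer."""
    pending = [(*issuer_subject(d), d) for d in ders]
    ordered, known = [], set()
    while True:
        ready = [c for c in pending if c[0] == c[1] or c[0] in known]  # root, or issuer placed
        if not ready:
            return ordered, [der for _, _, der in pending]
        ordered += [der for _, _, der in ready]
        known |= {subject for _, subject, _ in ready}
        pending = [c for c in pending if c not in ready]

def sample_pem(cn, issuer_cn):
    """Constructed, unsigned certificate skeleton for the demo (not a real CA)."""
    seq = lambda tag, body: bytes([tag, len(body)]) + body
    name = lambda s: seq(0x30, seq(0x31, seq(0x30, b"\x06\x03\x55\x04\x03" + seq(0x0C, s.encode()))))
    tbs = b"\xa0\x03\x02\x01\x02\x02\x01\x01\x30\x00" + name(issuer_cn) + b"\x30\x00" + name(cn)
    der = seq(0x30, seq(0x30, tbs) + b"\x30\x00\x03\x01\x00")
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

if __name__ == "__main__":  # constructed bundle: sub-authority listed before its root
    certs = load_bundle(sample_pem("Demo Sub CA", "Demo Root") + sample_pem("Demo Root", "Demo Root"))
    print([len(group) for group in import_order(certs)])  # [importable, unknown issuer]
```

A certificate reported in the second list needs its issuing authority added to the set before the import can succeed.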
Whenever you update a certificate authority, its name, comments and list of CRL distribution points, if there is one, are kept.
The public key of the updated authority must be the same as that of the previous authority.
Whenever you delete a certificate authority, all authorities depending on it will also be deleted. If any of the intermediate authorities are used in a VPN topology, you will not be able to delete them.