iTP Secure WebServer System Administrator's Guide (iTPWebSvr 6.0+)

Configuring for Secure Transport
iTP Secure WebServer System Administrator’s Guide 523346-002
4-24
You can use certificate chains with the WebSafe2 unit for increased security. If you
plan to do this, see How to Use Server Certificate Chains With WebSafe2 Encryption
on page 5-16 for specific configuration details.
To create a server certificate chain, follow these steps:
1. Obtain leaf and intermediate certificates from the appropriate CA. If the certificates
are to be used to support a Global Server ID, obtain the certificates from VeriSign
at the following web site:
http://www.verisign.com
2. Note that when a certificate chain is sent from VeriSign, the leaf certificate is the
certificate that follows the text SERVER SUBSCRIBER CERTIFICATE, and the
intermediate certificate is the certificate that follows the text INTERMEDIATE CA
CERTIFICATE.
3. Store the leaf and intermediate certificates as follows:
   • Store the leaf certificate, including the lines labeled
     -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, in the
     designated certificate file (cert.txt in the example) using the
     keyadmin command as shown in the following example:
     keyadmin -addcert cert.txt
   • Store the intermediate certificate, including the lines labeled
     -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, in the
     designated intermediate certificate file (intermediate.txt in the
     example) using the keyadmin command as shown in the following example:
     keyadmin -addcert intermediate.txt
For details about adding certificates using keyadmin, see Adding a Certificate to
the Key Database File on page 4-11.
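The steps above ask the administrator to pick the two PEM blocks out of the text the CA delivers and save each one, markers included, into its own file before running keyadmin. The following script is an added example, not code from the guide or from HP: it locates the SERVER SUBSCRIBER CERTIFICATE and INTERMEDIATE CA CERTIFICATE labels named in step 2, extracts the PEM block that follows each, checks that the base64 body decodes to DER (a leading SEQUENCE tag), and writes cert.txt and intermediate.txt. The sample delivery text and the certificate bodies in it are constructed placeholders; the file names are the ones used in the guide's example.

```python
import base64
import os
import re

# Constructed placeholder certificate bodies: minimal DER SEQUENCEs, not real
# X.509 certificates. They only exercise the splitting and decoding logic.
LEAF_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])          # SEQUENCE { INTEGER 1 }
INTERMEDIATE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x02])  # SEQUENCE { INTEGER 2 }


def _pem(der: bytes) -> str:
    """Wrap DER bytes in the PEM markers keyadmin expects, 64 chars per line."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


# Constructed sample of a CA delivery: the two section labels are the ones the
# guide names; everything else is filler.
SAMPLE_DELIVERY = (
    "Thank you for your order.\n\n"
    "SERVER SUBSCRIBER CERTIFICATE\n\n" + _pem(LEAF_DER) + "\n"
    "INTERMEDIATE CA CERTIFICATE\n\n" + _pem(INTERMEDIATE_DER)
)

LABELS = {
    "leaf": "SERVER SUBSCRIBER CERTIFICATE",
    "intermediate": "INTERMEDIATE CA CERTIFICATE",
}
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.*?)\r?\n-----END CERTIFICATE-----", re.S)


def decoded_der(pem: str) -> bytes:
    """Return the DER bytes inside one PEM block, rejecting malformed base64."""
    m = PEM_BLOCK.search(pem)
    if m is None:
        raise ValueError("no PEM certificate block found")
    body = re.sub(r"\s+", "", m.group(1))
    der = base64.b64decode(body, validate=True)
    if not der or der[0] != 0x30:          # DER certificates start with SEQUENCE
        raise ValueError("decoded data is not a DER SEQUENCE")
    return der


def split_delivery(text: str) -> dict:
    """Map 'leaf' and 'intermediate' to the PEM block following each label."""
    parts = {}
    for name, label in LABELS.items():
        pos = text.find(label)
        if pos < 0:
            raise ValueError(f"label {label!r} not found in delivery text")
        m = PEM_BLOCK.search(text, pos)
        if m is None:
            raise ValueError(f"no PEM block follows {label!r}")
        pem = m.group(0) + "\n"
        decoded_der(pem)                    # fail early on a corrupted paste
        parts[name] = pem
    return parts


def write_chain_files(parts: dict, directory: str = ".") -> list:
    """Write cert.txt and intermediate.txt; return the keyadmin commands to run."""
    names = {"leaf": "cert.txt", "intermediate": "intermediate.txt"}
    commands = []
    for key, filename in names.items():
        path = os.path.join(directory, filename)
        with open(path, "w") as fh:
            fh.write(parts[key])
        commands.append(f"keyadmin -addcert {path}")
    return commands


if __name__ == "__main__":
    for cmd in write_chain_files(split_delivery(SAMPLE_DELIVERY)):
        print(cmd)
```

The script deliberately stops at "is this a well-formed certificate block"; confirming that the leaf was actually issued by the intermediate (issuer name matching subject name, signature verification) needs an X.509 library and is worth doing before the keyadmin step, since a mismatched pair is accepted by the key database but produces handshake failures for every client.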
Managing Client Authentication
For SSL 3.0 the server always authenticates itself to its clients. However, you can
configure the server to request or require the web client to authenticate itself to the
server.
The AcceptSecureTransport configuration directive accepts two options for specifying
how the server controls client authentication:
-requestauth  The server requests that the web client present a certificate, and
              the web client can choose whether to do so.
-requireauth  The server requires that the web client present its certificate and
              terminates communication if the web client declines.
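The request/require distinction maps directly onto the two peer-verification modes that OpenSSL-based servers expose. The snippet below is an added example, not part of the guide or of the iTP product: it reads the client-auth flag from an AcceptSecureTransport line and builds a Python ssl.SSLContext with the equivalent setting, so the behaviour can be reasoned about outside the iTP configuration. Only the two flags named in the guide are interpreted; any other tokens on the directive line are passed over, and the CA bundle path is a constructed placeholder.

```python
import ssl

# Guide's flag -> equivalent OpenSSL/Python verification mode.
# CERT_OPTIONAL = request a certificate but accept its absence (-requestauth).
# CERT_REQUIRED = fail the handshake when none is presented (-requireauth).
AUTH_OPTIONS = {
    "-requestauth": ssl.CERT_OPTIONAL,
    "-requireauth": ssl.CERT_REQUIRED,
}


def auth_flag_from_directive(line: str):
    """Return the client-auth flag on an AcceptSecureTransport line, or None."""
    tokens = line.split()
    if not tokens or tokens[0] != "AcceptSecureTransport":
        raise ValueError("not an AcceptSecureTransport directive")
    found = [t for t in tokens[1:] if t in AUTH_OPTIONS]
    if len(found) > 1:
        raise ValueError("-requestauth and -requireauth are mutually exclusive")
    return found[0] if found else None


def server_context(line: str, ca_file: str = None) -> ssl.SSLContext:
    """Build a server-side TLS context whose verify_mode mirrors the directive."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    flag = auth_flag_from_directive(line)
    ctx.verify_mode = AUTH_OPTIONS[flag] if flag else ssl.CERT_NONE
    if ca_file is not None:
        # Trust anchors used to validate client certificates (placeholder path).
        ctx.load_verify_locations(ca_file)
    return ctx


if __name__ == "__main__":
    for directive in ("AcceptSecureTransport",
                      "AcceptSecureTransport -requestauth",
                      "AcceptSecureTransport -requireauth"):
        print(directive, "->", server_context(directive).verify_mode.name)
```

One caveat worth keeping in mind when choosing -requestauth: "the client can choose to do so" only covers the case where the client sends nothing. In the OpenSSL mode it corresponds to, a client that does present a certificate which fails validation is still rejected, so an optional-auth server must be loaded with the right CA certificates even though it tolerates anonymous clients.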