and is self-signed. Each intermediate certificate is issued by the certificate above it in the chain.
To enable authentication in a chained certificate environment, you must install the appropriate client-side certificates in each user’s Web browser and then upload the corresponding CA certificates to the SA Series Appliance.
NOTE: With a user license, you cannot install a chain whose certificates are issued by different CAs. The CA that signs the lowest-level certificate in the chain must also sign all other certificates in the chain.
You can install client CAs through the System > Configuration > Certificates > Trusted Client CAs page of the admin console. When uploading the certificate chain to the SA Series Appliance, you must use one of the following methods:
Import the entire certificate chain at once—When installing a chain of certificates contained in a single file, the SA Series Appliance imports the root certificate and any sub-certificates whose parents are in the file or on the SA Series Appliance. You can include certificates in any order in the import file.
Import the certificates one at a time in descending order—When installing a chain of certificates contained in multiple files, the SA Series Appliance requires that you install the root certificate first, and then install the remaining chained certificates in descending order.
When you install chained certificates using one of these methods, the SA Series Appliance automatically chains the certificates together in the correct order and displays them hierarchically in the admin console.
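The ordering rule described above can be checked before an upload. The following is an added example, not code from the guide or the appliance: it matches certificates by subject and issuer name only (a real import also verifies signatures), and the function name and certificate names are constructed for illustration.

```python
# Added illustration; certificate names below are constructed sample data.
def import_order(certs, on_appliance=()):
    """Order (subject, issuer) pairs the way the text describes.

    A self-signed certificate (subject == issuer) is a root. A sub-certificate
    is accepted only once its parent is in the file or already on the
    appliance. Returns (accepted_in_order, skipped_subjects).
    Assumption: parents are matched by name; signatures are not verified here.
    """
    installed = set(on_appliance)
    pending = list(certs)
    accepted = []
    progress = True
    while pending and progress:
        progress = False
        for subject, issuer in list(pending):
            if subject == issuer or issuer in installed:
                accepted.append(subject)
                installed.add(subject)
                pending.remove((subject, issuer))
                progress = True
    return accepted, [subject for subject, _ in pending]


# Constructed bundle, deliberately out of order, with one orphan.
BUNDLE = [
    ("CN=Issuing CA", "CN=Policy CA"),
    ("CN=Example Root", "CN=Example Root"),
    ("CN=Orphan CA", "CN=Missing Parent"),
    ("CN=Policy CA", "CN=Example Root"),
]

if __name__ == "__main__":
    accepted, skipped = import_order(BUNDLE)
    print("import order:", accepted)
    print("skipped (parent not found):", skipped)
```

The accepted list is the descending order to use when uploading the files one at a time; anything in the skipped list has no parent in the file or on the appliance.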
NOTE: If you install multiple certificates in a user’s Web browser, the browser prompts the user to choose which certificate to use whenever he signs into the SA Series Appliance.
Related Documentation
Using Intermediate Server CA Certificates on page 732
Enabling CRLs
A certificate revocation list (CRL) is a mechanism for cancelling a client-side certificate. As the name implies, a CRL is a list of revoked certificates published by a CA or delegated CRL issuer. The SA Series Appliance supports base CRLs, which include all of the company’s revoked certificates in a single, unified list.
The SA Series Appliance knows which CRL to use by checking the client’s certificate. (When issuing a certificate, the CA includes CRL information for the certificate in the certificate itself.) To ensure that it receives the most up-to-date CRL information, the SA Series Appliance periodically contacts a CRL distribution point to get an updated list of revoked certificates. A CRL distribution point (CDP) is a location on an LDAP directory
Copyright © 2012, Juniper Networks, Inc.
Chapter 29: Certificates
server or Web server where a CA publishes CRLs. The SA Series Appliance downloads CRL information from the CDP at the interval specified in the CRL, at the interval that you specify during CRL configuration, and when you choose to manually download the CRL. The SA Series Appliance also supports CRL partitioning. CRL partitioning enables you to verify portions of very large CRLs without having to spend the time and bandwidth necessary to access and validate a very large CRL or collection of large CRLs. CRL partitioning is only enabled on the SA Series Appliance when you employ the Specify the CDP(s) in the client certificates method (described below). In this case, the SA Series Appliance validates the user by verifying only the CRL specified in the client certificate.
Although CAs include CRL information in client-side certificates, they do not always include CDP information, as well. A CA may use any of the following methods to notify the SA Series Appliance of a certificate’s CDP location:
Specify the CDP(s) in the CA certificate—When the CA issues a CA certificate, it may include an attribute specifying the location of the CDP(s) that the SA Series Appliance should contact. If more than one CDP is specified, the SA Series Appliance chooses the first one listed in the certificate and then fails over to subsequent CDPs, if necessary.
Specify the CDP(s) in the client certificates—When the CA issues client-side certificates, it may include an attribute specifying the location of the CDP(s) that the SA Series Appliance should contact. If more than one CDP is specified, the SA Series Appliance chooses the first one listed in the certificate and then fails over to subsequent CDPs, if necessary. When the SA Series Appliance employs CRL partitioning and the client certificate specifies only one CRL, the SA Series Appliance performs verification using only that CRL.
NOTE: If you choose this method, the user receives an error the first time he tries to sign into the SA Series Appliance because no CRL information is available. Once the SA Series Appliance recognizes the client’s certificate and extracts the CRL location, it can start downloading the CRL and subsequently validate the user’s certificate. In order to successfully sign into the SA Series Appliance, the user must try to reconnect after a few seconds.
Require the administrator to manually enter the CDP location—If the CA does not include the CDP location in the client or CA certificates, you must manually specify how to download the entire CRL object when configuring the SA Series Appliance. You may specify a primary and backup CDP. (Manually entering the CDP location provides the greatest flexibility because you do not need to reissue certificates if you change your CDP location.)
The SA Series Appliance checks the user’s certificate against the appropriate CRL during authentication. If it determines that the user’s certificate is valid, the SA Series Appliance caches the certificate attributes and applies them if necessary during role and resource policy checks. If it determines that the user’s certificate is invalid, if it cannot contact the appropriate CRL, or if the CRL is expired, the SA Series Appliance denies the user access.
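The CDP failover and the deny-on-failure behavior described above, modeled as an added example (not code from the guide or the appliance). Assumptions: failover happens only when a CDP does not answer, the CRL's signature check is reduced to an issuer-name comparison, and all URLs, names and serial numbers are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Crl:
    issuer: str             # CA that published (and, in a real CRL, signed) the list
    next_update: datetime   # after this time the CRL counts as expired
    revoked: frozenset      # serial numbers of revoked certificates


def first_reachable(cdps, fetch):
    """Try CDPs in the order listed; fail over only when one does not answer."""
    for url in cdps:
        crl = fetch(url)
        if crl is not None:
            return url, crl
    return None, None


def check_client_cert(serial, issuer, cdps, fetch, now):
    """Return (decision, reason); every failure path denies access."""
    url, crl = first_reachable(cdps, fetch)
    if crl is None:
        return "deny", "cannot contact any CDP"
    if crl.issuer != issuer:
        # Stand-in for verifying that the certificate's CA signed the CRL.
        return "deny", "CRL was not issued by the certificate's CA"
    if now >= crl.next_update:
        return "deny", "CRL is expired"
    if serial in crl.revoked:
        return "deny", "certificate is revoked"
    return "allow", "serial not listed in CRL from " + url


# Constructed sample data: None simulates a CDP that cannot be reached.
UTC = timezone.utc
NOW = datetime(2012, 6, 1, 12, 0, tzinfo=UTC)
CA = "CN=Example Client CA"
STALE = "http://stale.example.test/ca.crl"
BOTH = ["http://cdp1.example.test/ca.crl", "http://cdp2.example.test/ca.crl"]
CDP_STORE = {
    BOTH[0]: None,
    BOTH[1]: Crl(CA, datetime(2012, 6, 8, tzinfo=UTC), frozenset({0x1A2B})),
    STALE: Crl(CA, datetime(2012, 5, 1, tzinfo=UTC), frozenset()),
}

if __name__ == "__main__":
    for serial in (0x0001, 0x1A2B):
        print(hex(serial), check_client_cert(serial, CA, BOTH, CDP_STORE.get, NOW))
    print(check_client_cert(0x0001, CA, BOTH[:1], CDP_STORE.get, NOW))
    print(check_client_cert(0x0001, CA, [STALE], CDP_STORE.get, NOW))
```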
Junos Pulse Secure Access Service Administration Guide
You can configure CRL checking through the System > Configuration > Certificates > Trusted Client CAs page of the admin console.
NOTE:
The SA Series Appliance only supports CRLs that are in a PEM or DER format and that are signed by the CA for which the revocations apply.
The SA Series Appliance only saves the first CRL in a PEM file.
The SA Series Appliance does not support the Issuing Distribution Point (IDP) CRL extension.
Related Documentation
Specifying CDP Options on page 748
Sending CRL Download Requests to a Proxy Server
If you use a proxy server to control access to the Internet, you can use the “Use Proxy Server for CRL download” option to send CRL download requests to the proxy server and collect the response.
With this option, all CRL downloads from:
CDPs specified in the trusted client CAs
CDPs specified in client certificates
Manually configured CDPs
now occur through the proxy server.
NOTE: Once you configure a proxy, any CRL download initiated from the SA Series Appliance goes through the configured proxy server.
CRL download through proxy is only for web-based URLs, not LDAP URLs.
To use a proxy server for CRL download requests:
1. In the admin console, choose System > Configuration > Certificates > Trusted Client CAs.
2. Click Proxy Settings.
3. Select the Use Proxy Server for HTTP-based CRL download checkbox.
4. Enter the proxy server hostname. You can specify either an IP address or a fully qualified domain name.
5. Enter the proxy server port number if it is different from the default value of 80.
6. (optional) If your proxy server requires authentication, enter a username and password to log in to the proxy server.
Specifying CDP Options
If you selected either Use CRLs or Use OCSP with CRL fallback, you can enable and periodically download certificate revocation lists (CRL) from CRL distribution points (CDPs) to verify the ongoing validity of client-side certificates.
1. In the admin console, choose System > Configuration > Certificates > Trusted Client CAs.
2. Click the link that corresponds to the certificate for which you want to enable CRL checking.
NOTE: Since the SA Series Appliance supports CRL partitioning, you may see multiple CRLs displayed under CRL distribution points. This is because the partitioned portions of a revocation list are not identified individually, but referred to as the CDP from which they are derived.
3. Click CRL Checking Options. The CRL Checking Options page appears.
4. Under CRL Distribution Points, specify where the SA Series Appliance should find access information for the CDP. Options include:
  No CDP (no CRL Checking)—When you select this option, the SA Series Appliance does not check CRLs issued by the CA, so you do not need to enter any parameters to access the CDP that issued the CRL.
  CDP(s) specified in the Trusted Client CA—When you select this option, the SA Series Appliance checks the CRL distribution point attribute in the certificate and displays the URIs of the CDPs that it finds in the CRL Checking Options page. If the CA certificate does not include all of the information required to access the CDP, specify the additional required information:
    CDP Server: (LDAP only)—Enter the location of the CDP server. When using LDAP protocol, enter the IP address or hostname (for example, ldap.domain.com).
    CRL Attribute: (LDAP only)—Enter the LDAP attribute on the object that contains the CRL (for example, CertificateRevocationList).
    Admin DN, Password: (LDAP only)—If the CDP server does not allow anonymous searches of the CRL, enter the admin DN and password that are required to authenticate into the CDP server.
  CDP(s) specified in client certificates—If the client certificate does not include all of the information required to access the CDP, specify the additional required information:
    CDP Server: (LDAP only)—Enter the location of the CDP server. When using LDAP protocol, enter the IP address or hostname (for example, ldap.domain.com).
    CRL Attribute: (LDAP only)—Enter the LDAP attribute on the object that contains the CRL (for example, CertificateRevocationList).
    Admin DN, Password: (LDAP only)—If the CDP server does not allow anonymous searches of the CRL, enter the admin DN and password that are required to authenticate into the CDP server.
  Manually configured CDP—When you select this option, the SA Series Appliance accesses the CDP that you specify. Enter the URL of the primary CDP and optionally of a backup CDP. For an LDAP server, use the syntax: ldap://Server/BaseDN?attribute?Scope?Filter. For a Web server, enter the complete path to the CRL object. For example:
  http://domain.com/CertEnroll/CompanyName%20CA%20Server.crl
  Additionally, if the CDP server does not allow anonymous searches of the CRL, enter the admin DN and password that are required to authenticate into the CDP server. (LDAP only)
NOTE: If you choose to download CDPs using one method and then select a different method, the SA Series Appliance deletes any CDPs from disk that were downloaded using the previous method.
5. In the CRL Download Frequency field, specify how often the SA Series Appliance should download the CRL from the CDP. The allowable range is from 1 to 9999 hours.
6. Click Save Changes.
7. If you want to check the validity of your CA certificate (in addition to client-side certificates) against the CRL specified in the previous steps, select Verify Trusted Client CA on the Trusted Client CA page.
NOTE:
When you choose to verify an intermediate certificate, make sure that CRLs are available for all of the CA certificates that are above the intermediate certificate in the chain—when verifying a CA certificate, the SA Series Appliance also verifies all issuing CAs above the certificate in the chain.
If you select this option but do not enable CRL checking, the SA Series Appliance checks the CA certificate against the CDP for the CA’s issuer. If no CRL is enabled for the issuer, user authentication fails.
8. Click Save Changes. The SA Series Appliance downloads the CRL using the method you specified (if applicable) and displays CRL checking details (described in the following section).
9. Click Update Now in the Trusted Client CA page to manually download the CRL from the CDP (optional).
Related Documentation
Specifying Attributes for the Trusted Client CA Certificate
Enabling CRLs on page 745
Enabling OCSP
The Online Certification Status Protocol (OCSP) offers you the ability to verify client certificates in real-time. Using OCSP, the SA Series Appliance becomes a client of an OCSP responder and forwards validation requests for users, based on client certificates. The OCSP responder maintains a store of CA-published CRLs and maintains an up-to-date list of valid and invalid client certificates. Once the OCSP responder receives a validation request from the SA Series Appliance (which is commonly an HTTP or HTTPS transmission), the OCSP responder either validates the status of the certificate using its own authentication database or calls upon the OCSP responder that originally issued the certificate to validate the request. After formulating a response, the OCSP responder returns the signed response to the SA Series Appliance and the original certificate is either approved or rejected, based on whether or not the OCSP responder validates the certificate.
Specifying OCSP Options
If you selected either Use OCSP or Use OCSP with CRL fallback, the SA Series Appliance displays a list of known OCSP responders and enables you to configure OCSP responder options:
1. Delete, enable, or disable OCSP Responder configuration using the Delete, Enable, or Disable buttons, respectively.
2. If you want to configure OCSP options, click OCSP Options. The OCSP Options page appears.
3. Specify the type of OCSP responder the SA Series Appliance uses to validate trusted client CAs in the Use drop-down list:
  None—The SA Series Appliance does not use OCSP to verify the status of certificates issued by this CA.
  Responder(s) specified in the CA certificate—The SA Series Appliance uses OCSP responders specified in the imported client CA to perform verification. When you select this option, the SA Series Appliance displays a list of OCSP responders specified in the imported CA (if any) and the last time they were used.
  Responder(s) specified in the client certificates—The SA Series Appliance uses responders specified during client authentication to perform verification. When you select this option, the SA Series Appliance displays a list of known OCSP responders (if any) and the last time they were used.
  Manually configured responders—The SA Series Appliance uses primary and secondary OCSP responders at the addresses you specify.
NOTE: A nonce is random data the SA Series Appliance includes in an OCSP request and the OCSP Responder returns in the OCSP response. The SA Series Appliance compares the nonce in the request and response to ensure that the response is generated by the OCSP responder. If the two do not match, the SA Series Appliance disregards the response and sends a new request. Nonces are a common way of preventing replay attacks.
4. Click Save Changes.
Specifying OCSP Responder Options
To specify OCSP Responder Signer Certificate options for one or more OCSP responders:
1. Click the name of the OCSP responder you want to configure in the OCSP responders list. The option specification page for the OCSP responder appears.
2. Browse to the network path or local directory location of a Responder Signer Certificate. This is the certificate the OCSP responder uses to sign the response. You must specify the Responder Signer Certificate if the signer certificate is not included in the response.
3. If you want to allow an OCSP responder certificate that matches the responder signer certificate, activate the Trust Responder Certificate checkbox.
4. Enable the Revocation Checking option to ensure that the certificate the SA Series Appliance and OCSP responder are using has not recently been revoked. This option only has any implications if you specified the Use OCSP with CRL fallback option.
5. Specify a clock discrepancy value in the Allow clock discrepancy field to account for possible mismatches in timestamps between the SA Series Appliance and the OCSP responder. If the mismatch is significant enough, the SA Series Appliance simply disregards the response from the OCSP responder as out-of-date or expired.
6. Click Save Changes.
Related Documentation
Specifying Attributes for the Trusted Client CA Certificate
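The nonce comparison and the Allow clock discrepancy setting described above, modeled as an added example (not code from the guide or the appliance). Assumptions: the response is reduced to four fields with signature verification omitted, the discrepancy is applied to both ends of the response's validity window, and the responders and timestamps are constructed.

```python
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class OcspResponse:
    nonce: bytes            # nonce echoed back by the responder
    cert_status: str        # "good", "revoked" or "unknown"
    this_update: datetime   # when the status was known to be correct
    next_update: datetime   # when newer status will be available


def evaluate(request_nonce, resp, now, allowed_skew):
    """Classify one response: approve, reject, or one of two disregard cases."""
    if not hmac.compare_digest(request_nonce, resp.nonce):
        return "disregard-nonce"
    not_yet_valid = resp.this_update - allowed_skew > now
    stale = resp.next_update + allowed_skew < now
    if not_yet_valid or stale:
        return "disregard-time"
    return "approve" if resp.cert_status == "good" else "reject"


def query_status(responder, now, allowed_skew, max_attempts=2):
    """Send a fresh nonce per attempt; a nonce mismatch triggers a new request."""
    for _ in range(max_attempts):
        nonce = secrets.token_bytes(16)
        verdict = evaluate(nonce, responder(nonce), now, allowed_skew)
        if verdict != "disregard-nonce":
            return verdict
    return "disregard-nonce"


# Constructed sample data and stand-in responders.
NOW = datetime(2012, 6, 1, 12, 0, tzinfo=timezone.utc)
SKEW = timedelta(minutes=5)
CAPTURED = OcspResponse(b"\x00" * 16, "good",
                        NOW - timedelta(minutes=1), NOW + timedelta(hours=1))


def live_responder(nonce):
    # Responder clock runs 3 minutes ahead of the appliance.
    return OcspResponse(nonce, "good",
                        NOW + timedelta(minutes=3), NOW + timedelta(hours=1))


def replaying_responder(nonce):
    # Returns an old response whose nonce belongs to an earlier request.
    return CAPTURED


if __name__ == "__main__":
    print(query_status(live_responder, NOW, SKEW))
    print(query_status(live_responder, NOW, timedelta(minutes=1)))
    print(query_status(replaying_responder, NOW, SKEW))
```

A discrepancy value that is too small turns an honest responder with a slightly fast clock into a disregarded response, which is the trade-off the Allow clock discrepancy field controls.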
Using Trusted Server CAs
If you have a Web browsing license, you may validate the credentials of the Web sites that users access through the SA Series Appliance. You must simply install the CA certificate of the Web servers that you trust on the SA Series Appliance.
NOTE: All of the trusted root CAs for the Web certificates installed in Internet Explorer 7.0 and Windows XP service pack 2 are pre-installed on the SA Series Appliance.
Then, whenever a user visits an SSL-enabled Web site, the SA Series Appliance verifies that:
The Web site’s certificate is issued by one of the trusted root CA chains installed on the SA Series Appliance.
The Web site’s certificate is not expired.
The Web site’s certificate Subject CN value matches the actual host name of the accessed URL. (Note that the SA Series Appliance allows the Subject CN value to contain wildcards in the format: *.company.com.)
If any of these conditions are not met, the SA Series Appliance logs a major event to the user access log and allows or denies the user access to the Web site based on role-level settings that you have configured through the Users > User Roles > Select Role > Web > Options tab of the admin console. (If you do not configure these settings, the SA Series Appliance warns the user that the Web site’s certificate is invalid, but still allows him to access the site.)
Related Documentation
Uploading Trusted Server CA Certificates on page 752
Renewing a Trusted Server CA Certificate on page 753
Configuring Virus Signature Version Monitoring and Patch Assessment Data Monitoring on page 306
Using Third-party Integrity Measurement Verifiers on page 323
Uploading Trusted Server CA Certificates
Use the System > Configuration > Certificates > Trusted Server CAs tab to import the CA certificates of trusted Web sites into the SA Series Appliance.
The SA Series Appliance supports X.509 CA certificates in PEM (Base64) and DER (binary) encoded formats. Note that you should also specify what the SA Series Appliance should do in cases where a user tries to access an untrusted Web site.
NOTE:
When uploading a certificate chain to the SA Series Appliance, you must either install the certificates one at a time in descending order starting with the root certificate (DER or PEM files), or you must upload a single file to the SA Series Appliance that contains the entire certificate chain (PEM files only). By using one of these methods, you ensure that the SA Series Appliance can link the certificates together in the correct order.
The SA Series Appliance does not support CRL revocation checks for trusted server CA certificates.
To upload CA certificates to the SA Series Appliance:
1. In the admin console, choose System > Configuration > Certificates > Trusted Server CAs.
2. Click Import Trusted Server CA.
3. Browse to the CA certificate that you want to upload to the SA Series Appliance and click Import Certificate.
Related Documentation
Renewing a Trusted Server CA Certificate on page 753
Using Trusted Server CAs on page 751
Renewing a Trusted Server CA Certificate
If one of your trusted Web sites renews its certificate, you must upload the renewed certificate to the SA Series Appliance as well.
To import a renewed CA certificate into the SA Series Appliance:
1. In the admin console, choose System > Configuration > Certificates > Trusted Server CAs.
2. Click the link that corresponds to the certificate that you want to renew.
3. Click Renew Certificate.
4. Browse to the renewed CA certificate that you want to upload to the SA Series Appliance and click Import Certificate.
Related Documentation
Using Trusted Server CAs on page 751
Uploading Trusted Server CA Certificates on page 752
Viewing Trusted Server CA Certificate Details
You can view a variety of details about each of the CA certificates installed on the SA Series Appliance.
To view trusted server CA certificate details:
1. In the admin console, choose System > Configuration > Certificates > Trusted Server CAs.
2. Click the certificate that you want to view.
3. Under Certificate, use the arrow next to the following field names to view certificate details:
  Issued To—Name and attributes of the entity to whom the certificate is issued.
  Issued By—Name and attributes of the entity that issued the certificate. Note that the value of this field should either match the Issued To field (for root certificates) or the Issued To field of the next certificate up in the chain (for intermediate certificates).
  Valid Dates—Time range that the certificate is valid.
  Details—Includes various certificate details, including its version, serial number, signature algorithm, CRL distribution points, public key algorithm type, and the public key. (Note that the SA Series Appliance does not support CRL checking for trusted server CA certificates.)
Related Documentation
Using Trusted Server CAs on page 751
Uploading Trusted Server CA Certificates on page 752
Renewing a Trusted Server CA Certificate on page 753
Using Code-signing Certificates
When the SA Series Appliance intermediates a signed Java applet, the SA Series Appliance re-signs the applet with a self-signed certificate by default. This certificate is issued by a non-standard trusted root CA. As a result, if a user requests a potentially high-risk applet (such as an applet that accesses network servers), the user’s Web browser alerts him that the root is untrusted.
If you import a code-signing certificate to the SA Series Appliance, the SA Series Appliance uses the imported certificate to re-sign applets instead of the default self-signed certificate. As a result, if a user requests a potentially high-risk applet, the user’s Web browser displays an informational message instead of a warning. The message informs the user that the applet is signed by a trusted authority.
The SA Series Appliance supports the following types of code-signing certificates:
Microsoft Authenticode Certificate—The SA Series Appliance uses this certificate to sign applets that run on either MS JVM or SUN JVM. Note that we only support Microsoft Authenticode Certificates issued by Verisign. You may purchase Microsoft Authenticode Certificates at the following location:
http://www.verisign.com/products-services/security-services/code-signing/index.html