 Admin Console Help
 

Administration > Certificate Authorities

Use the Administration > Certificate Authorities page to specify which certificates the Google Search Appliance can trust. A certificate confirms the identity of the search appliance for secure network communications. By using this page, you can perform the following tasks:

Before Starting this Task

Before specifying certificates for the search appliance, complete the tasks shown in the following table.

Task | Description
Import certificates | Import a certificate if you provide HTTPS (SSL protected) search service for users, enable the search appliance to crawl protected content web servers, or authenticate user credentials provided to the search appliance by client SSL authentication.
Import a private key | Import a private key if you provide HTTPS (SSL protected) search service for users.
Import PEM files | Import privacy enhanced mail (PEM) files that contain the certificates that the search appliance should trust if you enable servers or OneBox providers to authenticate themselves to the search appliance during crawl.

Configuring Certificates

The search appliance uses certificate authority (CA) certificates for four purposes:

  • Provide HTTPS (SSL protected) search service for users. In this case, you must import a certificate and private key for your search appliance to use, or create a new one in the Admin Console.
  • Enable the search appliance to crawl web servers that protect content with client SSL authentication. In this case, you must either import a certificate and private key for your search appliance to use, or create a new certificate in the Admin Console, which you can then export so that the web servers can be given the new certificate to trust.
  • Enable servers or OneBox providers to authenticate themselves to the search appliance during crawl. In this case, you must import privacy enhanced mail (PEM) files that contain the certificates that the search appliance should trust.
  • Authenticate user credentials provided to the search appliance by client SSL authentication. These credentials are then used to determine whether the user is allowed to view protected search results. In this case, you must import the certificates that the search appliance should trust.

Also, you may need to import certificate authorities when you are creating a forms authentication rule if the root CA that signed the certificates is not already installed on the search appliance.

Current Certificate Authority Certificates

Active CA certificates that the search appliance trusts are listed in the Current Certificate Authorities area. You can add a Certificate Authority without adding a Certificate Revocation List (CRL). The CRL contains a list of serial numbers of revoked, but unexpired, certificates. If the CA certificate has been revoked by a CRL, a checkmark appears next to the CA certificate in the list, and any server that uses that certificate will fail authentication. The search appliance supports CA certificates and CRL files in PEM format.

When installing certificates, ensure that your certificate chain is properly installed. The following two examples show valid certificate chains.

Example certificate chain 1:

Server certificate
Intermediate CA certificate

Example certificate chain 2:

Server certificate
Intermediate CA certificate
Root CA certificate

When a CA certificate is revoked:

  • Servers whose certificates are signed by that CA are not crawled.
  • OneBox providers whose certificates are signed by that CA are unable to respond to requests.

Using Default Certificate Authorities

By default, the search appliance uses its own store of preloaded certificate authorities. These default certificate authorities are used by most browsers. By using these default certificate authorities, the search appliance trusts the same servers that browsers trust. As a search appliance administrator, you have the following options:

  • Using the default certificate authorities without uploading any of your own certificate authorities
  • Using only your uploaded certificate authorities without using the default ones
  • Using both the default and uploaded certificate authorities

By using the options in the Default Certificate Authorities area of this page, you can disable or re-enable default certificate authorities. You can also download the default certificate authorities for viewing.

Uploading a CA Certificate

The search appliance will trust any certificate for which it can build a chain to an imported certificate. Consider inheritance carefully when choosing which certificates to upload for the search appliance to trust; certificates higher in the chain grant broader trust.

  • If the certificate to be trusted is self-signed, just import that certificate.
  • If the certificate was issued by a self-signed root CA, then just import the CA's certificate.
  • If the certificate was issued by an "intermediate CA":
    • You may import the immediate issuer's certificate. This is simple and limits the scope of the trust (which may be desirable or undesirable, depending on your situation).
    • If your browsers are configured to provide their entire trust chain, then you may import any of the intermediate certificates along the chain, and/or the root certificate at the top of the chain.
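
The trust scope described above, as an added example (not part of the Google Search Appliance documentation or code): a Python model that follows issuer names up to an uploaded certificate and treats a CRL entry as breaking the chain. All certificate names and serial numbers are constructed, chains are matched by name only with no signature verification, and every intermediate is assumed to be presented.

```python
# Added illustration: chains are matched by subject/issuer name only.
# No signatures are checked; every name and serial below is constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int

ROOT = Cert("Example Root CA", "Example Root CA", 1)
INT_A = Cert("Example Intermediate A", "Example Root CA", 2)
INT_B = Cert("Example Intermediate B", "Example Root CA", 3)
SERVERS = [
    Cert("crawl.example.com", "Example Intermediate A", 10),
    Cert("onebox.example.com", "Example Intermediate A", 11),
    Cert("hr.example.com", "Example Intermediate B", 12),
    Cert("legacy.example.com", "legacy.example.com", 20),  # self-signed
]
# Assumption: the peer presents its whole chain, so every issuer can be found.
KNOWN = {c.subject: c for c in [ROOT, INT_A, INT_B, *SERVERS]}

def chain_to_anchor(cert, imported, revoked=frozenset()):
    """Walk issuer links from cert; return the chain that ends at an
    imported certificate, or None if no such chain can be built."""
    chain, seen = [], set()
    while cert is not None and cert.subject not in seen:
        if (cert.issuer, cert.serial) in revoked:
            return None               # CRL entry: the chain is rejected
        chain.append(cert.subject)
        if cert.subject in imported:
            return chain              # reached an uploaded certificate
        seen.add(cert.subject)
        cert = KNOWN.get(cert.issuer)
    return None                       # ran out of issuers or looped

def trusted_servers(imported, revoked=frozenset()):
    """Server certificates that chain to any imported certificate."""
    return sorted(s.subject for s in SERVERS
                  if chain_to_anchor(s, imported, revoked) is not None)

if __name__ == "__main__":
    crl = {("Example Root CA", 2)}    # root's CRL revokes Intermediate A
    for anchors in ({"Example Root CA"}, {"Example Intermediate A"},
                    {"legacy.example.com"}):
        print(sorted(anchors), "->", trusted_servers(anchors))
    print("root + CRL ->", trusted_servers({"Example Root CA"}, crl))
```

Uploading the root trusts servers under both intermediates, uploading Intermediate A trusts only its own servers, and a CRL entry for Intermediate A removes those servers even when the root is the uploaded certificate.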

Take note that if you upload the CA certificate with Enable default Certificate Authorities checked, then the uploaded certificate will not be displayed in the Admin Console. The uploaded CA certificate is displayed only when Enable default Certificate Authorities is not checked.

To upload a CA certificate from your network:

  1. Next to Add more Certificates Authorities, click Browse.
  2. Navigate to the Certificate Authority file (in the supported PEM format) on your network, and click Open.
  3. Click Save Settings.

Uploading a Certificate Revocation List

To upload a CRL from your network for a CA certificate:

  1. Next to Add Certificate Revocation List, click Browse.
  2. Navigate to the CRL file (in the supported PEM format) on your network, and click Open.
  3. Click Save Settings. If the CRL is issued by a CA known to the system, it is accepted. A checkmark appears beside the revoked certificate.

Disabling and Enabling Default Certificate Authorities

The preloaded certificate authorities are enabled by default. You can disable them or re-enable them.

To disable default certificate authorities:

  1. Under Default Certificate Authorities, clear the Enable default Certificate Authorities checkbox.
  2. Click Save Settings.

To re-enable default certificate authorities:

  1. Under Default Certificate Authorities, click the Enable default Certificate Authorities checkbox.
  2. Click Save Settings.

Downloading Default Certificate Authorities

To download the default certificate authorities for viewing:

  1. Under Default Certificate Authorities, click Download.
  2. Browse to a location on the local computer for the file and click Save.

For More Information

For more information about certificate authorities, see "Managing Search for Controlled-Access Content," which is linked to the Google Search Appliance help center.


 
© Google Inc.