Admin Console Help
Administration > Certificate Authorities
Use the Administration > Certificate Authorities page to specify which certificates the Google Search Appliance can trust. A certificate confirms the identity of the search appliance for secure network communications. By using this page, you can perform the following tasks:
Before Starting this Task
Before specifying certificates for the search appliance, complete the tasks shown in the following table.
Configuring Certificates
The search appliance uses certificate authority (CA) certificates for four purposes:
Also, you may need to import certificate authorities when you are creating a forms authentication rule if the root CA that signed the certificates is not already installed on the search appliance.
Current Certificate Authority Certificates
Active CA certificates that the search appliance trusts are listed in the Current Certificate Authorities area. You can add a Certificate Authority without adding a Certificate Revocation List (CRL). The CRL contains a list of serial numbers of revoked, but unexpired, certificates. If the CA certificate has been revoked by a CRL, a checkmark appears next to the CA certificate in the list, and any server that uses that certificate will fail authentication.
The search appliance supports CA certificates and CRL files in PEM format.
When installing certificates, ensure that your certificate chain is properly installed. The following two examples show valid certificate chains.
Example certificate chain 1: Server certificate
Example certificate chain 2: Server certificate
When a CA certificate is revoked:
Using Default Certificate Authorities
By default, the search appliance uses its own store of preloaded certificate authorities. These default certificate authorities are used by most browsers. By using these default certificate authorities, the search appliance trusts the same servers that browsers trust. As a search appliance administrator, you have the following options:
By using the options in the Default Certificate Authorities area of this page, you can disable or re-enable default certificate authorities. You can also download the default certificate authorities for viewing.
Uploading a CA Certificate
The search appliance will trust any certificate for which it can build a chain to an imported certificate. Consider inheritance carefully when choosing which certificates to upload for the search appliance to trust; certificates higher in the chain grant broader trust.
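A pre-upload check for the PEM requirement stated earlier on this page, as an added example (not Google's code and not part of the original help page). It inspects only the container: block labels, base64, and the outer DER length; it does not verify signatures or chains. The function names and the sample bytes are constructed for illustration.

```python
import base64
import binascii
import re

# PEM labels for the two file types the page says the appliance accepts.
ACCEPTED = {"CERTIFICATE": "certificate", "X509 CRL": "crl"}
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

# Constructed sample bytes: a minimal DER SEQUENCE, not a real certificate.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])

def pem(label: str, der: bytes) -> str:
    """Wrap DER bytes in a PEM block (used to build the constructed samples)."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

def is_one_der_sequence(der: bytes) -> bool:
    """True if der is exactly one ASN.1 SEQUENCE whose length field matches."""
    if len(der) < 2 or der[0] != 0x30 or der[1] == 0x80:
        return False
    n = der[1] & 0x7F if der[1] & 0x80 else 0   # number of long-form length bytes
    length = int.from_bytes(der[2:2 + n], "big") if n else der[1]
    return 2 + n + length == len(der)

def check_pem_upload(text: str):
    """Return (accepted_kinds, problems) for a file about to be uploaded."""
    kinds, problems = [], []
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        problems.append("no PEM blocks found (binary DER file?)")
    for label, body in blocks:
        if label not in ACCEPTED:               # e.g. a private key left in a bundle
            problems.append(f"unexpected block type: {label}")
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            problems.append(f"{label}: body is not valid base64")
            continue
        if is_one_der_sequence(der):
            kinds.append(ACCEPTED[label])
        else:
            problems.append(f"{label}: truncated or malformed DER")
    return kinds, problems

if __name__ == "__main__":
    print(check_pem_upload(pem("CERTIFICATE", SAMPLE_DER) + pem("RSA PRIVATE KEY", SAMPLE_DER)))
```

A file that reports any problem, in particular a private key block, should be corrected before it is uploaded to the trust store.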
Note that if you upload a CA certificate while Enable default Certificate Authorities is checked, the uploaded certificate is not displayed in the Admin Console. The uploaded CA certificate is displayed only when Enable default Certificate Authorities is not checked.
To upload a CA certificate from your network:
Uploading a Certificate Revocation List
To upload a CRL from your network for a CA certificate:
Disabling and Enabling Default Certificate Authorities
The preloaded certificate authorities are enabled by default. You can disable them or re-enable them.
To disable default certificate authorities:
To re-enable default certificate authorities:
Downloading Default Certificate Authorities
To download the default certificate authorities for viewing:
For More Information
For more information about certificate authorities, see "Managing Search for Controlled-Access Content," which is linked to the Google Search Appliance help center.
© Google Inc.