How to use any client certificate as an Administrator in another KCA installation?
Originally Published: 2001-07-06
Issue
There are two Keon CA installations on two different machines, say KCA-A and KCA-B. KCA-A issued a client certificate. This client certificate needs to be configured as an administrator for KCA-B.
Resolution
1. Create and issue a certificate from KCA-A.
2. On KCA-B, from the 'CA Operations' workbench, click on 'Trust CA certificate' in the Navigation Area under the 'External CAs' section.
3. Enter the 'CA Nickname', 'Host name' and 'Port' (if this is a non-RSA CA, the port must point to LDAP and not to SSL-LDAP), and enable 'Non-RSA Security CA'. Lastly, paste the PEM of the CA into the specified text area (including header and footer), then click the 'Trust this CA' button. If the configuration is correct, the system will display a "#" sign beside the CA Nickname in the Navigation Area.
4. Restart KCA-B.
5. On KCA-A, generate a CRL for the trusted CA. (From 'CA Operations', view the trusted CA and click on the 'Generate CRL' button at the bottom of the page.) Copy the CRL PEM, including the header and footer.
6. On KCA-B, from 'CA Operations', view the trusted CA. Using the vertical scroll bar, search for and click the 'Import' button under the 'CRL Operations:' section.
7. On the 'Manually Import a CRL:' screen, paste the CRL PEM (from step 5) into the text area and click 'Import this CRL'. If the import is successful, the system will display the message "CRL import successful".
8. Click on 'System Configuration'. Click on the "/ca/" ACL object. Add a new rule with the MD5 hash of the certificate created in step 1. To do that, click the "+" sign beside the 'Rules' box. For 'Access granted by this rule:' choose 'Read'. Under the Graphical Rule Editor, select "Client", then select "CA's MD5 digest" and choose "is". Lastly, paste the MD5 into the last field. Click "Commit rule changes", then click the "Save ACL..." button.
9. Add a new rule for the "/inst-forms/" ACL object using the same MD5 value.
10. You will now be able to connect to the KCA-B administrative interface using the certificate created in step 1.
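The following is an added example, not part of the original article or of Keon CA: a pre-flight check for the PEM text pasted in steps 3, 5 and 7 (header and footer present, clean base64) and a way to compute the MD5 value for step 8. The function names are hypothetical, the sample bytes are constructed, and it assumes the ACL field takes the MD5 of the certificate's DER encoding written as hex.

```python
import base64
import hashlib
import re

# PEM framing: BEGIN and END lines whose labels must match.
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)

def to_pem(label, der):
    """Wrap raw bytes in PEM framing (used here to build constructed samples)."""
    body = base64.encodebytes(der).decode().strip()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def single_block(text, label):
    """Return the DER bytes of the one complete PEM block of type `label`."""
    blocks = PEM_RE.findall(text)
    if len(blocks) != 1 or blocks[0][0] != label:
        raise ValueError(f"expected exactly one complete {label} block")
    # validate=True rejects stray characters introduced by a bad copy/paste.
    return base64.b64decode("".join(blocks[0][1].split()), validate=True)

def check_crl_paste(text):
    """Steps 5-7: the pasted CRL must carry its header and footer."""
    return len(single_block(text, "X509 CRL"))

def cert_md5(text, sep=""):
    """Step 8: MD5 over the certificate's DER bytes, as lowercase hex.
    Assumption: the ACL field takes this digest; `sep` adapts the format."""
    der = single_block(text, "CERTIFICATE")
    # usedforsecurity=False keeps this working on FIPS-restricted builds.
    digest = hashlib.md5(der, usedforsecurity=False).hexdigest()
    return sep.join(digest[i:i + 2] for i in range(0, len(digest), 2))

if __name__ == "__main__":
    # Constructed sample bytes, not a real certificate or CRL.
    cert = to_pem("CERTIFICATE", b"abc")
    crl = to_pem("X509 CRL", b"constructed CRL bytes")
    print("MD5 for ACL rule:", cert_md5(cert), "/", cert_md5(cert, ":"))
    print("CRL bytes:", check_crl_paste(crl))
    try:
        cert_md5(cert.split("-----END")[0])  # footer lost while copying
    except ValueError as err:
        print("rejected:", err)
```

Compare the computed digest with the value shown for the certificate on KCA-A before committing the rule, since a mismatched digest means the rule will not match the certificate from step 1.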