PingAccess

Creating trusted certificate groups

Create a new trusted certificate group.

Steps

  1. Click Security and then go to Certificates → Trusted Certificate Groups.

  2. Click Add Trusted Certificate Group.

  3. Drag a certificate into the box that appears.

  4. In the Name field, enter a name for the group.

  5. To set the new group to include the Java Trust Store group, select the Use Java Trust Store check box.

    Select this option if you create your own intermediate certificate authority (CA) certificate that is signed by a well-known CA in the Java Trust Store.

  6. To allow PingAccess to ignore date-related errors for certificates that are not yet valid or have expired, select the Skip certificate date check check box.

  7. To check the client certificate revocation status using certificate revocation list (CRL), select the CRL checking check box.

  8. To check the client certificate revocation status using Online Certificate Status Protocol (OCSP), select the OCSP check box.

    If both certificate revocation list (CRL) checking and Online Certificate Status Protocol (OCSP) are enabled, OCSP checking is used preferentially, and CRL checking is used if OCSP fails.

  9. To deny access when any certificate in the certificate chain cannot be verified using its CRL endpoint, select the Deny when unable to determine revocation status check box.

  10. To validate client certificate chains that are not in the standard order, such as a reversed certificate chain of [root, intermediate, leaf], select the Validate disordered certificate chains check box.

  11. To skip validation of any CA certificates configured in the trusted certificate group and their subsequent chain of issuers when trusted CA certificates are found in the client certificate chain, select the Bypass trust anchor validation check box.

  12. Click Add.

  13. Optional: Add additional certificates to the new trusted certificate group by dragging them into the group.

    PingAccess has increased WARN logging during the certificate revocation check. You can adjust the log level using the AsyncLogger in log4j2.xml (search for "Certificate Revocation").

    A commented out JAVA_SECURITY_OPTS line is shipped as part of the run.sh and run.bat scripts.

    Uncommenting the JAVA_SECURITY_OPTS line enables extra java security logging/debugging for the PKIX CertPathValidator and CertPathBuilder implementations. You can use the ocsp option with the certpath option for OCSP protocol tracing.