In all PKI setups, at least one trusted CA certificate has to be distributed to the managed environment. This may be the root CA certificate of the PKI, but there are often separate subordinate CAs, or even separate PKIs, for services and for individuals, because their CA policy requirements differ. A CA that issues host certificates for SSH Tectia Servers or web servers could, for example, publish a certificate revocation list (CRL) once a day, whereas a CA issuing certificates for users could publish a CRL once an hour - or provide an OCSP (Online Certificate Status Protocol) responder service, so that revocation status is reflected immediately in the environment.
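The following script is an added example, not part of the SSH Tectia documentation or product: it builds a throwaway PKI with the openssl command-line tool to show what the CRL publication interval means for a relying party. The CA name, the host name and the one-day CRL lifetime are constructed for the demonstration, and the script assumes an openssl binary is on the PATH.

```shell
#!/bin/sh
# Added example (not from the SSH Tectia documentation): a throwaway PKI built
# with the openssl CLI to show why the CRL publication interval matters.
# A relying party that trusts the CA certificate sees a revocation only once
# the CA has published a CRL that lists it. CA name and host name are constructed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal configuration for "openssl ca" and "openssl req".
cat > ca.cnf <<'EOF'
[ ca ]
default_ca           = demo_ca
[ demo_ca ]
dir                  = .
database             = $dir/index.txt
new_certs_dir        = $dir
certificate          = $dir/ca.crt
private_key          = $dir/ca.key
serial               = $dir/serial
crlnumber            = $dir/crlnumber
default_md           = sha256
default_days         = 365
default_crl_days     = 1
policy               = policy_cn
[ policy_cn ]
commonName           = supplied
[ req ]
distinguished_name   = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
touch index.txt
echo 01 > serial
echo 01 > crlnumber

# The trusted CA certificate that would be distributed to the managed hosts.
openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout ca.key -out ca.crt -subj "/CN=Demo Root CA" -days 365 >/dev/null 2>&1

# Enroll one host certificate (constructed host name).
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -keyout host.key -out host.csr -subj "/CN=host.example.test" >/dev/null 2>&1
openssl ca -batch -config ca.cnf -in host.csr -out host.crt -notext >/dev/null 2>&1

# status_with_crl CRL_FILE: validate host.crt against the trusted CA plus the
# given CRL, the way a relying party configured with a CRL access point would.
# Prints "valid", "revoked" or "error: ...".
status_with_crl() {
    cat ca.crt "$1" > trust.pem
    out=$(openssl verify -crl_check -CAfile trust.pem host.crt 2>&1) && { echo valid; return 0; }
    case "$out" in
        *revoked*) echo revoked ;;
        *)         echo "error: $out" ;;
    esac
}

# crl_next_update CRL_FILE: the time by which relying parties must fetch a newer CRL.
crl_next_update() {
    openssl crl -in "$1" -noout -nextupdate | sed 's/^nextUpdate=//'
}

# 1. The CA publishes its CRL (once a day, say). The host certificate is fine.
openssl ca -config ca.cnf -gencrl -out crl-published.pem >/dev/null 2>&1

# 2. The CA revokes the host certificate, but relying parties still hold the
#    CRL from step 1: they keep accepting the certificate until the next
#    publication. This is the window an OCSP responder closes.
openssl ca -config ca.cnf -revoke host.crt >/dev/null 2>&1

# 3. The CA publishes a fresh CRL; the revocation is now visible.
openssl ca -config ca.cnf -gencrl -out crl-fresh.pem >/dev/null 2>&1

echo "with the CRL published before revocation: $(status_with_crl crl-published.pem)"
echo "with the CRL published after revocation:  $(status_with_crl crl-fresh.pem)"
echo "fresh CRL is valid until: $(crl_next_update crl-fresh.pem)"
```

The stale CRL still reports the revoked certificate as valid, which is exactly the exposure that a short publication interval, or an OCSP responder answering per-certificate queries, is meant to limit. The nextUpdate value is the deadline by which every relying party must have fetched a newer CRL; a CRL access point that cannot be reached before then turns into a validation failure (or, worse, a silently stale cache) on every host that trusts that CA.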
SSH Tectia Manager eases the deployment and maintenance of the trusted CA certificate(s) in large SSH Tectia environments. PKI-related configurations for third-party applications are performed by the PKI setup and the applications themselves.
In some PKI setups, all the required configuration information is carried in the issued certificate, and load balancing is embedded in the CA hierarchy/policy and the validation access points. In such a scenario, SSH Tectia Manager only needs to ensure the integrity of the certificate validation setup for both user and server certificate authentication, and to provide easy certificate enrollment and life-cycle management for SSH Tectia Servers.
In other PKI scenarios, several supporting options have to be configured in the client/server applications themselves, in addition to the validation access point settings. SSH Tectia Manager will help to maintain configuration consistency and ease the deployment in the event of changes.
The preconfigured internal PKI setup in SSH Tectia Manager, with an HTTP CRL, is ready to be used for server certificate enrollment and authentication. SSH Tectia Manager lets you create separate certificate authentication configuration sets that are assigned independently of the general SSH Tectia software configurations. The sections below give examples of such configuration sets.