Tectia Client and Tectia ConnectSecure need to be separately configured to authenticate server hosts using host certificates. The authentication settings can be configured in Configurations → Edit Configurations → Tectia → Client under the PKI page.
The following settings need to be configured:
The list of trusted CA certificates. These are used to check the validity of host certificates.
If the Tectia Manager Internal CA is used, the trusted CA certificate is the only required setting: select Internal Root CA as the CA certificate.
The LDAP servers used to retrieve CRLs and subordinate CA certificates in a CA hierarchy. These are needed only if the host certificates themselves do not contain valid Authority Info Access and/or CRL Distribution Point extensions from which the client can fetch this information.
If OCSP should be used instead of CRLs and the host certificates themselves do not contain the information, the default OCSP responder URL should be configured.
If CRL checking is disabled, the LDAP server and OCSP responder URLs do not need to be configured. Note that with CRL checking disabled the client does not check revocation at all, so a host certificate that the CA has revoked is still accepted; CRL checking should be disabled for testing purposes only.
Activating the settings requires assigning the configuration to the appropriate hosts and redeploying the configurations.
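As an added example (not part of this page or of Tectia's own documentation), the settings above as they look in the cert-validation element of Tectia Client's ssh-broker-config.xml, which is the file the client reads once the configuration has been deployed. The first fragment is the testing-only form with CRL checking disabled; the second is the production form with LDAP CRL retrieval, an OCSP responder and CRL checking enabled. The CA name exa-ca1, the certificate file path, the LDAP server address and the OCSP URL are placeholders (assumptions), and the Internal Root CA case is handled the same way with the Manager-distributed CA certificate file in place of exa-ca1.crt.

```xml
<!-- Added example, not from the original page. Placeholders (assumptions):
     exa-ca1, /etc/ssh2/exa-ca1.crt, ldap.example.com, ocsp.example.com -->

<!-- 1. Testing only: CRL checking disabled for this CA. Revocation is not
        checked, so a revoked host certificate issued by exa-ca1 is still
        accepted. No ldap-server or ocsp-responder entries are needed. -->
<cert-validation>
  <ca-certificate name="exa-ca1"
                  file="/etc/ssh2/exa-ca1.crt"
                  disable-crls="yes" />
</cert-validation>

<!-- 2. Production: CRL checking enabled (disable-crls="no"). The ldap-server
        entry is used to fetch CRLs and subordinate CA certificates, and the
        ocsp-responder entry is the default responder; both are needed only
        when the host certificates carry no usable Authority Info Access or
        CRL Distribution Point extensions. -->
<cert-validation>
  <ldap-server address="ldap.example.com" port="389" />
  <ocsp-responder url="http://ocsp.example.com:8090" />
  <ca-certificate name="exa-ca1"
                  file="/etc/ssh2/exa-ca1.crt"
                  disable-crls="no" />
</cert-validation>
```

When checking a deployed configuration, the value of disable-crls on each ca-certificate is the setting to look at: "yes" on any trusted CA means host certificates chaining to that CA are never checked for revocation.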