Certificates
- A user can only have one certificate assigned. If this user certificate is stored on a token, then users can only log on to their endpoint using this token (cryptographic token - Kerberos).
- Note that, when importing a user certificate, the certificate's public and private sections are both imported. If only the public part is imported, only token authentication is supported.
- The combination of CA certificates and CRL (Certificate Revocation List) must match. Otherwise users cannot log on to the respective endpoints. Please check that the combination is correct. SafeGuard Enterprise does not carry out this check!
- If Certification Authority (CA) certificates are deleted in the database and you do not wish to use them again, you should remove these certificates manually from the local store of all administrator computers.
SafeGuard Enterprise can then only communicate with expired certificates if old and new keys are present on the same token.
- CA certificates cannot be obtained from a token and stored in the database or certificate store. If you use CA certificates, they need to be available as files, not just on a token. The same applies to CRLs.
Certificates generated by SafeGuard Enterprise are signed with SHA-1 or SHA-256 for verification. SHA-256 provides enhanced security and is used by default with first-time installations. If SafeGuard Enterprise 6 or earlier endpoints still need to be managed or when upgrading from a previous version, SHA-1 is used by default.
- Certificates provided by the customer and imported into SafeGuard Enterprise are currently not verified according to RFC 3280. For example, we do not prevent using signature certificates for encryption purposes.
- The logon certificates for security officers must be located in the “MY” certificate store.
The Assigned Certificates list in Keys and Certificates only shows the certificates assigned to objects for which you have Read only or Full access rights. The Certificate view indicates the number of all available certificates, regardless of your access rights. The Assigned Certificates list shows the number of certificates available according to your access rights.
To modify certificates, you need Full access rights to the container the user resides in.
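
Because SafeGuard Enterprise does not check that CA certificates and CRLs match, the following added example (not part of the original documentation or the product) shows one way to verify beforehand that a CRL file was signed by a given CA certificate file. It assumes the OpenSSL command-line tool is available; `crl_matches_ca` and `make_demo_ca` are hypothetical helper names, and the demo CA and CRL are constructed test data.

```shell
#!/bin/sh
# Added example: check that a CRL file was signed by a given CA certificate file.

# crl_matches_ca CA_FILE CRL_FILE [PEM|DER]
# Returns 0 only if the CRL signature verifies against the CA certificate.
# openssl prints the verdict on stderr and can exit 0 even on "verify failure",
# so the decision is taken from the message text, not the exit code.
crl_matches_ca() {
    ca_file=$1; crl_file=$2; crl_form=${3:-PEM}
    openssl crl -inform "$crl_form" -in "$crl_file" -CAfile "$ca_file" -noout 2>&1 \
        | grep -q '^verify OK'
}

# make_demo_ca DIR NAME: build a throwaway CA and an empty CRL (constructed test data).
make_demo_ca() {
    dir=$1; name=$2
    mkdir -p "$dir" && : > "$dir/index.txt" && echo 01 > "$dir/crlnumber"
    cat > "$dir/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = $name
[ ca ]
default_ca = demo
[ demo ]
database = $dir/index.txt
crlnumber = $dir/crlnumber
default_md = sha256
default_crl_days = 30
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null &&
    openssl ca -gencrl -config "$dir/ca.cnf" -cert "$dir/ca.pem" \
        -keyfile "$dir/ca.key" -out "$dir/ca.crl" 2>/dev/null
}

# Usage: sh check_crl.sh ca.pem ca.crl [PEM|DER]
if [ "$#" -ge 2 ]; then
    crl_matches_ca "$@" && echo "CRL matches CA" || { echo "CRL does NOT match CA"; exit 1; }
fi
```

The check covers only the issuer and signature match between the two files; it does not evaluate the CRL's validity period.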
