IBM i Global

  • 1.  Digital Certificate Manager CA Trust List

    Posted Fri August 04, 2023 02:43 PM

    This is for 7.5. I have a client application set up in the DCM. No client certificates are assigned. I have the required CA cert in the system store and enabled. When I have "Define the CA Trust List" set to No, everything works fine. But when I have it set to Yes and add the CA to the trust list, I get a failure that the certificate is not signed by a trusted certificate authority. I know I am using the correct CA because when I set "Define the CA Trust List" back to No and disable the CA in the system store, it fails. So my question is: is a client certificate required in order to define a CA trust list? If I do assign a client certificate it still does not work, so I guess I am just lost on when to use this feature.



    ------------------------------
    Zachary Johnson
    ------------------------------


  • 2.  RE: Digital Certificate Manager CA Trust List

    Posted Fri August 04, 2023 10:08 PM
    Edited by Satid Singkorapoom Sat August 05, 2023 07:55 AM

    Dear Zachary

    IIRC, you can add only root certificate(s) to a CA trust list, not the client/server ones. This means that you need to import the client/server certificate that comes WITH its ROOT certificate (from which the client/server certificate is derived). You can check whether a client/server certificate comes with its root certificate using the Windows certificate viewer.

    An example of a public root CA in a Windows interface.

    I also have a faint memory that you should also see the associated root certificate in the *SYSTEM store after you import the client certificate that comes with the root one. Please check whether you see one (but you may need to be told the root certificate's name to recognize it). If you do not see the root one, then you cannot use the CA Trust List. Since you mention your application already works without a CA Trust List, you can decide whether you really need one. If so, ask for a new certificate that comes with its root certificate.

    Defining a CA trust list for an application: https://www.ibm.com/docs/en/i/7.5?topic=authentication-optional-defining-ca-trust-list-application

    ------------------------------
    Education is not the learning of facts but the training of the mind to think. -- Albert Einstein
    ------------------------------
    Satid S.
    ------------------------------



  • 3.  RE: Digital Certificate Manager CA Trust List

    Posted Mon August 07, 2023 01:20 AM

    I just recalled another possibility. A few months back, I encountered a failed TLS-enabled connection. When I validated the CA involved in DCM, the validation was successful. Then I tried the connection again and it worked.

    If you are sure you selected the correct root certificate (Certificate Authority, as seen from DCM) for the CA Trust List, please validate the CA to see whether it can be validated without any issue.



    ------------------------------
    Education is not the learning of facts but the training of the mind to think. -- Albert Einstein.
    ------------------------------
    Satid S.
    ------------------------------



  • 4.  RE: Digital Certificate Manager CA Trust List

    Posted Mon August 07, 2023 02:09 PM
    Edited by Thom Haze Mon August 07, 2023 02:17 PM

    Hi Zachary.
    It seems you correctly understand the process of defining the CA as trusted and enabled in the DCM application.
    The reason you would use this feature is when you want your client application to ensure it is not being spoofed by some other server that is sending a certificate during the TLS handshake. With the CA Trust List enabled and only the expected CA certificates defined in that trust list, the system will ensure that the certificate received from the server during the TLS handshake is issued by one of the CAs in your list.

    Note that if you are only adding the Root CA certificate, you might be seeing a failure to validate because an intermediate CA is also needed in that CA trust list.
    In the example posted by Satid, there is a "VeriSign" Root CA which issued the intermediate CA certificate named "Verisign Class 3 Extended Validation SSL SGC CA". That intermediate CA issued the "mail.live.com" certificate. If the client application received the "mail.live.com" certificate during the TLS handshake, then you would need both the VeriSign Root and Intermediate CA in the CA trust list in order to correctly validate the certificate.

    You only need to assign a client certificate to the application when the server and client are using mutual authentication. It's very normal for a client to validate the certificate received from the server. But sometimes a server application might be defined to only allow specific clients to connect to the server. It can check that the correct client is connecting by requesting that the client send a certificate during the handshake, and the certificate assigned to the client application is what would be sent.

    ------------------------------
    Thom Haze
    ------------------------------
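    As an added illustration of Thom's point about the intermediate CA (this is not code from the thread or from DCM; it uses Go's standard crypto/x509 verifier, whose behaviour stands in for the trust-list check), the program below builds a constructed root -> intermediate -> server chain in memory and validates the server certificate against a trust list holding the root alone and then the root plus the intermediate. All CA names and the mail.example.test hostname are made up for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeCert issues a certificate for cn signed by parent; a nil parent yields a self-signed root.
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{ // constructed demo values; a clock-based serial is enough here
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// chainValid plays the client with a CA trust list: the certificate the server sent must chain to a listed CA.
func chainValid(serverCert *x509.Certificate, trustList ...*x509.Certificate) bool {
	roots := x509.NewCertPool()
	for _, ca := range trustList {
		roots.AddCert(ca)
	}
	_, err := serverCert.Verify(x509.VerifyOptions{Roots: roots})
	return err == nil
}

// RunScenarios builds a constructed root -> intermediate -> server chain and reports which trust lists validate it.
func RunScenarios() map[string]bool {
	root, rootKey := makeCert("Example Root CA", true, nil, nil)
	inter, interKey := makeCert("Example Class 3 Intermediate CA", true, root, rootKey)
	server, _ := makeCert("mail.example.test", false, inter, interKey)
	return map[string]bool{
		"root only":             chainValid(server, root),        // fails: the server sent only its own cert
		"root and intermediate": chainValid(server, root, inter), // validates
	}
}
```

The "root only" case reproduces the "not signed by a trusted certificate authority" outcome when the server presents just its own certificate; adding the intermediate to the list makes the chain complete.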