A trusted SSL certificate is required for Workspace ONE Access connector servers that have the Kerberos Auth service installed. For the Kerberos Auth service, the connection is inbound and end users establish SSL connections to the connector.
Requirements for the trusted SSL certificate for the Kerberos Auth service include:
- The certificate must be in either PEM or PFX format.
- If the certificate is a PEM file, you must also upload the private key.
- The certificate key length must be from 1024-4096 bits.
- Make sure that the certificate file contains the entire certificate chain in the correct order.
- The certificate must be signed by a public or internal CA.
- If you deploy multiple instances of the Kerberos Auth service to set up high availability for Kerberos authentication, a load balancer is required in front of the instances. In this case, the load balancer as well as all the connector instances must have trusted SSL certificates signed by a public or internal CA. For the load balancer certificate, use the Workspace IdP Hostname, which is set in the Workspace IdP configuration page, as the Subject DN Common Name. For each connector instance certificate, use the connector host name as the Subject DN Common Name. Alternatively, you can create a single certificate, using the Workspace Idp host name as the Subject DN Common Name, and all the connector host names as well as the Workspace Idp host name as Subject Alternative Names (SANs).
Note: If you did not upload a trusted SSL certificate during installation, a self-signed certificate was auto-generated. If you want to use this Workspace ONE Access generated self-signed certificate, you will need to add the root certificate generated by Workspace ONE Access to clients' truststores. You can get the root certificate,
root_ca.per, from
INSTALLDIR\Workspace ONE Access\Kerberos Auth Service\conf.
While you can use the self-signed certificate for testing purposes, for production usage we recommend you use trusted SSL certificates signed by a public or internal CA.
Prerequisites
Obtain a trusted SSL certificate signed by a public or internal Certificate Authority (CA).