About Selecting a Certificate Authority
The following options are available when choosing a certificate authority (CA):
- Trusted Root Certificate Authority. These are external companies that are inherently trusted by various operating systems and browsers, such as Symantec or GeoTrust. This is the preferred option because most components, including end-user browsers, will trust a certificate issued by a Trusted Root CA without requiring special action. This is a required approach for any environment that will be Internet-facing, such as a customer or partner portal.
- For environments that are specifically internal, you can use an existing internal CA to issue a certificate. In this scenario, machines within the corporate network will typically already be configured to trust the internal CA, and therefore a certificate issued by that CA to servers running Siebel CRM will inherently be trusted by internal clients.
  Note: You cannot use this method for Internet-facing environments. External computers and other devices will not trust the certificate and will therefore throw security warnings when a user accesses the Siebel CRM environment. This method is sufficient only for specifically internal production environments and for development environments, such as test or training environments.
- When no internal CA is available and it is not feasible to obtain a certificate from an external Trusted Root Certificate Authority, you can create your own CA. However, anyone who accesses this environment will receive certificate security errors unless they manually import the root certificate for your CA. We recommend that you consider this method only when no other options are possible, and that you use it only for development and test environments.
After selecting a CA, submit your certificate request and the CA will issue an actual certificate.
The CA provides the specific information required to make the certificate request. An important consideration during this process is how you select Subject Alternative Names (SANs). These allow multiple machines to use the same SSL certificate. For example, if you want to install Siebel CRM components on five servers: server1.mycompany.com, server2.mycompany.com, server3.mycompany.com, and so on, you can create a single certificate request on any machine, providing all five machine names to the CA as SANs. You can then install the resulting certificate on all of your servers. It is also possible to request a wildcard certificate, for example, *.mycompany.com, which can be used on all servers.
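The following added example (not part of the original documentation) shows one way to build the single multi-SAN request described above and to confirm which names it carries before it is submitted. It assumes OpenSSL is the request tool; the function names and file names are hypothetical, and the CA's own instructions take precedence.

```shell
#!/bin/sh
# Added example: one CSR that lists every Siebel host as a SAN.
# Assumption: OpenSSL is available; function names are hypothetical.

# Write an OpenSSL request config whose SAN list is the given hostnames.
# Usage: write_csr_config <outfile> <common-name> <host>...
write_csr_config() {
    out=$1; cn=$2; shift 2
    {
        printf '[req]\nprompt = no\n'
        printf 'distinguished_name = dn\nreq_extensions = ext\n\n'
        printf '[dn]\nCN = %s\n\n' "$cn"
        printf '[ext]\nsubjectAltName = @sans\n\n[sans]\n'
        i=1
        for h in "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$h"
            i=$((i + 1))
        done
    } > "$out"
}

# Generate a new private key and a CSR from that config.
# Usage: make_csr <config> <keyfile> <csrfile>
make_csr() {
    (
        umask 077   # keep the private key unreadable by group and others
        openssl req -new -newkey rsa:2048 -nodes \
            -config "$1" -keyout "$2" -out "$3"
    )
}

# Print the DNS SANs actually present in a CSR, one per line, so they can
# be compared with the intended server list before submission to the CA.
# Usage: csr_sans <csrfile>
csr_sans() {
    openssl req -in "$1" -noout -text |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Typical use (hostnames constructed from the page's server1..server5 pattern):
#   write_csr_config req.cnf server1.mycompany.com \
#       server1.mycompany.com server2.mycompany.com server3.mycompany.com \
#       server4.mycompany.com server5.mycompany.com
#   make_csr req.cnf siebel.key siebel.csr
#   csr_sans siebel.csr
# A wildcard request would pass '*.mycompany.com' as the only host.
```

The private key written by `make_csr` has to be copied to every server that uses the certificate, so protect it in transit and at rest on each machine.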