Privileged-User Types and Responsibilities
Chapter 13 Managing Privileged Users and Groups 375

Agent’s Certificate for SSL Client Authentication

To make a user an agent for a subsystem, one of the things you must do is store the user’s client (personal) certificate information in the internal database of the subsystem. For example, if you set up an agent for a Certificate Manager, you store the agent’s client certificate in the internal database of that Certificate Manager. Then, when the subsystem receives a request from the agent, it uses this certificate to verify the authenticity of the request before servicing it. For details on how the subsystem verifies the authenticity of a request from an agent, see “Authentication of Agents” on page 492.

If the user you want to set up as an agent does not own a client certificate, ask the user to get one. Depending on your company’s PKI policy, the user could get the client certificate from either an internally deployed CA or any public CA.

Keep in mind that the CA that signs your agents’ certificates must be trusted by the subsystem that processes requests sent by these agents; for example, if your subsystems are set up not to trust public CAs, your agents should not get their certificates signed by public CAs.
Make sure that the CA’s certificate exists in the subsystem’s certificate or trust database and that the certificate is valid and trusted. To check whether or not the CA’s certificate exists in a subsystem’s trust database, follow the instructions in “Viewing the Certificate Database Content” on page 482.

• If the CA’s certificate isn’t listed, follow the instructions in “Using the Wizard to Install a Certificate or Certificate Chain” on page 452 and add the certificate to the subsystem’s certificate database.

• If the CA’s certificate is listed but untrusted, follow the instructions in “Changing the Trust Settings of a CA Certificate” on page 485 and change the setting to trusted.

Getting an Agent’s Certificate from a Public CA

The following general guidelines explain how a user can get a client certificate from a public CA and how you can copy that certificate (in base-64 encoded form) to the internal database of the appropriate subsystem:

1. The user sends a client certificate request to the public CA from the client machine that he or she will use to access the subsystem from the Agent Services interface. It is important that the user generate and submit this request from the machine he or she will use later to access the subsystem, because part of this request process generates a private key on the local machine. Alternatively, if location independence is required, the user can use a hardware token, such as a smart card, to generate and store the key pair (and the certificate when the user receives it from the public CA).
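The trust-database check described earlier (CA listed and trusted, listed but untrusted, or not listed at all) can be scripted against a listing of the subsystem’s certificate database. This is an added example, not code from the CMS documentation; it assumes the subsystem’s certificate/trust database is an NSS database whose contents `certutil -L -d <dir>` prints, and the listing it parses below is constructed sample output, not a real database.

```shell
#!/bin/sh
# Added example (not from the CMS documentation). Assumes an NSS certificate
# database listed with `certutil -L -d <dir>`. SAMPLE_LISTING is constructed
# sample output in that format: nickname, then trust flags as SSL,S/MIME,JAR.
# In the SSL column, C = trusted to issue server certs, T = trusted to issue
# client certs (what agent SSL client authentication needs), u = user cert.
SAMPLE_LISTING='Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI

Internal Corp CA                             CT,C,C
Example Public CA                            ,,
Certificate Manager SSL Cert                 u,u,u'

# ca_status NICKNAME LISTING
# Prints one of:
#   trusted   - CA present and trusted to issue client certs (T in SSL column)
#   untrusted - CA present but not trusted for client auth: change trust settings
#   missing   - CA absent: install the certificate (or chain) first
ca_status() {
    nick=$1
    listing=$2
    # Exact-match the nickname after stripping the trailing trust-flag field,
    # so "Internal Corp CA" does not also match "Internal Corp CA 2".
    flags=$(printf '%s\n' "$listing" | awk -v n="$nick" '
        {
            line = $0
            sub(/[ \t]+[^ \t]+$/, "", line)
            if (line == n) { print $NF; found = 1 }
        }
        END { if (!found) print "MISSING" }')
    case $flags in
        MISSING) echo missing ;;
        *)
            ssl=${flags%%,*}          # first comma-separated field = SSL flags
            case $ssl in
                *T*) echo trusted ;;
                *)   echo untrusted ;;
            esac ;;
    esac
}

# Against a live database the listing would come from certutil instead, e.g.:
#   ca_status "Internal Corp CA" "$(certutil -L -d /path/to/subsystem/db)"
ca_status "Internal Corp CA" "$SAMPLE_LISTING"
ca_status "Example Public CA" "$SAMPLE_LISTING"
ca_status "Some Other CA" "$SAMPLE_LISTING"
```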