Novell Access Manager 3.1 SP1 Administration Console Guide (19 February 2010)

6 Select one of the certificates in the list.

You are prompted to choose either a server certificate or a root CA certificate. To trust one certificate, choose Server Certificate. Choose Root CA Certificate to trust any certificate signed by that certificate authority.

7 Specify an alias, then click OK.

You use the alias to identify the certificate in Access Manager.

8 On the User Store page, click OK.

9 Restart the Identity Server.

3.3.2 Replacing Identity Server SSL Certificates

This procedure allows you to replace a trusted root certificate that is stored in the trust store assigned to the Identity Server. You must create an SSL certificate for the Identity Server and then replace the predefined test-connector certificate that comes with Access Manager. You can also replace the test-provider and test-consumer certificates in the NIDP-provider and NIDP-consumer keystores. The steps for replacing the signing, encryption, provider, and consumer certificates are similar.

You can also add the trusted roots to the trust stores used by the Identity Server, or auto-import them from a server. The NIDP trust store is the certificate container for CA certificates associated with the Identity Server.

You can also access the OCSP trust store to add OCSP server certificates. Online Certificate Status Protocol is a method used for checking the revocation status of a certificate. For this feature, you must set up an OCSP server. The Identity Server sends an OCSP request to the OCSP server to determine if a certain certificate has been revoked. The OCSP server replies with the revocation status. If this revocation checking protocol is used, the Identity Server does not cache or store the information in the reply, but sends a request every time it needs to check the revocation status of a