Configuring Multi-Person Control

You can configure the Management Console to require sponsorship by more than one authorized person before an issuer certificate is trusted or a new Management Console user account is enabled.

Multi-Person Control can be used in Delegated Path Validation (DPV) applications to prevent new issuer certificates from being trusted until they have been sponsored by multiple authorized persons.

The ability to sponsor an issuer certificate or a Management Console user account is restricted to user accounts that have the administrator role. For details on how to use the Multi-Person Control feature, refer to Administrator Operations - User Accounts. The process to enable this feature is summarized as follows:

  1. Select the Multi-Person Control Required option.

  2. Click Next.

  3. After the Validation Authority Configuration is complete, log on to the Management Console admin account created by the Validation Authority Configuration utility. Then, add a user account with the administrator role for each person responsible for sponsoring issuer certificates and other user accounts. For details, refer to Create New User Account.

  4. Instruct individual users whose accounts include the administrator role to log on to their respective accounts, make any desired account updates (such as changing their password or configuring their account to require a certificate when logging on), and sponsor the other administrator accounts. For details, refer to Update an Existing Account and Sponsor a User Account.

    Important:

    After Multi-Person Control has been enabled, user accounts are inactive until they have the required number of sponsors. To prevent users from being locked out of the Management Console, make sure that all users with the administrator role have been sponsored by the desired minimum number of sponsors before you re-run the Validation Authority Configuration to enable Multi-Person Control.

    After Multi-Person Control is enabled, the Master Admin user cannot log on again. Use one of the new Administrator users created by the Master Admin to log on after Multi-Person Control has been enabled. For information about viewing the sponsorship status of user accounts, refer to View Sponsorship Details.

  5. Re-run the Validation Authority Configuration utility. When you reach the Multi-Person Control page, specify in the Required Sponsors field the minimum number of authorized sponsors that are required to sponsor issuer certificates or additional accounts. Then, click Next to enable Multi-Person Control.
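
The lockout condition described in the Important note can be checked on paper before step 5. The following Python sketch is an added example, not part of the product or its documentation: it models which administrator accounts would be inactive for a given Required Sponsors value. The account records, field names, and the "operator" role are constructed for illustration, and excluding self-sponsorship is an assumption.

```python
# Pre-flight check for the lockout caveat: which administrator accounts would
# be inactive once Multi-Person Control is enabled with a given threshold?
# The records below are CONSTRUCTED sample data; the field names and the
# "operator" role are hypothetical, not an export format of the product.

ACCOUNTS = {
    "alice": {"roles": {"administrator"}, "sponsors": {"bob", "carol"}},
    "bob":   {"roles": {"administrator"}, "sponsors": {"alice", "carol"}},
    "carol": {"roles": {"administrator"}, "sponsors": {"alice", "dave"}},
    "dave":  {"roles": {"operator"},      "sponsors": {"alice", "bob"}},
    "erin":  {"roles": {"administrator"}, "sponsors": {"erin", "alice"}},
}


def valid_sponsors(name, accounts):
    """Sponsors that count: known accounts holding the administrator role.
    Excluding self-sponsorship is an assumption of this example."""
    return {
        s for s in accounts[name]["sponsors"]
        if s != name
        and s in accounts
        and "administrator" in accounts[s]["roles"]
    }


def lockout_report(accounts, required_sponsors):
    """Return {admin account: sponsors still missing} for every
    administrator that would be inactive at the given threshold."""
    if required_sponsors < 1:
        raise ValueError("required_sponsors must be at least 1")
    report = {}
    for name, acct in sorted(accounts.items()):
        if "administrator" not in acct["roles"]:
            continue  # only administrator accounts are checked here
        missing = required_sponsors - len(valid_sponsors(name, accounts))
        if missing > 0:
            report[name] = missing
    return report


def safe_to_enable(accounts, required_sponsors):
    """True only when no administrator would be left inactive."""
    return not lockout_report(accounts, required_sponsors)


if __name__ == "__main__":
    for n in (1, 2):
        print(n, lockout_report(ACCOUNTS, n), safe_to_enable(ACCOUNTS, n))
```

With the sample data, a threshold of 2 leaves two administrators short by one sponsor each, because a sponsorship from a non-administrator account and a self-sponsorship are not counted.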