Request Certificates for a Cluster

Requesting certificates for a cluster differs from the process for a single appliance. To build certificate request for a cluster, create only one Certificate Signing Request from the first member of the Primary Site. Apply the certificate files to the first cluster member. Then download the private key, add it to the certificate, and apply the combined "Certificate with Private Key" to all other cluster members.
Request a Certificate from a Third Party
To create a certificate request for a cluster, use this process. For a single appliance, see Create a Self-Signed Certificate or a Certificate Signing Request. To implement a certificate from a Third Party, follow this workflow:
Request Certificates for Cluster
Create a Certificate Signing Request
Follow these steps to create a Certificate Signing Request (CSR):
  1. On the Create tab of the Certificates page, select the CSR option for Type. Enter information for the following fields. Do not use special characters.
    • Key Size: We recommend 2048 bits. 4096 bits is more secure, but it slows down TLS handshakes and increases processor load during handshakes.
    • Common Name: Enter the FQDN of the cluster Virtual IP address, such as capam.ca.com. This field maps to the CN field of the X.509 certificate.
    • Country: Enter the two-letter country code, such as US, FR, or JP. This field maps to the C value of the X.509 certificate.
    • State: Enter the optional State or Province, such as Illinois or Quebec. This field maps to the ST value of the X.509 certificate.
    • City: Enter the optional locality or city designation, such as Paris or Islandia. This field maps to the L value of the X.509 certificate.
    • Organization: Enter the organization, typically a company, for the certificate, such as "Acme Technologies". This field maps to the O value of the X.509 certificate.
    • Org. Unit: Enter the optional organizational unit name, typically a subdivision or location of the Organization, such as "Security BU". This field maps to the OU (Organizational Unit) value of the X.509 certificate.
    • Days: Days are used only for self-signed certificates.
    • Use Common Name for SAN: Because some browsers require a value in the Alternative Subject Names field, the Common Name is repeated there by default. Clear this checkbox so that you can add more names to that field.
    • Alternative Subject Names: Enter the FQDN and IP address for the VIP and every member of the cluster. Any hostname or short VIP name that is used to access the cluster should also be added. If more than one address is used to access the appliance, list FQDN and IP address aliases to the Common Name, one to a line. This list must include the Common Name. Do not add a newline (line feed) after the last entry. Refer to the X.509 Subject Alternative Name.
    • Filename: Create a name for the certificate. This file name is also the name of the private key that is generated. The name must exactly match the name of the certificate when uploaded. Include the creation or expiration date in the filename. For example, name it PAM-Cluster_exp2019-07-19.
  2. Select Create.
  3. On the Download tab, select the Filename of the CSR you created, which has a PEM (Privacy Enhanced Mail) extension.
  4. Select Download. Use this file to request a certificate from a third-party Certificate Authority (CA) such as Entrust. Users do not have to install root certificates because the third party validates the site.
  5. While still on the Download tab, select the Private Key from the Filename drop-down list. It is under the Private Keys heading, with the same name as the CSR but a KEY extension.
  6. Enter a Password and Confirm Password for encrypting the private key. Record this password for later use.
  7. Select Download. Save the Private Key to add it later to the received Certificate for the other cluster members.
  8. Obtain a new certificate using the downloaded CSR. Follow the instructions from your third-party Certificate Authority to receive a certificate.
Apply the Third-Party Certificate to the First Cluster Member
Once you receive the certificate from the Certificate Authority, apply it to the first member of the primary site of your cluster. The certificate might consist of several files. Follow these steps:
  1. Rename the certificate that is received from the third party if necessary. The file name should be the same as the one that was originally generated, but with a crt extension. For example, if the original PEM name was abc.pem, the uploaded file must be named abc.crt.
  2. On the cluster member that created the CSR, select the Upload tab. Select the certificate by using the Choose File button to find the certificate Filename.
  3. Select the appropriate Type, described as follows. If you receive multiple files from the CA, you upload them individually by type, in this order:
    • Use Certificate for the certificate that was requested by this appliance.
    • Do not use Certificate with Private Key. This option is used for every member except the first member of the primary site.
    • Use CA Bundles if a CA-chain certificate is provided by the CA.
    • Use Intermediate Certificate if an intermediate certificate is provided by the CA.
    • Use Certificate Revocation List if a CRL file is provided by the CA. After you upload the CRL, it appears on the Certificate Information page. If the CA uses an OCSP (Online Certificate Status Protocol) responder (server), you do not receive a CRL file. You should then select Use OCSP on the CRL Options tab.
  4. For Other Options, select the applicable format (X509 or PKCS) for the certificate.
  5. Use Destination Filename to change the filename of the certificate. This field can be left blank if the name stays the same.
  6. If the certificate requires it, enter the Passphrase, then re-enter it in Confirm.
  7. Stage the new certificate. If the cluster is on, stop it (Configuration, Clustering, Status, Turn Cluster Off). On the Set tab, select the certificate that is generated by the third-party CA.
  8. Select Verify to ensure that Privileged Access Manager accepts the certificate. Either a confirmation phrase or an error message is provided at the top of the page. If the cluster is on, stop it before applying the certificate (go to Configuration, Clustering, Status, Turn Cluster Off). Applying the certificate causes the appliance to reboot.
  9. After the verification, select Accept to stage the new certificate for activation. The appliance reboots.
  10. After the reboot, return to the Configuration, Security, Certificates page. On the Set tab, the System Certification field shows the newly activated certificate name.
Prepare the Certificate for Subsequent Cluster Members
The CSR is created only on the first member of the cluster, using the VIP as its Common Name. The resulting CA-issued certificate can be used on every cluster member. However, the other cluster members do not have the Private Key that was generated on the first member. Create this combined file once and use it with all subsequent cluster members.
Combine the KEY file that you downloaded from the first cluster member and the received CRT file into a new PEM file. Use the cat command on a Linux computer for best results. For example:
cat pamcluster.key pamcluster.crt > pamcluster.pem
The resulting file consists of the encrypted private key block (from -----BEGIN RSA PRIVATE KEY----- through -----END RSA PRIVATE KEY-----, including its Proc-Type and DEK-Info header lines) followed directly by the certificate block (from -----BEGIN CERTIFICATE----- through -----END CERTIFICATE-----).
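The SAN rules under Create a Certificate Signing Request and the combined key+certificate file above are easy to get wrong by hand. As an added example that is not part of the product documentation, this Python script checks both: it builds the Alternative Subject Names value for a cluster and validates the shape of the file produced by cat before it is uploaded as Certificate with Private Key. All hostnames, addresses and PEM bodies in it are constructed.

```python
# Added example, not from the PAM documentation. Hostnames, addresses and PEM
# bodies used with these functions are constructed for illustration.
import re


def build_san_list(common_name, vip_ip, members):
    """Text for the "Alternative Subject Names" field: one entry per line,
    the Common Name (VIP FQDN) first, then the VIP address and every
    member's FQDN and IP. Duplicates are dropped, order is kept, and there
    is no line feed after the last entry."""
    entries = [common_name, vip_ip]
    for fqdn, ip in members:
        entries.extend((fqdn, ip))
    seen, out = set(), []
    for entry in (e.strip() for e in entries):
        if entry and entry not in seen:
            seen.add(entry)
            out.append(entry)
    return "\n".join(out)


# One PEM block: label, then everything up to the matching END marker.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def check_combined_pem(text):
    """Check a file built with `cat x.key x.crt > x.pem` for the
    "Certificate with Private Key" upload. Returns a list of problems; an
    empty list means: exactly one private key block, placed first, followed
    by one or more certificates, with the key password protected (a
    Proc-Type: 4,ENCRYPTED header on a traditional RSA key, or a PKCS#8
    ENCRYPTED PRIVATE KEY block)."""
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        return ["no PEM blocks found"]
    problems = []
    labels = [label for label, _ in blocks]
    keys = [i for i, lbl in enumerate(labels) if lbl.endswith("PRIVATE KEY")]
    certs = [i for i, lbl in enumerate(labels) if lbl == "CERTIFICATE"]
    if len(keys) != 1:
        problems.append("expected exactly one private key block, found %d" % len(keys))
    elif keys[0] != 0:
        problems.append("private key block must come first (found at position %d)" % keys[0])
    else:
        label, body = blocks[0]
        if label != "ENCRYPTED PRIVATE KEY" and "Proc-Type: 4,ENCRYPTED" not in body:
            problems.append("private key is not encrypted; download it with a password")
    if not certs:
        problems.append("no certificate block after the key")
    unknown = sorted(set(labels) - {"CERTIFICATE"} - {labels[i] for i in keys})
    if unknown:
        problems.append("unexpected block types: %s" % ", ".join(unknown))
    return problems
```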
Apply the Certificates to Subsequent Cluster Members
Follow these steps on every cluster member other than the CSR creator.
  1. On the Upload tab, select the certificate by using the Choose File button to find the certificate Filename. Select the appropriate Type, described as follows. If you receive multiple files from the CA, you upload them individually by type, in this order:
    • Use Certificate if the CSR was generated by this appliance.
    • Use Certificate with Private Key to upload the file you created in Prepare the Certificate for Subsequent Cluster Members. You need the password that you created when downloading the Key.
    • Use CA Bundles if a CA-chain certificate is provided by the CA.
    • Use Intermediate Certificate if an intermediate certificate is provided by the CA.
    • Do not upload the Certificate Revocation List. The CRL information is replicated from the first member across the cluster.
  2. For Other Options, select the applicable format (X509 or PKCS) for the certificate.
  3. Use Destination Filename to change the filename of the certificate. The Destination Filename must match the name of the CSR so that it is matched with the private key properly. This field can be left blank if the name stays the same.
  4. If the certificate requires it, enter the Passphrase, then re-enter it in Confirm. The Certificate with Private Key requires the password that you created when downloading the Key.
  5. Stage the new certificate. If the cluster is on, stop it (Configuration, Clustering, Status, Turn Cluster Off). On the Set tab, select the certificate that is generated by the third-party CA.
  6. Select Verify to ensure that Privileged Access Manager accepts the certificate.
  7. Either a confirmation phrase or an error message is provided at the top of the page.
  8. After the verification, select Accept to stage the new certificate for activation. The appliance reboots.
  9. After the reboot, return to the Configuration, Security, Certificates page. On the Set tab, the System Certification field shows the newly activated certificate name.
  10. After all cluster members have their certificates set, start the cluster (Configuration, Clustering, Status, Turn Cluster On).