Create a Self-Signed SSL Certificate for Use in a Testing Environment
How to create a self-signed SSL certificate for use in testing environments.
As an administrator, you can create a self-signed SSL certificate at no cost. It is the minimum needed to encrypt connections to the appliance and is suitable for testing environments. Because no certificate authority vouches for it, browsers and clients warn about it until it is explicitly trusted, so it is not a substitute for a CA-issued certificate in production.
To obtain and install an SSL certificate for a single-server production environment, see Obtain and Apply SSL Certificates for a Single-Server Production Environment.
To obtain and install an SSL certificate for a clustered production environment, see Obtain and Apply SSL Certificates for a Production Cluster.
For production environments (see Secure Connections Using SSL Certificates), generating a Certificate Signing Request (CSR) and having it signed by a certificate authority requires more steps and might involve a cost. A CSR is ordinarily used when organization policy requires a CA-issued certificate. To generate a CSR and certificates for a cluster, see Obtain and Apply SSL Certificates for a Production Cluster.
Video Overview
This short video provides an overview of the procedure to create a self-signed certificate.
Create the Self-Signed Certificate
Use this procedure to create a self-signed certificate.
Follow these steps:
- In the PAM UI, navigate to the Configuration, Security, Certificates page. Stay on the Create tab, which opens by default.
- Select the Self-Signed Certificate option for Type.
- Enter information in the following fields. Only the fields with a red asterisk are required. Do not use special characters.
  - Key Size: We recommend 2048 bits. 4096 bits is more secure, but it slows down TLS handshakes and increases processor load during handshakes.
  - Common Name: Enter the FQDN or IP address of Privileged Access Manager for the certificate request, such as 10.144.39.187. This field maps to the CN field of the X.509 certificate. Use the name that clients actually type into the browser or agent; a mismatch produces a certificate warning.
  - Country: Enter the two-letter country code, such as US, FR, or JP. This field maps to the C value of the X.509 certificate.
  - State: Enter the optional state or province, such as Illinois or Quebec. This field maps to the ST value of the X.509 certificate.
  - City: Enter the optional locality or city, such as Paris or Islandia. This field maps to the L value of the X.509 certificate.
  - Organization: Enter the organization, typically a company, such as "Acme Technologies". This field maps to the O value of the X.509 certificate.
  - Org. Unit: Enter the optional organizational unit, typically a subdivision or location of the Organization, such as "Security BU". This field maps to the OU (Organizational Unit) value of the X.509 certificate.
  - Days: Set the validity period. The current appliance date becomes the "Not Valid Before" date of the certificate, and the "Days" value determines the "Not Valid After" date. Keep the period short for a test certificate and record the expiration date; clients reject an expired certificate even after it has been trusted.
  - Use Common Name for SAN: Modern browsers validate the hostname against the Subject Alternative Name (SAN) extension rather than the Common Name, so the Common Name is repeated in the Alternative Subject Names field by default. To add more names in that field, clear this checkbox. The Common Name must still be listed in the Alternative Subject Names field.
  - Alternative Subject Names: Browsers require a value in this field. If no value is specified, the Common Name is repeated here. If the appliance is reached by more than one address, list the FQDN and IP address aliases in addition to the Common Name, one per line. This list must include the Common Name. Do not add a newline (line feed) after the last entry. See the X.509 Subject Alternative Name extension. For clusters (in internal test environments only): add the FQDN and IP address of the VIP and of every member of the cluster, plus any hostname or short VIP name that is used to access the cluster.
  - Filename: Enter a name for the certificate. Include the creation or expiration date in the filename, for example capam_exp2019-07-19.
- Select Create. A confirmation message appears at the top of the page.
- Stage the certificate for use:
  - On the Set tab, select the filename of the certificate that you created. The .crt extension is added to your filename.
  - Select Verify to confirm that Privileged Access Manager accepts the certificate.
  - Select Accept to switch to the new certificate.
- Reboot the appliance for the new certificate to take effect.
- Install the certificate as a trusted root certificate in the browser:
  - When the Security Alert pop-up window appears, select View Certificate.
  - When the Certificate pop-up window appears, select Install Certificate.
  - Select the Yes button.
  Trust the certificate only on test workstations, and remove it from the trust store when the test environment is retired: a client that trusts the certificate accepts anyone holding the appliance's private key as every name listed in its SAN.
  PAM Agents version 3.4 and later can connect to a PAM server that presents an unexpired but untrusted certificate. If an older PAM Agent cannot connect to the server to download updates, replace that agent with a newer version.
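The UI fields above map directly onto an X.509 certificate. The following POSIX shell script is an added example, not code from the PAM appliance or its documentation: it uses openssl to build an equivalent self-signed certificate and then checks the properties that the Verify step and a browser care about, namely that the Common Name is repeated in the SAN, that the extra FQDN and IP aliases are present, that the key is 2048 bits, and that the certificate is inside its Days window. The hostname pam.example.test, the alias pam, the DN values, and the reuse of the page's 10.144.39.187 address are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not the PAM appliance's own code): reproduce the self-signed
# certificate that the UI procedure creates, using openssl, and check it the
# way a browser will. Names and addresses below are constructed for illustration.
set -e

# make_self_signed CN DAYS OUTDIR [alias...]
# Writes OUTDIR/<CN>.key and OUTDIR/<CN>.crt. The CN is always repeated in the
# SAN list (what "Use Common Name for SAN" does), and each alias is emitted as
# an IP entry if it is a dotted IPv4 literal, otherwise as a DNS entry.
make_self_signed() {
    cn=$1; days=$2; outdir=$3; shift 3
    mkdir -p "$outdir"
    cfg="$outdir/$cn.cnf"
    {
        printf '[ req ]\nprompt = no\ndistinguished_name = dn\nx509_extensions = v3_self\n\n'
        # DN values are assumed; they mirror the Country/State/City/Org/OU fields.
        printf '[ dn ]\nC = US\nST = Illinois\nL = Islandia\nO = Acme Technologies\nOU = Security BU\nCN = %s\n\n' "$cn"
        printf '[ v3_self ]\nbasicConstraints = CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\n'
        printf 'extendedKeyUsage = serverAuth\nsubjectAltName = @alt_names\n\n'
        printf '[ alt_names ]\n'
        i=1
        for name in "$cn" "$@"; do
            case "$name" in
                *[!0-9.]*) printf 'DNS.%d = %s\n' "$i" "$name" ;;  # contains a non-digit: DNS name
                *)         printf 'IP.%d = %s\n'  "$i" "$name" ;;  # digits and dots only: IPv4
            esac
            i=$((i + 1))
        done
    } > "$cfg"
    # -x509 makes openssl self-sign instead of producing a CSR; rsa:2048 matches
    # the recommended Key Size and -days the Days field.
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -config "$cfg" -extensions v3_self \
        -keyout "$outdir/$cn.key" -out "$outdir/$cn.crt" 2>/dev/null
}

# san_has CRT NAME: succeed if NAME (e.g. "DNS:pam.example.test" or
# "IP Address:10.144.39.187") appears in the certificate's SAN extension.
san_has() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | grep -qF -- "$2"
}

# key_bits CRT: print the RSA public key size in bits.
key_bits() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# not_expired CRT: succeed if the current date is before "Not Valid After".
not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Usage: one appliance reached by its FQDN, its IP address and a short alias.
workdir=$(mktemp -d)
crt="$workdir/pam.example.test.crt"
make_self_signed pam.example.test 365 "$workdir" 10.144.39.187 pam
if san_has "$crt" 'DNS:pam.example.test' && not_expired "$crt"; then
    echo "OK: $(key_bits "$crt")-bit key, CN present in SAN, $(openssl x509 -in "$crt" -noout -enddate)"
else
    echo "certificate fails the browser checks" >&2
fi
```

The SAN check is the one that matters: a certificate whose SAN omits the name the client connects to is rejected regardless of what the CN says, which is why the UI insists that the Common Name stays in the Alternative Subject Names list.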