Obtain and Apply SSL Certificates for a Production Cluster

How to request an SSL certificate from a Certificate Authority (CA) and apply it to all the nodes in your cluster.
This content describes how to obtain and apply SSL certificates from an in-house or third-party CA for a production cluster.
To obtain and install SSL certificates for a single-server production environment, see Obtain and Apply SSL Certificates for a Single-Server Production Environment.
To create and install a self-signed SSL certificate for a small development environment, see Create a Self-Signed SSL Certificate for Use in a Testing Environment.
To secure communication between PAM servers and user sessions in a clustered environment, each node in the cluster requires the same SSL certificate, one that contains the FQDN and IP address of the VIP and of every member of the cluster.
You do not need to stop the cluster to install certificates; install them one node at a time with the cluster up.
Do the following procedures in order to obtain a certificate from a Certificate Authority (CA) and apply it to all the nodes in your cluster:
Create a Certificate Signing Request (CSR) and Send it to the CA
Designate any node in the Primary Site other than the master as the CSR Originator for the whole cluster and create the CSR from that server.
Follow this procedure on the CSR Originator:
  1. On the Create tab of the Certificates page, select the CSR option for Type. Enter information for the following fields. Do not use special characters.
    • Key Size: We recommend 2048 bits. 4096 bits is more secure, but it slows down TLS handshakes and increases processor load during handshakes.
    • Common Name: Enter the FQDN of the cluster Virtual IP address, such as pam.ca.com. This field maps to the CN field of the X.509 certificate.
    • Country: Enter the two-letter country code, such as US, FR, or JP. This field maps to the C value of the X.509 certificate.
    • State: Enter the optional State or Province, such as Illinois or Quebec. This field maps to the ST value of the X.509 certificate.
    • City: Enter the optional locality or city designation, such as Paris or Islandia. This field maps to the L value of the X.509 certificate.
    • Organization: Enter the organization, typically a company, for the certificate, such as "Acme Technologies." This field maps to the O value of the X.509 certificate.
    • Org. Unit: Enter the optional organizational unit name, typically a subdivision or location of the Organization, such as "Security BU". This field maps to the OU (Organizational Unit) value of the X.509 certificate.
    • Days: Days are used only for self-signed certificates.
    • Alternate Subject Names: Enter the FQDN and IP address for the VIP and every member of the cluster. Any hostname or short VIP name that is used to access the cluster should also be added. Each FQDN, IP address, or alias should be on its own line. This list must include the Common Name. Do not add a newline (line feed) after the last entry. Refer to the X.509 Subject Alternative Name.
    • Filename: Create a name for the certificate. This file name is also the name of the private key that is generated. The name must exactly match the name of the certificate when uploaded. Include the creation or expiration date in the filename. For example, name it PAM-Cluster_exp2019-07-19.
  2. Select Create.
  3. On the Download tab, select the filename of the CSR you created, which has a PEM (Privacy Enhanced Mail) extension.
  4. Select Download. Use this file to request a certificate from a Certificate Authority (CA) such as Entrust. Users do not have to install root certificates because the third party validates the site.
  5. Select the Private Key (which has the same name as the CSR, but a .key extension) from the filename drop-down list. It is under the Private Keys heading.
  6. Enter a Password and Confirm Password for encrypting the private key. Record this password for later use.
  7. Select Download. Save the Private Key to add it later to the received Certificate for the other cluster members.
  8. Follow the instructions provided by your CA to request the certificates using the downloaded CSR.
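The procedure above fills in the CSR through the appliance UI. As an added example (not part of the PAM documentation and not the appliance's own code), the following shell script builds an equivalent CSR with openssl, using the same subject fields and the same kind of Alternate Subject Names list, and then checks the CSR before it is sent to the CA: every VIP, node and alias must be present as a SAN, the Common Name must itself appear among the SANs, and the downloaded private key must belong to this CSR. The VIP name, node names and addresses are constructed placeholders; PAM-Cluster_exp2019-07-19 is the filename convention from the page.

```shell
#!/bin/sh
# Added example, not from the PAM documentation. Generates a CSR with openssl
# that carries the Create tab's subject fields and SAN list, then checks it.
# Hostnames and addresses below are constructed placeholders.
set -eu
W=$(mktemp -d)
CN="pam.example.com"                 # FQDN of the cluster VIP (constructed)
NAME="PAM-Cluster_exp2019-07-19"     # filename convention used on the page

# Every FQDN, IP address and alias used to reach the cluster, one per line,
# with the Common Name included: the "Alternate Subject Names" box.
SANS="DNS:$CN
IP:192.0.2.10
DNS:pam-node1.example.com
IP:192.0.2.11
DNS:pam-node2.example.com
IP:192.0.2.12
DNS:pam"

# Write an openssl request configuration equivalent to the Create tab.
write_req_cnf() {
  alt=$(printf '%s\n' "$SANS" | tr '\n' ',' | sed 's/,$//')
  cat > "$W/req.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[ dn ]
C  = US
ST = Illinois
L  = Islandia
O  = Acme Technologies
OU = Security BU
CN = $CN
[ v3_req ]
subjectAltName = $alt
EOF
}

# Create the 2048-bit key and the CSR (same base name, .key and .pem);
# prints the CSR path.
make_csr() {
  write_req_cnf
  openssl req -new -newkey rsa:2048 -nodes -config "$W/req.cnf" \
    -keyout "$W/$NAME.key" -out "$W/$NAME.pem" 2>/dev/null
  echo "$W/$NAME.pem"
}

# Print the CSR's SAN entries, one per line, in DNS:/IP: form.
csr_sans() {
  openssl req -in "$1" -noout -text \
    | sed -n '/Subject Alternative Name/{n;s/^ *//;s/IP Address:/IP:/g;p;}' \
    | tr ',' '\n' | sed 's/^ *//'
}

# Succeed only when the CSR carries every expected SAN and the CN itself.
check_csr() {
  got=$(csr_sans "$1")
  printf '%s\n' "$SANS" "DNS:$CN" | while read -r want; do
    printf '%s\n' "$got" | grep -qxF "$want" \
      || { echo "CSR is missing SAN entry $want" >&2; exit 1; }
  done
}

# Succeed when the private key ($2) is the one the CSR ($1) was built from,
# i.e. the pair that the matching-filename rule keeps together.
csr_matches_key() {
  [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

CSR=$(make_csr)
check_csr "$CSR" && echo "CSR ready to send to the CA: $CSR"
csr_matches_key "$CSR" "${CSR%.pem}.key" && echo "private key matches the CSR"
csr_sans "$CSR"
```

Run it on the CSR Originator (or any host with openssl) and compare the printed SAN list with the cluster inventory before the request goes out; a name missing here will be missing from the issued certificate, and clients connecting by that name will see a certificate warning.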
If the Certificate Authority provides all the required certificates and certificate revocation information in a single certificate file, follow the procedure described in Extract Required Certificates and CRLs from a Single SSL Certificate to extract them.
Upload and Apply the Third-Party Certificates on the CSR Originator
Once you have the certificates and CRLs for their chain of trust, upload and apply them on the primary site node where you generated the CSR.
Upload the certificates in the following order to avoid errors:
  1. Upload the Root Certificate:
    1. Go to the Configuration, Security, Certificates page. Select the Upload tab.
    2. Select CA Bundles as Type.
    3. For Other Options, select the applicable format (X509 or PKCS) for the certificate.
    4. Select the root certificate by using the Choose File button to find the certificate filename.
    5. Select Upload. If the operation completed, a success message appears at the top of the screen.
  2. Upload the Intermediate CRL:
    1. Select Certificate Revocation List as Type.
    2. For Other Options, select the applicable format (X509 or PKCS) for the CRL.
    3. Select the intermediate CRL by using the Choose File button to find the intermediate CRL filename.
    4. Select Upload. If the operation was successful, a message appears at the top of the screen with details about the CRL source.
  3. Upload the Intermediate Certificate:
    1. Select Intermediate Certificate as the Type.
    2. For Other Options, select the applicable format (X509 or PKCS) for the certificate.
    3. Select the intermediate certificate by using the Choose File button to find the intermediate certificate filename.
    4. Select Upload. If the operation was successful, a message appears at the top of the screen with details about the intermediate certificate.
  4. Upload the Device CRL:
    1. Select Certificate Revocation List as Type.
    2. For Other Options, select the applicable format (X509 or PKCS) for the CRL.
    3. Select the device CRL by using the Choose File button to find the device CRL filename.
    4. Select Upload. If the operation was successful, a message appears at the top of the screen with details about the CRL source.
  5. Upload the Device Certificate:
    1. Select Certificate as Type.
    2. For Other Options, select the applicable format (X509 or PKCS) for the certificate.
    3. Select the device certificate by using the Choose File button to find the certificate filename.
    4. Use Destination Filename to change the filename of the certificate. This field can be left blank if the name stays the same. If Privileged Access Manager generated the CSR, the Destination Filename must match the name of the CSR so that it pairs with the private key properly. Rename the certificate that is received from the third party if necessary, so that:
      1. Its base name is the same as the one that was originally generated.
      2. Its extension is ".crt".
      For example, if the original PEM name was abc.pem, the uploaded file must be named abc.crt.
    5. If you are uploading a Certificate with a Private Key, enter the Passphrase that you used to create the Key, then re-enter it in Confirm.
    6. Select Upload. If the operation completed, a success message appears at the top of the screen.
    7. Select Verify to ensure that Privileged Access Manager accepts the certificate. Either a confirmation or an error message is provided at the top of the page.
    8. Do not accept the certificates until all the cluster members have uploaded their certificates. Setting the accepted certificates requires a reboot. Wait until you complete the next procedure for other cluster members before turning off the cluster and accepting certificates on each member.
Verify and Apply the Certificates on the CSR Originator
Do the following procedure on the primary site node where you generated the CSR to verify and apply the certificates.
Follow these steps:
  1. Turn on Maintenance Mode to prevent new logins:
    1. Navigate to Configuration, Diagnostic, System.
    2. Set the Maintenance Mode option to On.
    3. (Optional) Monitor the server until all user sessions have ended, to avoid abruptly terminating active user sessions by stopping PAM prematurely.
  2. Navigate to the Configuration, Certificates screen and select the Download tab.
  3. Select the Filename field and inspect the drop-down list of files. All the certificates and CRLs should be listed. Default files are also in the list.
  4. On the Set tab, select the certificate that was generated by the third-party CA.
  5. Select Verify to ensure that Privileged Access Manager accepts the certificate. Either a confirmation or an error message is provided at the top of the page. A success message means that the entire certification chain is valid.
  6. After verification, select Accept to apply the new certificate. A dialog appears stating that the system certificate has been changed and asking you to "stop the cluster and reboot the appliance to make the new certificate take effect." However, to maintain availability in a production environment, you can proceed without stopping the cluster. Select the OK button to dismiss the dialog. Do not stop the cluster.
  7. Do the following steps to activate the new certificate by rebooting the server:
    1. Navigate to Configuration, Power.
    2. The Power screen displays a "Cluster Warning" stating that the PAM cluster must be turned off before powering down or rebooting any cluster member. However, since the cluster does not have to be stopped to install certificates, select the option acknowledging that you have read that guidance as shown in the following screen capture:
    3. Select the Reboot Instance button. The server reboots.
  8. After the reboot, do the following steps to verify that the certificate was installed correctly:
    1. Log in to the PAM server. The PAM UI should not present an invalid certificate icon or message.
    2. Navigate to the Set tab of the Configuration, Security, Certificates screen and verify that the System Certification field shows the newly activated certificate name.
Prepare a Certificate File for Other Nodes
The certificate that is provided by the CA is only valid on the CSR Originator. For other nodes, you require a file that includes the contents of the following files that are located on the originating node:
  • The private key (.key) file generated when creating the CSR.
  • The certificate (.crt) file that is provided by the CA in response to the CSR.
The resulting privacy enhanced mail (.pem) file is valid for all other cluster nodes.
To combine (concatenate) the files, enter one of the following commands at a command prompt on the node where you generated the CSR:
  • Linux: cat private_key_file.key certificate_file.crt > combined_pem_file.pem
  • Windows: type private_key_file.key certificate_file.crt > combined_pem_file.pem
The contents of the resulting .pem file should resemble the following example:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,58B125ACF0792928BA28D7BC53901D86

FiR1gSddsYYDVQ7CCI0/gqC7L1mzct8GnzhmQ+47CNXkoosE4B3EWG25o3S/skaF
QUAF8hdMHo0GapDpPyAspAjfUa2+ZPrKeRbISYyn4JIn3wKduhfqziJR2vzZwQFL
l+cKhCv3aSKh+3/ZqR5+puDWjbgfpsR5F9XPjjqKJLrdmt3qxaSjzkoQNLi7Xfpr
So35vADIJt9nP0jJ3tGAtVThMR1yaJaG1B71GkqShJ+X7o0np/Y7V14EXaV6WTrA
uRia8YETRDlBcFBxj7VEfYiI+/1x4qx1CglWAJz4oL1mplEglWX/q8EeTz0TXduY
ADrtffYGhjzoSOjWZjLKSa3zAYo0dLgKpiToNNm2JGipHMg8jnmtg9di52AOwqwr
266oqOaRnQ5OShpJOyxpwMpgbbalSekdZzdhFiWaQCg58coQnm6kSdPGwROp3g+L
l0HWKoQJMVsHjZn5hn7YepD0x01aiiKCxxKkziYtY4jdbQaNOm2FmTz1xrt2AsRH
OAYgXfbKOM2FfGHAfMsWR++edch77+sc4uY+1B/NuB/gvHKtADwIGC7BLlEtaQEF
aRp1P5Nu1JEXlEVfAHjv36IOUsVDpnM9jHs981G8oBefWS/Ca6QVE6hPPlaTd8i1
JuAFo8jsxT18OWIU6K/J2d53WD2zqDpIhuo5SwQQFSyKUo1e0dArpYVxpuPFHXxT
uhZgxN+pKG9KYMjtvkUqpD1rS7eXqwoK2buR2Z9LUGZ7uFFZzF5+41w+/GlSkmF9
ND+YdIlrxdni+MnGyuRdJVWjR9rM6Z2ob7/FoXqeCOwAoJCyzucWWcHH+2oItBf6
TwmcdEfVq7dEoJdu9QdgrYR2oEDm22DTbEqSDCbT+J+GNAYlUPWTHjugJ2vjwW4D
6VGQhXa5Hiipmz4FmR43gV1EKUGvSAtXHyLznp/BDHm9KdoagBINUk3U130hMOPw
3Me91epgruKLHUMs07CCqHbkkgldDNCAKWlPpgQFXhqEH9dnfAbWZROxN2ekms66
RzB7+/QsGHKN7E7Z5CiUp7snKs+6NNgRdJeWbDZtmXJiAH/j4CKNNwIhYOaPN4Ox
hS6ySqkZpm5NKNmDh21KM6VZsq2JU/jnXPfSqqqvuRFKgUDHvW7YvzwcG8h9ZQXu
fo3wz1z8p0ukpBro2MIPZIhfdZZCcmlFPzpvlPeCvtyhaHLJs4AIvWV7cxhWNsyb
KxCM9KASv4+5zNgqS2sPOIiu+QMFvobkkHliTowPHLBefattET0+ljQWivBW4B/4
j9wgrxTpTQ5Kv2MfX5AhLXdCAhYWL5OyxsrXQY5MkcNuXY+AIAUMVt/HSaQsjYLD
v5R830SnhyeeJy7lHaBjNyF8DqwhtMrEuDVkSGRyynEaUTK2uqUalLZUZSvPrZc4
+g3zW9ppjCbqoBLorwK4q9G2j3LaHoXysnxjgCWt41GHELbAEnphb4zahU+d+Mj2
LlwJprw0adcLsw/p6ck0/IySLGJtjum4qRfQQPnD6pZQ+WjkyFZJqVDm8San01ie
dJ6yBQlPJAspJLQNHHtG6TCZUcO93agKNd8T3RfbMygl0xVtWvOIYk5FeWz7YqIi
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIFqTCCA5GgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAweTELMAkGA1UEBhMCVVMx
CzAJBgNVBAgMAk5ZMREwDwYDVQQKDAhDQSwgSW5jLjEnMCUGA1UECwweQ0EsIElu
Yy4gQ2VydGlmaWNhdGUgQXV0aG9yaXR5MSEwHwYDVQQDDBhDQSwgSW5jLiBJbnRl
cm1lZGlhdGUgQ0EwHhcNMTgwNjI4MjAwMzA0WhcNMTkwNzA4MjAwMzA0WjBiMQsw
CQYDVQQGEwJVUzERMA8GA1UECAwISWxsaW5vaXMxDjAMBgNVBAcMBUxpc2xlMRgw
FgYDVQQKDA9DQSBUZWNobm9sb2dpZXMxFjAUBgNVBAMMDTEwLjI0Mi4zOS4xNzMw
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDCNmnC1HMr6WQN84dSk7+2
WFzA+FPtlWADKGs1Kz/wdc4kyVEvhzEV6u2CwndY6ORWioTkcerLnUmJ1/wQ8ojO
qHMvClGcTT0Uic7sNtKGoh/wYDK/x6N8Gtj8TWDZ9YOb/UYG4OHe2vvdp+esB29W
zls+49+bwdSm//9NO6B72c/DGv80J9KIhUW1JK+B1nHlztivnxWJezLq6NiP9jQ+
xFNv8MECsY9cVhmIJMT5cluc5cojFcFY2+5aQzIRwrcux61t2L/CwHF5tQlhtbN3
JnjcdGt1XhEd2cz24T00tQGbxElA4z4/rNC25CrF6TIxoiFe68cqFnA0XEuK6qHv
AgMBAAGjggFQMIIBTDAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIGQDAzBglg
hkgBhvhCAQ0EJhYkT3BlblNTTCBHZW5lcmF0ZWQgU2VydmVyIENlcnRpZmljYXRl
MB0GA1UdDgQWBBRamPBYA2gE++tvcLcmK+2H0lLQATCBsgYDVR0jBIGqMIGngBR0
SZjZFHL//vqS70zxAak6X4dxlKGBiqSBhzCBhDELMAkGA1UEBhMCVVMxCzAJBgNV
BAgMAk5ZMREwDwYDVQQHDAhJc2xhbmRpYTERMA8GA1UECgwIQ0EsIEluYy4xJzAl
BgNVBAsMHkNBLCBJbmMuIENlcnRpZmljYXRlIEF1dGhvcml0eTEZMBcGA1UEAwwQ
Q0EsIEluYy4gUm9vdCBDQYICEAAwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoG
CCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4ICAQBl0cR5k7fBrF+kTU5YE8Lc48aX
pQ9ybax2chJLfSdHUS1G+qldTatPhWqrKZsCYX7RA07+BB8VBxPie05eIL/azGrD
Pdy7tzMm0iGm68uBe7lZW/3itXv2K1SNUEMdHTy787K+2/g8GqXC7Pdf6Nc1rIyl
98nqAPUgAUhBrgCBht1yj+OQpLFll6No/7o81gSkujCRxICW/fDBqRZd7HZ8WZjg
m2zfbbZhpaay2leaVdKEOXzQNaexYGF4U9II/00JuBzAS0eoszNVbuwHWP+yzPdL
Vg3Xtt4EasEV6/0izqsTpyCh9rnBVF1AFVOFWYAe+HPmJju8Vejzt7VU0EST7pA8
Okc9MUoRIyfO3g8qO7uC9DM+026ymxWat6dNy8tepkALrx12xI/oqD8zqT3BxA5R
tISVCcszTdfdmAf+4DKlEbaqeUIDG8uIuBH8kR/oX7LrLZotWLl7piuqpvK3pcrB
fizdZ6/+FR5GwhOYT+VdZS0FuoVrTVE6iwm+oPO0Gu35pFhKYshV/c2Hnf5NvMPY
0XU7vV5wlG+LbY5Z8u2ziOEiTg+9+uNrA/ryt8MG9Q/svHlOf2C8azUeY6Ykl3mC
te7V+qAJ/ZACWhOlp/ycy8mgGIYbyuzHXKQfaJbgmR0ygaEaeoPaQp6pXycjlpSM
O2zmSDDfvuQcWjhR4g==
-----END CERTIFICATE-----
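Two things in the preceding sections are worth checking from a command line before trusting the appliance's messages: that the Verify step's "entire certification chain is valid" really covers root, intermediate and both CRLs in the upload order given above, and that the combined .pem built here pairs the right private key with the CA-issued certificate. The following shell script is an added example, not part of the PAM documentation and not the appliance's code. It uses openssl to build a throwaway chain (root CA, intermediate CA, device certificate with SANs), issues the two CRLs the procedure uploads (the "intermediate CRL" signed by the root and the "device CRL" signed by the intermediate), verifies the device certificate with all of them, then encrypts the key with a download-time passphrase, concatenates key and certificate exactly as the cat command above does, and checks that the key in the combined file belongs to the certificate. It finishes by revoking the device certificate and showing that the same chain is then rejected. All CA names, hostnames, addresses and passphrases are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the PAM documentation: toy root -> intermediate ->
# device chain with CRLs, chain+CRL verification, and the combined key+cert
# .pem check. Every name below is a constructed placeholder.
set -eu
W=$(mktemp -d)

# Minimal 'openssl ca' configuration and database files for one CA ($1 = label).
ca_cnf() {
  mkdir -p "$W/$1"; : > "$W/$1/index.txt"
  echo 1000 > "$W/$1/serial"; echo 1000 > "$W/$1/crlnumber"
  cat > "$W/$1.cnf" <<EOF
[ ca ]
default_ca = local
[ local ]
dir = $W/$1
database = $W/$1/index.txt
new_certs_dir = $W/$1
serial = $W/$1/serial
crlnumber = $W/$1/crlnumber
private_key = $W/$1.key
certificate = $W/$1.crt
default_md = sha256
default_crl_days = 30
policy = any
[ any ]
commonName = supplied
[ v3_ca ]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
[ v3_device ]
basicConstraints = CA:false
subjectAltName = DNS:pam.example.com,IP:192.0.2.10,DNS:pam-node1.example.com,IP:192.0.2.11
EOF
}

# Fresh 2048-bit key plus CSR; $1 = file label, $2 = Common Name.
req() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$W/$1.key" -out "$W/$1.csr" 2>/dev/null
}

# Reissue both CRLs from the CA databases and concatenate them for verify.
gen_crls() {
  openssl ca -config "$W/root.cnf" -gencrl -out "$W/intermediate.crl" >/dev/null 2>&1
  openssl ca -config "$W/inter.cnf" -gencrl -out "$W/device.crl" >/dev/null 2>&1
  cat "$W/intermediate.crl" "$W/device.crl" > "$W/crls.pem"
}

build_chain() {
  ca_cnf root; ca_cnf inter
  req root "Example Root CA"
  openssl x509 -req -in "$W/root.csr" -signkey "$W/root.key" -days 90 -set_serial 1 \
    -extfile "$W/root.cnf" -extensions v3_ca -out "$W/root.crt" 2>/dev/null
  req inter "Example Intermediate CA"
  openssl ca -batch -notext -config "$W/root.cnf" -extensions v3_ca -days 60 \
    -in "$W/inter.csr" -out "$W/inter.crt" >/dev/null 2>&1
  req device "pam.example.com"
  openssl ca -batch -notext -config "$W/inter.cnf" -extensions v3_device -days 30 \
    -in "$W/device.csr" -out "$W/device.crt" >/dev/null 2>&1
  gen_crls
}

# The Verify step: root as trust anchor, intermediate as untrusted chain
# material, the CRL of every issuer consulted. Exit status 0 = chain valid.
verify_device() {
  openssl verify -CAfile "$W/root.crt" -untrusted "$W/inter.crt" \
    -CRLfile "$W/crls.pem" -crl_check_all "$W/device.crt" >/dev/null 2>&1
}

# Revoke the device certificate at the intermediate CA and reissue the CRLs.
revoke_device() {
  openssl ca -config "$W/inter.cnf" -revoke "$W/device.crt" >/dev/null 2>&1
  gen_crls
}

# Encrypt the key with the passphrase chosen at download time ($1), then
# concatenate key and certificate as the page's cat command does; prints the path.
make_combined_pem() {
  openssl pkey -in "$W/device.key" -aes256 -passout "pass:$1" -out "$W/PAM-Cluster.key"
  cat "$W/PAM-Cluster.key" "$W/device.crt" > "$W/PAM-Cluster.pem"
  echo "$W/PAM-Cluster.pem"
}

# Succeed only when the key in the combined file ($1, passphrase $2) has the
# same public key as the certificate in that file.
pem_key_matches_cert() {
  k=$(openssl pkey -in "$1" -passin "pass:$2" -pubout 2>/dev/null || true)
  c=$(openssl x509 -in "$1" -noout -pubkey)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

build_chain
verify_device && echo "device certificate verified: chain and CRLs accepted"
PEM=$(make_combined_pem "constructed-passphrase")
pem_key_matches_cert "$PEM" "constructed-passphrase" && echo "combined .pem: key matches certificate"
revoke_device
verify_device || echo "after revocation the same chain is rejected"
```

The verify call is the one to reuse against real files: put the CA's root in the -CAfile, the intermediate in -untrusted, both CRLs in the -CRLfile, and the device certificate last. If it fails while the appliance reports success (or the reverse), one of the uploaded files is not the one you think it is, and the pem_key_matches_cert check tells you whether the problem is a key/certificate mismatch caused by a wrong Destination Filename rather than a chain problem.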
Apply the Certificates to All Other Cluster Nodes
Follow these steps on every cluster member other than the CSR Originator.
Upload the certificate files in the specified order. Failure to do so causes errors.
Follow these steps to upload the certificates in the correct order:
  1. Upload the Root Certificate:
    1. Go to the Configuration, Security, Certificates page. Select the Upload tab.
    2. Select CA Bundles as Type.
    3. For Other Options, select the applicable format (X509 or PKCS) for the certificate.
    4. Select the root certificate by using the Choose File button to find the certificate filename.
    5. Select Upload. If the operation completed, a success message appears at the top of the screen.
  2. Upload the Intermediate CRL:
    1. Select Certificate Revocation List as Type.
    2. For Other Options, select the applicable format (X509 or PKCS) for the CRL.
    3. Select the intermediate CRL by using the Choose File button to find the intermediate CRL filename.
    4. Select Upload. If the operation was successful, a message appears at the top of the screen with details about the CRL source.
  3. Upload the Intermediate Certificate:
    1. Go to the Configuration, Security, Certificates page. Select the Upload tab.
    2. Select CA Bundles as Type.
    3. For Other Options, select the applicable format (X509 or PKCS) for the certificate.
    4. Select the root certificate by using the Choose File button to find the certificate filename.
    5. Select Upload. If the operation completed, a success message appears at the top of the screen.
  4. Upload the Device CRL:
    1. Select Certificate Revocation List as Type.
    2. For Other Options, select the applicable format (X509 or PKCS) for the CRL.
    3. Select the device CRL by using the Choose File button to find the device CRL filename.
    4. Select Upload. If the operation was successful, a message appears at the top of the screen with details about the CRL source.
  5. Upload the Device Certificate with Private Key:
    1. Select Certificate with Private Key as Type.
    2. For Other Options, select the applicable format (X509 or PKCS) for the certificate.
    3. Select the device certificate by using the Choose File button to find the certificate filename.
    4. Use Destination Filename to change the filename of the certificate. This field can be left blank if the name stays the same. If Privileged Access Manager generated the CSR, the Destination Filename must match the name of the CSR so that it pairs with the private key properly. Rename the certificate that is received from the third party if necessary, so that:
      1. Its base name is the same as the one that was originally generated.
      2. Its extension is ".crt".
      For example, if the original PEM name was abc.pem, the uploaded file must be named abc.crt.
    5. Enter the Passphrase that you used to create the Key, then re-enter it in Confirm. The Certificate with Private Key requires the password that you created when downloading the Key.
    6. Select Upload. If the operation completed, a success message appears at the top of the screen.
Verify and Apply the Certificates on the Other Nodes in the Cluster
Once all the required files have been uploaded, inspect the files, verify them, and accept them. Once you accept the certificate chain, the appliance asks you to reboot. The certificate does not take effect until the appliance is rebooted.
Follow these steps on every other node in the cluster, completing all steps before starting on the next node:
  1. Turn on Maintenance Mode to prevent new logins:
    1. Navigate to Configuration, Diagnostic, System.
    2. Set the Maintenance Mode option to On.
    3. (Optional) Monitor the server until all user sessions have ended, to avoid abruptly terminating active user sessions by stopping PAM prematurely.
  2. Navigate to the Configuration, Certificates screen and select the Download tab.
  3. Select the Filename field and inspect the drop-down list of files. All the certificates and CRLs should be listed. Default files are also in the list.
  4. On the Set tab, select the certificate that was generated by the third-party CA.
  5. Select Verify to ensure that Privileged Access Manager accepts the certificate. Either a confirmation or an error message is provided at the top of the page. A success message means that the entire certification chain is valid.
  6. After verification, select Accept to apply the new certificate. A dialog appears stating that the system certificate has been changed and asking you to "stop the cluster and reboot the appliance to make the new certificate take effect." However, to maintain availability in a production environment, you can proceed without stopping the cluster. Select the OK button to dismiss the dialog. Do not stop the cluster.
  7. Do the following steps to activate the new certificate by rebooting the server:
    1. Navigate to Configuration, Power.
    2. The Power screen displays a "Cluster Warning" stating that the PAM cluster must be turned off before powering down or rebooting any cluster member. However, since you do not have to stop the cluster to install certificates, select the option acknowledging that you have read that guidance as shown in the following screen capture:
    3. Select the Reboot Instance button. The server reboots.
  8. After the reboot, do the following steps to verify that the certificate was installed correctly:
    1. Log in to the PAM server. The PAM UI should not present an invalid certificate icon or message.
    2. Navigate to the Set tab of the Configuration, Security, Certificates screen and verify that the System Certification field shows the newly activated certificate name.