Obtain and Apply SSL Certificates for a Single-Server Production Environment
How to obtain and apply an SSL certificate for a single-server production environment.
This content describes how to obtain and apply SSL certificates from an in-house or third-party CA for a single-server production environment.
To obtain and install SSL certificates for a cluster, see Obtain and Apply SSL Certificates for a Production Cluster.
To create and install a self-signed SSL certificate for a small development environment, see Create a Self-Signed SSL Certificate for Use in a Testing Environment.
Video Overview
The following video provides a brief overview of this procedure.
Do the following procedures in order to obtain a certificate from a Certificate Authority (CA) and apply it to your PAM server:
Request a Certificate from a Certificate Authority
To create a Certificate Signing Request (CSR) for one appliance, follow these steps:
- On the Create tab of the Certificates page, select the CSR option for Type. Enter information for the following fields. Do not use special characters.
  - Key Size: We recommend 2048 bits. 4096 bits is more secure, but it slows down TLS handshakes and increases processor load during handshakes.
  - Common Name: Enter the FQDN or IP address of Privileged Access Manager for the certificate request, such as pam.ca.com or 10.144.39.187. This field maps to the CN field of the X.509 certificate.
    - For Clusters: Enter the FQDN of the cluster Virtual IP address.
  - Country: Enter the two-letter country code, such as US, FR, or JP. This field maps to the C value of the X.509 certificate.
  - State: Enter the optional State or Province, such as Illinois or Quebec. This field maps to the ST value of the X.509 certificate.
  - City: Enter the optional locality or city designation, such as Paris or Islandia. This field maps to the L value of the X.509 certificate.
  - Organization: Enter the organization, typically a company, for the certificate, such as "Acme Technologies". This field maps to the O value of the X.509 certificate.
  - Org. Unit: Enter the optional organizational unit name, typically a subdivision or location of the Organization, such as "Security BU". This field maps to the OU (Organizational Unit) value of the X.509 certificate.
  - Days: Days are used only for self-signed certificates.
  - Use Common Name for SAN: Because some browsers require a value in the Alternative Subject Names field, the Common Name is repeated there by default. To add more names in that field, clear this checkbox. The Common Name should still be repeated in the Alternative Subject Names field.
  - Alternative Subject Names: Some browsers require a value in this field. If no value is specified, the Common Name is repeated here. If more than one address is used to access the appliance, list the FQDN and IP address aliases of the Common Name, one per line. This list must include the Common Name. Do not add a newline (line feed) after the last entry. Refer to the X.509 Subject Alternative Name.
    - For Clusters: Enter the FQDN and IP address for the VIP and every member of the cluster. Any hostname or short VIP name that is used to access the cluster should also be added.
  - Filename: Create a name for the certificate. This file name is also the name of the private key that is generated. The name must exactly match the name of the certificate when uploaded. Include the creation or expiration date in the filename. For example, name it capam_exp2019-07-19.
- Select Create.
- On the Download tab, select the Filename of the CSR you created, which has a PEM (Privacy Enhanced Mail) extension.
- Select Download. Submit the downloaded PEM file to request a certificate from your CA. Users do not have to install root certificates because the third party validates the site.
- For clusters, remain on the Download tab to download the private key:
  - On the Download tab, select the Private Key from the Filename drop-down list. It is under the Private Keys heading, with the same name as the CSR, but a KEY extension.
  - Enter a Password and Confirm Password for encrypting the private key. Record this password to use later when uploading certificates to cluster members.
  - Select Download. Save the Private Key to add it later to the received Certificate for the other cluster members.
- Obtain a new certificate using the downloaded CSR. Follow the instructions from your Certificate Authority to receive a certificate.
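As an added example (not the PAM documentation's or the product's own code), the following Python helper prepares the CSR field values the steps above call for and enforces the rules they state: the Common Name must be an FQDN or IP address, the Alternative Subject Names list must include the Common Name with one entry per line and no trailing line feed, and the certificate the CA returns must be uploaded under the CSR's base name with a .crt extension. The function names and the hostname pattern are my own constructions.

```python
# Added example, not part of the PAM documentation or product.
import ipaddress
import re

# Hostname check, label by label (letters, digits, hyphens; no leading or
# trailing hyphen). Short names are accepted because the cluster note above
# says short VIP names used to reach the appliance belong in the SAN list.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?=.{{1,253}}$){_LABEL}(?:\.{_LABEL})*$", re.IGNORECASE)


def is_hostname_or_ip(name: str) -> bool:
    """True for an IPv4/IPv6 literal or a hostname such as pam.ca.com or pam."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return _HOSTNAME_RE.match(name) is not None


def build_san_field(common_name: str, aliases=()) -> str:
    """Return the text to enter in Alternative Subject Names.

    The Common Name is always the first entry, aliases are added once each,
    one per line, and the result carries no trailing line feed, as the
    field description requires.
    """
    if not is_hostname_or_ip(common_name):
        raise ValueError(f"Common Name must be an FQDN or IP address: {common_name!r}")
    names = [common_name]
    for alias in aliases:
        alias = alias.strip()
        if not alias:
            continue  # blank lines from a pasted list are ignored
        if not is_hostname_or_ip(alias):
            raise ValueError(f"Not an FQDN or IP address: {alias!r}")
        if alias not in names:
            names.append(alias)
    return "\n".join(names)


def upload_filename(csr_filename: str) -> str:
    """Name the CA-issued certificate must have when uploaded: same base name, .crt extension."""
    base = csr_filename[:-4] if csr_filename.lower().endswith(".pem") else csr_filename
    return base + ".crt"
```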
If the Certificate Authority provides all the required certificates and certificate revocation information in a single certificate file, follow the procedure that is described in Extract Required Certificates and CRLs from a Single SSL Certificate to extract them.
Upload the Third-Party Certificates and CRLs
Once you have the certificates and CRLs for their chain of trust, you upload them into the PAM server. You must upload them in the right order to avoid errors:
- Root certificate (as CA Bundle)
- Intermediate CRL
- Intermediate certificate
- Device CRL
- Device certificate
Upload the Root Certificate
- Go to the Configuration, Security, Certificates page. Select the Upload tab.
- Select CA Bundles as Type.
- For Other Options, select the applicable format (X509 or PKCS) for the certificate.
- Select the root certificate by using the Choose File button to find the certificate Filename.
- Select Upload. You should receive a success message.
Upload the Intermediate CRL
- Select Certificate Revocation List as Type.
- For Other Options, select the applicable format (X509 or PKCS) for the CRL.
- Select the intermediate CRL by using the Choose File button to find the intermediate CRL Filename.
- Select Upload. You should receive a success message with details about the CRL source.
Upload the Intermediate Certificate
- Select Intermediate Certificate as Type.
- For Other Options, select the applicable format (X509 or PKCS) for the certificate.
- Select the intermediate certificate by using the Choose File button to find the intermediate certificate Filename.
- Select Upload. You should receive a success message.
Upload the Device CRL
- Select Certificate Revocation List as Type.
- For Other Options, select the applicable format (X509 or PKCS) for the CRL.
- Select the device CRL by using the Choose File button to find the device CRL Filename.
- Select Upload. You should receive a success message with details about the CRL source.
Upload the Device Certificate
- If you generated the initial CSR on another appliance, you have to concatenate your private key with the certificate that you received. See Install Certificates in a Cluster for instructions. The resulting combination file is uploaded with Type set to Certificate with Private Key.
- Otherwise, select Certificate as Type.
- For Other Options, select the applicable format (X509 or PKCS) for the certificate.
- Select the device certificate by using the Choose File button to find the certificate Filename.
- Use Destination Filename to change the filename of the certificate. This field can be left blank if the name stays the same. If Privileged Access Manager generated the CSR, the Destination Filename must match the name of the CSR so that the certificate is matched to the private key properly. Rename the certificate that is received from the third party if necessary, so that:
  - Its base name is the same as the one that was originally generated.
  - Its extension is ".crt". For example, if the original PEM name was abc.pem, the uploaded file must be named abc.crt.
- If you are uploading a Certificate with a Private Key, enter the Passphrase that you used to create the Key, then re-enter it in Confirm.
- Select Upload. You should receive a success message.
Verify and Set the Certificates
Once all the required files have been uploaded, you inspect the files, verify them, and accept them. Once you accept the certificate chain, the appliance asks you to reboot. The certificate partially takes effect upon acceptance of the new certificate. We recommend applying certificates while the appliance is in maintenance mode, and rebooting the appliance before disabling maintenance mode.
Follow these steps:
- On the Download tab of the Security page, select the Filename field and inspect the drop-down list of files. All the certificates and CRLs should be listed. Default files are also in the list.
- On the Set tab, select the certificate that was generated by the third-party CA.
- Select Verify to ensure that Privileged Access Manager accepts the certificate. Either a confirmation phrase or an error message is provided at the top of the page. A success message means that the entire certification chain is valid.
- After the verification, select Accept to apply the new certificate. The appliance asks you to reboot. The certificate does not take effect until the appliance is rebooted.
- To activate the new certificate, select the Reboot button to reboot Privileged Access Manager.
- After the reboot, logging in to the PAM server should not present an invalid certificate icon or message. On the Set tab of the Configuration, Security, Certificates page, the System Certification field shows the newly activated certificate name.
For related information, see the following topics: