Create a Self-Signed SSL Certificate for Use in a Testing Environment

How to create a self-signed SSL certificate for use in testing environments.
As an administrator, you can create a self-signed SSL certificate, which is the recommended minimum to reduce security risk. This option is available at no cost and is useful for testing environments.
To obtain and install an SSL certificate for a single-server production environment, see Obtain and Apply SSL Certificates for a Single-Server Production Environment.
To obtain and install an SSL certificate for a clustered production environment, see Obtain and Apply SSL Certificates for a Production Cluster.
For production environments, generating a Certificate Signing Request (CSR) requires more steps and might involve a cost. A CSR is ordinarily used when organization policy requires it. To generate a CSR and certificates for a cluster, see Obtain and Apply SSL Certificates for a Production Cluster.

Video Overview

This short video provides an overview of the procedure to create a self-signed certificate.

Create the Self-Signed Certificate

Use this procedure to create a self-signed certificate.
Follow these steps:
  1. In the PAM UI, navigate to the Configuration, Security, Certificates page. Stay on the Create tab, which opens by default.
  2. Select the Self-Signed Certificate option for Type.
  3. Enter information in the following fields. Only the fields with a red asterisk are required. Do not use special characters.
    • Key Size: We recommend 2048 bits. 4096 bits is more secure, but it slows down TLS handshakes and increases processor load during handshakes.
    • Common Name: Enter the FQDN or IP address of Privileged Access Manager for the certificate request, such as 10.144.39.187. This field maps to the CN field of the X.509 certificate.
    • Country: Enter the two-letter country code, such as US, FR, or JP. This field maps to the C value of the X.509 certificate.
    • State: Enter the optional state or province, such as Illinois or Quebec. This field maps to the ST value of the X.509 certificate.
    • City: Enter the optional locality or city designation, such as Paris or Islandia. This field maps to the L value of the X.509 certificate.
    • Organization: Enter the organization, typically a company, for the certificate, such as "Acme Technologies". This field maps to the O value of the X.509 certificate.
    • Org. Unit: Set the optional organizational unit name, typically a subdivision or location of the Organization, such as "Security BU". This field maps to the OU (Organizational Unit) value of the X.509 certificate.
    • Days: Set the validity period. The current appliance date becomes the "Not Valid Before" date for the certificate; the "Days" value then determines the "Not Valid After" date.
    • Use Common Name for SAN: Because some browsers require a value in the Alternative Subject Names field, the Common Name is repeated there by default. To add more names in that field, clear this checkbox. The Common Name should still be repeated in the Alternative Subject Names field.
    • Alternative Subject Names: Some browsers require a value in this field. If no value is specified, the Common Name is repeated here. If more than one address is used to access the appliance, list the FQDN and IP address aliases of the Common Name, one per line. This list must include the Common Name. Do not add a newline (line feed) after the last entry. Refer to the X.509 Subject Alternative Name.
      For clusters (in internal test environments only): Add the FQDN and IP address for the VIP and every member of the cluster. Any hostname or short VIP name that is used to access the cluster should also be added.
    • Filename: Create a name for the certificate. Include the creation or expiration date in the filename. For example, name it capam_exp2019-07-19.
  4. Select Create. A confirmation message appears at the top of the page.
  5. Do the following steps to stage the certificate for use:
    1. On the Set tab, select the filename of the certificate that you created previously. The crt extension is added to your filename.
    2. Select Verify to confirm that this certificate is acceptable to Privileged Access Manager.
    3. Select Accept to switch to the new certificate.
    4. Reboot the appliance for the new certificate to take effect.
    5. Install the certificate as a trusted root certificate in a browser.
    6. When the Security Alert pop-up window appears, select View Certificate.
    7. When the Certificate pop-up window appears, select Install Certificate.
       PAM Agents version 3.4 and later support connecting to a PAM server with an unexpired, untrusted certificate. If an older version of the PAM Agent cannot connect to the server to download the updates, replace that agent with a newer version.
    8. Select the Yes button.