How to Generate CSR from PAM UI and Install Certificates to a Cluster

As an administrator, you request a certificate from a third party to secure communication with your Privileged Access Manager server. For productions environments, you request a certificate from a third party. You can also Create a Self-Signed Certificate for testing environments. Generating a Certificate Signing Request (CSR) requires more steps and might involve a cost. A CSR is ordinarily used when organization policy requires it. 

Prerequisites

  • Change login time-out to 0
    • Navigate to Settings, Global Settings. 
    • Under the Basic Settings tab, in the Login Timeout (Minutes) field change the value to 0 

Installation Tasks and Steps

Task 1 – Create a Certificate Signing Request (CSR) 

Follow these steps:

  1. On the Create tab of the Certificates page, select the CSR option for Type. Enter information for the following fields. Do not use special characters.
    • Key Size: We recommend 2048 bits. 4096 bits is more secure, but it slows down TLS handshakes and increases processor load during handshakes.
    • Common Name: Enter the FQDN of the cluster Virtual IP address, such as pam.ca.com. This field maps to the CN field of the X.509 certificate.
    • Country: Enter the two-letter country code, such as US, FR, or JP. This field maps to C value of the X.509 certificate.
    • State: Enter the optional State or Province, such as Illinois, or Quebec. This field maps to ST value of the X.509 certificate.
    • City: Enter the optional locality or city designation, such as Paris or Islandia. This field maps to L value of the X.509 certificate.
    • Organization: Enter the organization, typically a company, for the certificate, such as “Acme Technologies.” This field maps to O value of the X.509 certificate. 
    • Org. Unit: Enter the optional organizational unit name, typically a subdivision, or location of the Organization, such as “Security BU”. This field maps to OU value/Organizational Unit designation of the X.509 certificate. 
    • Days: Days are used only for self-signed certificates.
    • Alternate Subject Names: Enter the FQDN and IP address for the VIP and every member of the cluster. Any hostname or short VIP name that is used to access the cluster should also be added. Each FQDN, IP address, or alias should be on its own line. This list must include the Common Name. Do not add a newline (line feed) after the last entry. Refer to the X.509 Subject Alternative Name. 
    • Filename: Create a name for the certificate. This file name is also the name of the private key that is generated. The name must exactly match the name of the certificate when uploaded.
  2. Select Create

  3. Next, go to the Download tab and select the filename of the CSR you have just created, which has the PEM (Privacy Enhanced Mail) extension. It will be under the header “CSR” in the drop-down list
  4. Select Download. This is the file that will be used to request a certificate from a Certificate Authority (CA)
  5. Next, while still on the Download tab, select the Private Key from the drop-down list under the Private Key heading. It will have the same name as the CSR that was just created but with a KEY extension

  6. Enter a Password and Confirm Password for encrypting the private key. Record this password for later use.
  7. Select Download to download the Private Key. Save the private key on your system, it will be added to the received Certificate from the CA

Task 3 – Concatenate the certificate with the Private Key

  1. Once you have received the certificate from the CA, open that file in a text editor like Notepad++
  2. Find the private key that you save on your system earlier and open that in a text editor as well.
  3. Start a new text file, copy all of the file contents from the certificate file and paste that into the new file and copy all of the contents of the private key and paste that into the new file as well. 
  4. Save this new file and give it the same name you used when generating the CSR.
    Note: If you are attempting to upload an RSA Certificate be sure to edit the file in the text editor and add “RSA” to the header and footer of the private key section.

Task 2 – Upload the Device Certificate

  1. Select Certificate with Private Key as Type. 
  2. For Other Options, select the applicable format (X509 or PKCS) for the certificate.
  3. Select the device certificate by using the Choose File button to find the certificate Filename of the new file you created with the certificate and the private key. 
  4. Use Destination Filename to change the filename of the certificate. This field can be left blank if the name stays the same.
  5. If Privileged Access Manager generated the CSR, the “Destination Filename” must match the name of the CSR to match the private key properly. Rename the certificate that is received from the third party if necessary, so that:
    1. Its base name is the same as the one that originally generated.
    2. Its extension is “.crt”. For example, if the original PEM name was abc.pem, the uploaded file must be named abc.crt.
  6. Enter the Passphrase that you used to create the Key, then re-enter it in Confirm. The Certificate with Private Key requires the password that you created when downloading the Key. 
  7. Select Upload.
  8. You should receive a success message.

Task 3 – Verify and Set the Certificate

Follow these Steps:

  1. On the Download tab of the Security page, select the Filename field and inspect the drop-down list of files. Your new certificate should be listed. Default files are also in the list. 
  2. On the Set tab, select the certificate file that you created with the private key.
  3. Select Verify to ensure that Privileged Access Manager accepts the certificate. Either a confirmation or an error message is provided at the top of the page. A success message means that the entire certification chain is valid.

  4. After the verification, select Accept to apply the new certificate. The appliance asks you to reboot. The certificate does not take effect until the appliance is rebooted.
  5. To activate the new certificate, select the Reboot button to reboot Privileged Access Manager.
  6. After the reboot, logging in to the PAM server should not present an invalid certificate icon or message. On the Set tab of the Configuration, Security, Certificates page, the System Certification field shows the newly activated certificate name. 
  7. Repeat this procedure on each cluster member.
  8. Once all the cluster members have rebooted, and you have confirmed the certificate name, turn on the cluster. Go to Configuration, Clustering, Status, Turn Cluster On.

Looking for additional help with generating CSR from the PAM UI? ISX is an elite IAM security firm that offers boundless expertise in a range of cybersecurity and business process services, including PAM. Take your interoperability to the next level, and contact an ISX consultant today.

ISXHow to Generate CSR from PAM UI and Install Certificates to a Cluster

Leave a Reply

Your email address will not be published. Required fields are marked *