PAM and Server Certificate

Article ID: 130160

Products

CA Privileged Access Manager - Cloakware Password Authority (PA) PAM SAFENET LUNA HSM CA Privileged Access Manager (PAM)

Issue/Introduction

This article guides you through the steps from generating a CSR in PAM all the way to importing the certificate issued by a third-party CA.

Environment

Release:
Component: CAPAMX

Resolution

The use case is PAM generating a CSR (Certificate Signing Request) and a trusted Certificate Authority issuing a certificate from it.

 

PAM generating the CSR means:

  1. The private key is already stored in PAM.
  2. You will get only the signed certificate back from the CA for import (no private key is involved here).

Go to "Configuration - Security - Certificates" in the PAM GUI and perform the following.

  1. Type: CSR
  2. Key Size: either 2048 or 4096.
  3. Common Name: use an easy name to identify this certificate. Usually the DNS-resolvable FQHN of your server.
  4. Country: your desired country code, 2 characters. For example, "AU".
  5. Organization: your desired value.
  6. Days: typically 1 year to 2 years.
  7. Alternate Subject Names: add all the DNS-resolvable FQHNs or IPs, one per line, that you will be using for your server. Modern browsers authenticate the server via the "Subject Alternative Name" and no longer via the "CN" value. No empty line at the end!
  8. Filename: 1 alphanumeric word. No dots, no spaces and no special characters! No extension!


pam cert create csr

You will get a notification saying CSR was generated.


Navigate to "Download" tab and select "pam323.pem" from the dropdown list and click "DOWNLOAD".

pam cert download csr

Note: there is a "pam323.key" file in the "Private Keys" section. This is the private key for pam323.

Save the file somewhere safe; it is saved as "pam323.pem".
The content is in PEM (Base64) format.


Send this over to the Certificate Authority and download the issued Certificate.


In this example, I am sending it to Microsoft Certificate Services.







It is common to receive a DER-encoded certificate file (meaning the content is binary) instead of a PEM-encoded one (meaning Base64-encoded, thus text content). I am choosing DER here so that I can demonstrate converting the certificate encoding format later.

The default filename given was certnew.cer and I will download it as is, in DER format.



You should download the Certificate Chain as well.

In this example, my Certificate Authority is not a publicly trusted CA, so I will need to import the certificate chain (the issuer and all the subordinate CA certificates).



Once you have downloaded this certnew.p7b, double-click on it.


It is a certificate container, and in it you can find your server certificate as well as the CA certificate.

You may find more certificates if there are subordinate CAs.
Download all CA and subordinate CA certificates.

For example, if you check the certificate for www.msn.com, it shows that it was issued through a subordinate CA.

pam msn chain sample
 

Back in the certificate container, you can double-click on each certificate.
Then navigate to the "Details" tab.
Click on the "Copy to File…" button and save it in Base-64 encoded format (which is PEM).



pam cert ca convert1

I saved it as "TEST-ROOT-CA.cer".


Now double-click on the server certificate you downloaded (certnew.cer; the one in the certificate container is the same thing, so you can double-click on that one too).



Same thing here: go to the "Details" tab and click on "Copy to File…".

Note the Issuer and the Subject.

Also note the Subject Alternative Name containing the 3 FQHNs that were in the CSR.




Save it in Base-64 format.


pam cert convert3

Now you have the CA certificate (and, depending on your CA, possibly additional subordinate CA certificates) downloaded and saved in PEM format.

The server certificate is also downloaded and saved in PEM format, with a filename matching the CSR filename (not the extension).
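Before uploading anything, it is worth checking that the files you now hold are what PAM expects: the server certificate converted to PEM, its public key matching the private key already in PAM, the SANs from the CSR present, and the chain you are about to upload actually validating it. The script below is an added example, not part of this article or the PAM product; it assumes openssl is installed, and the CA, key, CSR and DER certificate it uses are a constructed fixture (the pam323 and TEST-ROOT-CA names come from the article, the example.test hostnames and 192.0.2.10 address are assumed).

```shell
#!/bin/sh
# Added example, not from the article: checks to run on the certificate the
# CA returned before uploading it to PAM. Assumes openssl is installed.
# A throwaway CA, server key, CSR and DER certificate are constructed here as
# a fixture so the script runs offline; substitute your real pam323.key,
# pam323.pem (the CSR) and certnew.cer.
set -e
WORK=$(mktemp -d)
SANS="DNS:pam323.example.test,DNS:pam.example.test,IP:192.0.2.10"

make_fixture() {
  # Constructed root CA standing in for the article's Microsoft CA.
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\n' > "$WORK/ca.cnf"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' >> "$WORK/ca.cnf"
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=TEST-ROOT-CA" -keyout "$WORK/ca.key" -out "$WORK/TEST-ROOT-CA.cer" 2>/dev/null
  # Private key plus CSR carrying three SANs, as PAM generates them.
  openssl req -new -newkey rsa:2048 -nodes -subj "/C=AU/O=Example/CN=pam323.example.test" \
    -addext "subjectAltName=$SANS" -keyout "$WORK/pam323.key" -out "$WORK/pam323.pem" 2>/dev/null
  # The CA issues the certificate DER-encoded (binary), like certnew.cer.
  printf 'subjectAltName=%s\n' "$SANS" > "$WORK/san.ext"
  openssl x509 -req -in "$WORK/pam323.pem" -CA "$WORK/TEST-ROOT-CA.cer" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/san.ext" -outform DER -out "$WORK/certnew.cer" 2>/dev/null
}

# PAM expects PEM: convert the DER file and name the result after the CSR/key.
der_to_pem() { openssl x509 -inform DER -in "$1" -out "$2"; }

# The issued certificate must carry the public key of the private key PAM already
# holds; that is why "Destination Filename" has to be pam323. Compare key digests.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  [ "$k" = "$c" ]
}

# Browsers validate the SAN, not the CN: confirm a name from the CSR survived issuance.
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -A1 "Subject Alternative Name" | grep -q "$2"
}

# The CA bundle you upload (root first, then subordinates) must validate the cert.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

make_fixture
der_to_pem "$WORK/certnew.cer" "$WORK/pam323.cer"
key_matches_cert "$WORK/pam323.key" "$WORK/pam323.cer" && echo "key and certificate match"
cert_has_san "$WORK/pam323.cer" "DNS:pam.example.test" && echo "SAN present"
chain_ok "$WORK/TEST-ROOT-CA.cer" "$WORK/pam323.cer" && echo "chain verifies"
```

When a subordinate CA sits between the root and your server certificate, add `-untrusted sub-ca.cer` to the `openssl verify` call so the intermediate is part of the chain being checked.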


You can now upload these certificates to PAM.

You should upload the ROOT CA certificate first, then the subordinate CA certificates in order down the chain.


Navigate to "Config - Security - Certificate - Upload" and perform the following.

  1. Type: CA Bundles
  2. Other Options: X509
  3. Filename: TEST-ROOT-CA.cer
  4. Destination Filename: test-root-ca
  5. UPLOAD


pam ca upload1

You will get a notification that it was successfully uploaded.


pam ca upload2

Repeat this step until you have imported all the CA and subordinate CA certificates.



You can verify that it was imported into the correct section by going to the "Download" tab and checking the dropdown list.



Next, import the server certificate.

 

Go back to "Upload" tab and perform the following:

  1. Type: Certificate
  2. Other Options: X509
  3. Filename: pam323.cer
  4. Destination Filename: pam323
  5. UPLOAD


The "Destination Filename" IS VERY IMPORTANT: it must match the private key filename (do not specify the extension; PAM will add it for you)!


pam cert upload

You should get a notification.


pam cert upload2

Now you can verify the certificate is imported correctly.


pam cert upload3
 
