This article guides you through the steps from generating a CSR (Certificate Signing Request) in PAM all the way to importing the certificate issued by a third-party CA.
Release: 4.0
Component: CAPAMX
The use case is PAM generating a CSR (Certificate Signing Request) and having a trusted Certificate Authority issue a certificate.
PAM generating the CSR means:
Go to "Configuration - Security - Certificates" in the PAM GUI and perform the following.
You will get a notification saying CSR was generated.
Navigate to the "Download" tab, select "pam323.pem" from the dropdown list and click "DOWNLOAD".
Note: there is a "pam323.key" file in the "Private Keys" section. This is the private key for pam323.
Save the file somewhere safe; it is saved as "pam323.pem".
The content is in PEM (Base64) format.
Send this over to the Certificate Authority and download the issued Certificate.
In this example, I am sending it to Microsoft Certificate Services.
It is common to receive a DER-encoded certificate file (meaning the content is binary) instead of a PEM-encoded one (meaning Base64 encoded, thus text content). I am downloading in DER format here so that I can demonstrate converting the certificate encoding format later.
The default filename given was certnew.cer, and I will download it as is, in DER format.
You should download the certificate chain as well.
In this example, my Certificate Authority is not a publicly trusted CA, so I will need to import the certificate chain (the issuer and all the subordinate CA certificates).
Once you have downloaded this certnew.p7b, double-click on it.
It is a certificate container and you can find your server certificate as well as the CA certificate.
You may find more certificates if there are subordinate CAs.
Download all CA and subordinate CA certificates.
For example, if you check the certificate for www.msn.com, it shows that it has a subordinate CA.
Back in the certificate container, you can double-click on each certificate.
Then navigate to the "Details" tab.
Click on the "Copy to File…" button and save in Base-64 encoded format (which is PEM).
I saved it as "TEST-ROOT-CA.cer".
Now double-click on the server certificate you downloaded (certnew.cer; the one in the certificate container is the same thing, so you can double-click on that too).
As before, go to the "Details" tab and click on "Copy to File…".
Note the Issuer and the Subject.
Also note that the Subject Alternative Name has the 3 FQHNs that were in the CSR.
Save it in Base-64 format.
Now you have the CA certificate (and, depending on your CA, there might be additional subordinate CA certificates) downloaded and saved in PEM format.
The server certificate is also downloaded and saved in PEM format, matching the CSR filename (not the extension).
You can now upload these certificates to PAM.
Upload in order, starting with the root CA certificate and then working down through the subordinate CA certificates.
Navigate to "Config - Security - Certificate - Upload" and perform the following.
You will get a notification that it was successfully uploaded.
Repeat this step until you have imported all the CA and subordinate CA certificates.
You can verify that each one was imported into the correct section by going to the "Download" tab and checking the dropdown list.
Next, import the server certificate.
Go back to the "Upload" tab and perform the following:
The "Destination Filename" IS VERY IMPORTANT: it must match the private key filename (do not specify the extension, PAM will add it for you)!
You should get a notification.
Now you can verify the certificate is imported correctly.
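The DER-to-PEM conversion and two pre-upload checks (the certificate carries the same public key as the CSR, and it chains to the CA certificate) can also be done with the openssl command line instead of the Windows export dialog. The script below is an added example, not part of the original article or the product. It assumes openssl is installed, its function names are hypothetical, the output name "pam323.crt" is an assumed name, and it runs against a throwaway CA and keys constructed on the spot.

```shell
#!/bin/sh
# Added example; function names are hypothetical, file names follow the article
# (pam323.pem = CSR, certnew.cer = issued certificate, TEST-ROOT-CA.cer = CA).

# to_pem IN OUT: write a PEM copy of certificate IN, whether IN is DER or PEM.
to_pem() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        openssl x509 -in "$1" -out "$2"
    else
        openssl x509 -inform DER -in "$1" -out "$2"
    fi
}

# cert_matches_csr CERT_PEM CSR_PEM: true only if both carry the same public key,
# i.e. the certificate belongs to the private key PAM created with the CSR.
cert_matches_csr() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    csr_pub=$(openssl req -in "$2" -noout -pubkey) || return 2
    [ "$cert_pub" = "$csr_pub" ]
}

# chain_ok CA_PEM CERT_PEM: true if CERT_PEM verifies against the CA certificate.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_fixture DIR: constructed stand-ins for the article's files (throwaway keys).
# other.pem is an unrelated CSR, used to show that a mismatch is detected.
make_fixture() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=TEST-ROOT-CA" \
        -keyout "$1/ca.key" -out "$1/TEST-ROOT-CA.cer" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=pam323" \
        -keyout "$1/pam323.key" -out "$1/pam323.pem" 2>/dev/null &&
    openssl x509 -req -in "$1/pam323.pem" -CA "$1/TEST-ROOT-CA.cer" \
        -CAkey "$1/ca.key" -CAcreateserial -days 1 \
        -outform DER -out "$1/certnew.cer" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=other" \
        -keyout "$1/other.key" -out "$1/other.pem" 2>/dev/null
}

# Demo run on the constructed files.
demo_dir=$(mktemp -d)
make_fixture "$demo_dir" &&
to_pem "$demo_dir/certnew.cer" "$demo_dir/pam323.crt" &&
cert_matches_csr "$demo_dir/pam323.crt" "$demo_dir/pam323.pem" &&
chain_ok "$demo_dir/TEST-ROOT-CA.cer" "$demo_dir/pam323.crt" &&
echo "pam323.crt is PEM, matches the CSR and chains to TEST-ROOT-CA"
```

With real files, skip make_fixture and point the three functions at the downloaded CSR, the issued certificate and the exported CA certificate.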