How to deploy a certificate issued by customer's internal Certification Authority into CA PAM?

book

Article ID: 14616

calendar_today

Updated On:

Products

CA Privileged Access Manager - Cloakware Password Authority (PA) PAM SAFENET LUNA HSM CA Privileged Access Manager (PAM)

Issue/Introduction

Customer has their own Certification Authority to issue certificates to their internal servers. Since this is an internal rootCA, it is not known by any standard browser nor the JVM, as well as it is unknown to CA PAM. In this article we will describe the steps you need to follow to import the certificate into CA PAM properly.

 

The steps on this article intend to work around the error "could not identify local issuer".



How to deploy a certificate issued by customer's internal Certification Authority into CA PAM?

Environment

Release: PAMDKT99500-2.8-Privileged Access Manager-NSX API PROXY
Component:

Resolution

1. Export the root CA from the Certificate Authority and any intermediate CA that may be listed on the appliance certificate chain; 

2. Open the CA PAM client and navigate to Config / Security; 

3. Under Certificates, select CA Bundles and import the root CA and intermediate CA; 

4. Configure the CRL to Automatic, pointing to the rootCA CRL URL; 

5. Import the appliance certificate. Before importing, ensure that the certificate file name end in .crt and not .cer (or something else). The certificate, after being imported to CA PAM, must be listed as <filename>.crt - also, it is important to remember to set the certificate file with the same name as the CSR was set (for example, if you used the default value, the CSR was created as default.pem - so the certificate file must be imported as default.crt)

Additional Information

See also

How to use MS PKI to sign the certificate request issued by Xsuite

https://comm.support.ca.com/kb/how-to-use-ms-pki-to-sign-the-certificate-request-issued-by-xsuite/kb000042197