Certificate details differ in PAM Client and the browser

Article ID: 199058

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

When you compare the details of a certificate as shown by the browser with those of the same certificate imported into the PAM Client, the serial number is the same but the public key is different. Since it is the same certificate, why is there such a difference?

See for instance





Cause

This is working as designed. The client keystore is based on the Java keystore, so it keeps the certificate in a different format from the browser; in particular, the public key is represented in a different way.

Environment

PRIVILEGED ACCESS MANAGEMENT, all versions

Resolution

There is no resolution, as this is working as designed. However, to double-check that both are the same certificate, one can follow this procedure:

The CA PAM Client certificates are in the CA PAM Client directory, in a file called cacerts. If one knows the alias of the certificate to check (it is shown when you open the properties of the certificate in the PAM Client Certificate Store tab), one can run

keytool -list -rfc -keystore cacerts -alias <certificate_alias_here> | openssl x509 -inform pem -pubkey -noout

That uses keytool to export the certificate in X.509 (PEM) format and then openssl to extract the public key. It will ask for a password, which is blank by default.

If one then exports the certificate from Windows in DER format, one can run the equivalent command

openssl x509 -inform der -pubkey -noout -in <certificate_exported_from_windows_here>

Comparing the two outputs, both keys should be the same.
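
The two checks above can be combined into one script. This is an added example, not part of the original article or the product: the function names and file arguments are hypothetical, and it assumes the keytool output was saved to a file. It also compares the SHA-256 certificate fingerprint, because a matching public key shows the same key pair but not necessarily the same certificate.

```sh
#!/bin/sh
# Added example, not vendor code. Assumed inputs:
#   $1 = PEM file saved from: keytool -list -rfc -keystore cacerts -alias <alias>
#   $2 = DER file exported from Windows

# Print the value of one "name=value" attribute reported by openssl x509.
# Usage: cert_field pem|der FILE X509_FLAGS...
cert_field() {
    fmt=$1 file=$2; shift 2
    out=$(openssl x509 -inform "$fmt" -in "$file" -noout "$@" 2>/dev/null) || return 1
    [ -n "$out" ] || return 1
    printf '%s\n' "${out#*=}"
}

# Print the SHA-256 of the DER-encoded SubjectPublicKeyInfo.
# The key is captured first so an unreadable file fails here instead of
# producing the hash of empty input on both sides (a false match).
spki_sha256() {
    pub=$(openssl x509 -inform "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | openssl pkey -pubin -outform der |
        openssl dgst -sha256 | awk '{print $NF}'
}

# Print a verdict; exit status 0 only when both files hold the same certificate.
compare_certs() {
    fp_a=$(cert_field pem "$1" -fingerprint -sha256) &&
    fp_b=$(cert_field der "$2" -fingerprint -sha256) &&
    key_a=$(spki_sha256 pem "$1") &&
    key_b=$(spki_sha256 der "$2") || { echo "unreadable-input"; return 2; }

    if [ "$fp_a" = "$fp_b" ]; then
        echo "same-certificate"; return 0
    fi
    if [ "$key_a" = "$key_b" ]; then
        # Same key pair reused in another certificate (for example a renewal).
        echo "same-key-different-certificate"; return 1
    fi
    echo "different-key"; return 1
}

# Run as: sh compare_certs.sh pam_client.pem windows_export.der
if [ "$#" -eq 2 ]; then
    compare_certs "$1" "$2"
fi
```

The keytool header lines before the BEGIN CERTIFICATE marker do not need to be removed, since openssl skips them when reading PEM.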