
[PAM] Applying SSL Certificate and its file extensions


Article ID: 202685


Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

The steps are documented here:

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/3-3-2/implementing/configuring-your-server/configure-security-settings/create-a-self-signed-certificate-or-a-certificate-signing-request/request-certificates-for-a-cluster.html

 

Environment

Release : 3.x / 4.0.x/4.1.x

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

The documentation provides detailed instructions, but there are things a PAM Administrator needs to be aware of when applying certificates.

The confusing part is the "Filename" field.

In some steps you must not specify an extension; otherwise you end up with <filename>.<extension>.[pem|crt|cer], a double extension.

In other steps you must specify an extension; otherwise you end up with <filename> with no extension at all.


1. When generating a CSR, enter only a name without an extension in the "Filename" field.

A ".pem" extension is added automatically.

On the Download tab you will see that the CSR file actually has the ".pem" extension.

You will also see that the private key has a ".key" extension, although none was specified.

 

2. When importing a CA certificate (or its chain), the "Destination Filename" must include the extension.

The screenshot in the original article shows the result when the extension is omitted: the stored file has no extension.

If the certificate is a binary (DER) file, choose X.509.

If the certificate is a text (Base64) file, choose PKCS.


3. When importing the signed certificate, do not specify an extension.

You can check that the certificate is assigned a ".crt" extension.

 

4. Next, go to the "Set" tab, select the newly uploaded certificate (only certificates that have a key pair are listed) and click ACCEPT.

This reboots the PAM node, and the new certificate takes effect.

Note that in current releases the reboot may not be automatic; you will be asked to perform one. You can do some administrative tasks between setting the new certificate and performing the reboot (from the Configuration > Power page), but keep this interval short: PAM user sessions are likely to have problems while the new certificate is set but the node has not yet been rebooted. In general we recommend putting the node in maintenance mode, waiting for user sessions to end, updating the certificate, rebooting, and then taking the node out of maintenance mode. In an active cluster this should be done one node at a time in the primary site. In secondary sites the site leader should be updated separately from the other site nodes.
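Before uploading anything, it is worth checking on your workstation which format each file is in (so you pick the right import option in step 2) and whether the name PAM will store ends up with exactly one extension (the double-extension and no-extension pitfalls in steps 1 to 3). The Python script below is an added example; it is not part of the original article and not PAM product code. The X.509/PKCS mapping simply encodes the rule stated in step 2, the sample certificate bytes are constructed (a minimal ASN.1 SEQUENCE, not a real certificate), and all function names are the example's own.

```python
import base64
import re

# Constructed sample data: a minimal ASN.1 DER SEQUENCE { INTEGER 1 }
# standing in for a certificate body. Not a real certificate.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER)
    + b"-----END CERTIFICATE-----\n"
)

# Extensions this check recognises as certificate/key file extensions.
CERT_EXTS = {"pem", "crt", "cer", "der", "key", "p7b"}

_PEM_BLOCK = re.compile(
    rb"-----BEGIN [A-Z0-9 ]+-----\s*(.*?)\s*-----END [A-Z0-9 ]+-----", re.S
)


def detect_format(data: bytes) -> str:
    """Classify raw file bytes as 'PEM', 'DER' or 'UNKNOWN'.

    PEM (Base64 text) files start with a '-----BEGIN ...-----' line; a DER
    X.509 certificate is an ASN.1 SEQUENCE, so its first byte is the tag 0x30.
    """
    if data.lstrip().startswith(b"-----BEGIN "):
        return "PEM"
    if data[:1] == b"\x30":
        return "DER"
    return "UNKNOWN"


def pam_import_type(fmt: str) -> str:
    """Map the detected format to the import option named in step 2 of the
    article (binary/DER -> X.509, text/Base64 -> PKCS)."""
    if fmt == "DER":
        return "X.509"
    if fmt == "PEM":
        return "PKCS"
    raise ValueError(f"cannot choose an import type for format {fmt!r}")


def pem_to_der(data: bytes) -> bytes:
    """Extract and Base64-decode the first PEM block, giving the DER bytes."""
    match = _PEM_BLOCK.search(data)
    if match is None:
        raise ValueError("no PEM block found in input")
    return base64.b64decode(match.group(1))


def check_stored_name(stored_name: str) -> list:
    """Return problems with the filename PAM will store (as shown on the
    Download tab): a double extension such as 'ca.pem.crt', or no
    extension at all. An empty list means the name is fine."""
    exts = [p for p in stored_name.lower().split(".")[1:] if p in CERT_EXTS]
    problems = []
    if len(exts) > 1:
        problems.append("double extension: ." + ".".join(exts))
    if not exts:
        problems.append("no certificate extension")
    return problems


def inspect_file(path: str) -> dict:
    """Report a file's format, the import option to pick, and name problems."""
    with open(path, "rb") as fh:
        data = fh.read()
    fmt = detect_format(data)
    return {
        "path": path,
        "format": fmt,
        "import_type": pam_import_type(fmt) if fmt != "UNKNOWN" else None,
        "name_problems": check_stored_name(path.rsplit("/", 1)[-1]),
    }


if __name__ == "__main__":
    import os
    import tempfile

    # Write the constructed samples to a temp dir and inspect them; the
    # second name deliberately carries a double extension.
    with tempfile.TemporaryDirectory() as tmp:
        pem_path = os.path.join(tmp, "rootca.pem")
        der_path = os.path.join(tmp, "rootca.pem.cer")
        with open(pem_path, "wb") as fh:
            fh.write(SAMPLE_PEM)
        with open(der_path, "wb") as fh:
            fh.write(SAMPLE_DER)
        for p in (pem_path, der_path):
            print(inspect_file(p))
```

Run it against the files you intend to upload; a name reported with a double extension means you typed an extension in a field where PAM adds one (steps 1 and 3), and a name with no extension means you omitted it where PAM expects one (step 2). The format detection is a byte-level heuristic, not a full parser: a real check of certificate contents still belongs to openssl or an equivalent tool.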

 

Attachments