Create a signed certificate and keystore for PAM Threat Analytics

Article ID: 280712

Products

CA Threat Analytics for PAM

Issue/Introduction

Applying a signed certificate to CA PAM Threat Analytics works differently from applying one to a CA PAM server or cluster. A PAM appliance expects the certificate in an X.509 or PKCS formatted file, whereas the Threat Analytics server expects a Java JKS formatted keystore. The product manuals describe how to apply the keystore, but because the procedure for requesting a signed certificate and packaging it in that format differs so much, this article describes one way to simplify it. The only requirement is a properly formatted keystore (JKS), so if you already have a valid keystore you do not need to follow these steps.

Note: The Threat Analytics server does not need to use the same server certificate as your PAM cluster, but it makes sense for both to be signed by the same Certificate Authority to avoid confusion when both services are loaded on the same machine or in the same browser.

Resolution

This procedure was tested with Java version 1.8. Newer Java versions may alter optional parameters.

Before starting, choose a strong password for this keystore. You will need it throughout the procedure.

Open a command prompt (cmd.exe).

Next, ensure your PATH variable includes the Java bin directory:

SET PATH=%PATH%;C:\Program Files\<java jdk path>\bin

Change directory to the location where the new keystore (JKS) will be stored:

cd c:\<directory to store new jks>

Create a new JKS containing a key pair with Subject Alternative Names (SANs) defined:

keytool -alias server -dname "cn=<Threat Analytics Server>, o=<Organization/Company>, c=<Country Code>, st=<State or Province>" -genkeypair -ext san=dns:<short_hostname>,dns:<FQDN>,ip:<host IP> -storepass <secure password> -keyalg RSA -keystore <hostname-date>.jks

[Optional: your signing authority may require additional distinguished name attributes. A fuller -dname value, with every attribute separated by a comma, looks like this (locality/city is the l attribute):]

-dname "cn=<Threat Analytics Server>, o=<Organization/Company>, ou=<Organizational Unit>, c=<Country Code>, st=<State or Province>, l=<Locality/City>, dc=<domain components>"


Create a CSR that carries the same Subject Alternative Names. keytool does not copy the SAN extension from the keystore into the CSR, so -ext must be given again:

keytool -keystore <hostname-date>.jks -certreq -alias server -ext san=dns:<short_hostname>,dns:<FQDN>,ip:<host IP> -keyalg RSA -file <hostname-date>.csr

[Optional: create a CSR without SANs]

keytool -keystore <hostname-date>.jks -certreq -alias server -keyalg RSA -file <hostname-date>.csr
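The two generation steps above, driven from a single host description so the distinguished name and SAN list cannot drift between the keystore and the CSR. This is an added example and not code from the article or the product: the host name, IP address, organization and file names are constructed, and it assumes a Java 8 keytool on PATH with the keystore password exported in a KEYSTORE_PASS environment variable (keytool's `-storepass:env` / `-keypass:env` forms) rather than typed on the command line.

```python
"""Builds the keytool -genkeypair and -certreq command lines from one host
description. Added example, not code from the article: host names, IP, org and
file names are constructed; it assumes a Java 8 keytool on PATH and the keystore
password exported in the KEYSTORE_PASS environment variable."""
import ipaddress
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class HostIdentity:
    short_name: str   # constructed, e.g. ta01
    fqdn: str         # constructed, e.g. ta01.example.com
    ip: str
    org: str
    state: str
    country: str
    locality: Optional[str] = None


def _esc(value: str) -> str:
    """Escape commas and backslashes so a value cannot split the RDN list."""
    return re.sub(r"([,\\])", r"\\\1", value)


def dname(h: HostIdentity) -> str:
    """-dname value with every RDN comma-separated; locality is l=, not i=."""
    rdns = [f"cn={_esc(h.fqdn)}", f"o={_esc(h.org)}"]
    if h.locality:
        rdns.append(f"l={_esc(h.locality)}")
    rdns += [f"st={_esc(h.state)}", f"c={h.country}"]
    return ", ".join(rdns)


def san_ext(h: HostIdentity) -> str:
    """-ext value naming short host, FQDN and IP so any of them validates in TLS."""
    ipaddress.ip_address(h.ip)  # raises ValueError on a malformed address
    return f"san=dns:{h.short_name},dns:{h.fqdn},ip:{h.ip}"


def keytool_commands(h: HostIdentity, keystore: str, csr: str,
                     alias: str = "server") -> List[List[str]]:
    """The two generation steps as argv lists, in order. Passwords are read
    from the environment instead of being typed on the command line."""
    auth = ["-keystore", keystore, "-storepass:env", "KEYSTORE_PASS",
            "-keypass:env", "KEYSTORE_PASS"]
    return [
        ["keytool", "-genkeypair", "-alias", alias, "-keyalg", "RSA", "-keysize", "2048",
         "-dname", dname(h), "-ext", san_ext(h), *auth],
        # -ext is repeated: the SAN must travel in the CSR for the CA to sign it
        ["keytool", "-certreq", "-alias", alias, "-ext", san_ext(h), "-file", csr, *auth],
    ]


def run(commands: List[List[str]]) -> None:
    """Run each step in order and stop at the first failure (non-zero exit)."""
    for argv in commands:
        subprocess.run(argv, check=True)


if __name__ == "__main__":
    host = HostIdentity("ta01", "ta01.example.com", "10.0.0.5",
                        "Example Corp", "Texas", "US", locality="Austin")
    for argv in keytool_commands(host, "ta01-20240101.jks", "ta01-20240101.csr"):
        print(" ".join(argv))
    # run(keytool_commands(host, ...)) once KEYSTORE_PASS is exported
```

Printing the argv lists first lets you eyeball the DN and SAN before anything is written to disk; call `run()` only after that check.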

Submit the CSR to your signing Certificate Authority.

Import the certificates returned by the CA into the keystore in the following order (root, then intermediate, then the server certificate under the same alias as the key pair):

keytool -importcert -alias root -keystore <hostname-date>.jks -trustcacerts -file <root>.crt

keytool -importcert -alias intermediate -keystore <hostname-date>.jks -trustcacerts -file <intermediate>.crt

keytool -importcert -alias server -keystore <hostname-date>.jks -file <hostname-server-date>.crt

Note: When you import the root certificate you will be prompted to trust it. Once that succeeds you will not be prompted for the intermediate or the server certificate, because they chain to the now-trusted root. If any of these imports fails, work with your TLS certificate team to resolve it.

Additionally, if your certificate or certificate chain was delivered in p7b format, you will first need to export the individual certificates using certmgr or openssl commands.

Confirm the keystore is complete before importing it into the PAM Threat Analytics appliance:

keytool -v -list -keystore <hostname-date>.jks
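A listing alone is easy to misread: the most common failure is a key entry whose chain length is still 1, meaning the CA reply never replaced the self-signed certificate. The checker below parses `keytool -v -list` output and reports whether the `server` entry holds the full signed chain with the expected CN and SANs and whether the CA certificates are present as trusted entries. This is an added example, not code from the article or the product; the embedded listing is a constructed, abridged sample of keytool's verbose output, and the host names and IP in it are made up.

```python
"""Checks `keytool -v -list` output for a PAM Threat Analytics keystore: the
key entry must hold the CA-signed chain (not the original self-signed cert),
carry the expected CN and SANs, and the CA certificates must be present as
trusted entries. Added example, not code from the article; SAMPLE_LISTING is a
constructed, abridged imitation of keytool's output."""
import re
from typing import Dict, List

SAMPLE_LISTING = """Keystore type: JKS
Your keystore contains 3 entries

Alias name: server
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=ta01.example.com, O=Example Corp, L=Austin, ST=Texas, C=US
Issuer: CN=Example Issuing CA, O=Example Corp, C=US
SubjectAlternativeName [
  DNSName: ta01
  DNSName: ta01.example.com
  IPAddress: 10.0.0.5
]
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example Corp, C=US
Certificate[3]:
Owner: CN=Example Root CA, O=Example Corp, C=US

Alias name: intermediate
Entry type: trustedCertEntry
Owner: CN=Example Issuing CA, O=Example Corp, C=US

Alias name: root
Entry type: trustedCertEntry
Owner: CN=Example Root CA, O=Example Corp, C=US
"""


def parse_listing(text: str) -> Dict[str, dict]:
    """Split keytool's verbose listing into one record per alias."""
    heads = list(re.finditer(r"^Alias name: (\S+)$", text, re.M))
    entries: Dict[str, dict] = {}
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        chunk = text[head.end():end]
        etype = re.search(r"^Entry type: (\S+)", chunk, re.M)
        chain = re.search(r"^Certificate chain length: (\d+)", chunk, re.M)
        leaf = chunk.split("Certificate[2]:")[0]  # end-entity certificate only
        cn = re.search(r"^Owner: CN=([^,\n]+)", leaf, re.M | re.I)
        entries[head.group(1)] = {
            "type": etype.group(1) if etype else "",
            "chain_len": int(chain.group(1)) if chain else 1,
            "leaf_cn": cn.group(1).strip() if cn else "",
            "sans": set(re.findall(r"(?:DNSName|IPAddress): (\S+)", leaf)),
        }
    return entries


def check_keystore(listing: str, fqdn: str, short_name: str, ip: str,
                   alias: str = "server", with_intermediate: bool = True) -> List[str]:
    """Return the problems found; an empty list means the keystore is ready."""
    entries = parse_listing(listing)
    entry = entries.get(alias)
    if entry is None or entry["type"] != "PrivateKeyEntry":
        return [f"no PrivateKeyEntry under alias {alias!r}"]
    problems = []
    want = 3 if with_intermediate else 2
    if entry["chain_len"] < want:
        problems.append(f"chain length {entry['chain_len']}, expected {want}: "
                        "the CA reply was not imported into the key entry")
    if entry["leaf_cn"].lower() != fqdn.lower():
        problems.append(f"leaf CN is {entry['leaf_cn']!r}, expected {fqdn!r}")
    missing = {short_name, fqdn, ip} - entry["sans"]
    if missing:
        problems.append(f"SAN is missing {sorted(missing)}")
    for ca in ["root"] + (["intermediate"] if with_intermediate else []):
        if entries.get(ca, {}).get("type") != "trustedCertEntry":
            problems.append(f"no trustedCertEntry under alias {ca!r}")
    return problems


if __name__ == "__main__":
    # Real use: pass in the captured output of
    #   keytool -v -list -keystore <hostname-date>.jks
    # in place of SAMPLE_LISTING.
    print(check_keystore(SAMPLE_LISTING, "ta01.example.com", "ta01", "10.0.0.5")
          or ["keystore OK"])
```

Set `with_intermediate=False` if your CA issued directly from the root; the expected chain length then drops to 2 and no `intermediate` alias is required.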