Loaded server certificate cannot be selected for server authentication

Article ID: 6482

Products

CA Privileged Access Manager - Cloakware Password Authority (PA)
PAM SAFENET LUNA HSM
CA Privileged Access Manager (PAM)

Issue/Introduction

We obtained a new server certificate and loaded it into PAM with the full cert chain, but it does not show up in the list of certificates on the Config > Security page under "Set Certificate". The certificate has extended key usage "Any purpose", which should include server authentication.

Cause

CA PAM does not accept the generic "Any purpose" extended key usage. If extended key usage is defined, it has to include Server Authentication explicitly.

Environment

Release: PAMDKT99500-2.7-Privileged Access Manager-NSX API PROXY
Component:

Resolution

There is no workaround. You will have to obtain a new certificate that specifically includes Server Authentication in the Extended Key Usage attribute. A certificate without any extended key usage defined should work, but we recommend being specific in the key usage. If you want to use the same certificate to sign the CA PAM applet jar files, make sure to include the Code Signing extended key usage.
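A pre-upload check for the rule described above, as an added example that is not part of the original article and is not Broadcom's code. The function names are hypothetical, the two sample values are constructed bare EKU extension fragments rather than complete certificates, and the minimal DER walker assumes well-formed input.

```python
import base64

EKU_EXT = bytes.fromhex("551d25")                 # OID 2.5.29.37 (extendedKeyUsage)
NAMES = {
    bytes.fromhex("2b06010505070301"): "serverAuth",            # 1.3.6.1.5.5.7.3.1
    bytes.fromhex("2b06010505070303"): "codeSigning",           # 1.3.6.1.5.5.7.3.3
    bytes.fromhex("551d2500"): "anyExtendedKeyUsage",           # 2.5.29.37.0
}
# Constructed samples: bare EKU extension DER, not complete certificates.
ANY_ONLY = bytes.fromhex("300f0603551d25040830060604551d2500")
SERVER_AND_CODE = bytes.fromhex(
    "301d0603551d250416301406082b0601050507030106082b06010505070303")

def tlvs(buf):
    """Yield (tag, value) for each DER element at one nesting level."""
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:                              # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        yield tag, buf[i:i + n]
        i += n

def eku_names(der):
    """Return the EKU purposes found in DER, or None if the extension is absent."""
    for tag, val in tlvs(der):
        if not tag & 0x20:                        # primitive: nothing nested
            continue
        kids = list(tlvs(val))
        if tag == 0x30 and kids and kids[0] == (0x06, EKU_EXT):
            seq = next(tlvs(kids[-1][1]))[1]      # OCTET STRING -> SEQUENCE OF OID
            return [NAMES.get(v, v.hex()) for _, v in tlvs(seq)]
        found = eku_names(val)
        if found is not None:
            return found
    return None

def check(data):
    """Apply this article's rule to a PEM or DER cert; returns (selectable, reason)."""
    if b"-----BEGIN" in data:                     # PEM: decode the first block only
        lines = data.split(b"-----END")[0].splitlines()
        data = base64.b64decode(b"".join(l for l in lines if b"-----" not in l))
    ekus = eku_names(data)
    if ekus is None:
        return True, "no EKU extension"
    if "serverAuth" in ekus:
        return True, "serverAuth listed" + (", codeSigning too" if "codeSigning" in ekus else "")
    return False, "EKU lacks explicit serverAuth: " + ", ".join(ekus)
```

Pass the raw bytes of the new certificate file to `check()` before loading it; with a PEM chain file only the first certificate is examined.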