Loaded server certificate cannot be selected for server authentication


Article ID: 6482




Products: CA Privileged Access Manager - Cloakware Password Authority (PA); PAM SAFENET LUNA HSM; CA Privileged Access Manager (PAM)


We obtained a new server certificate and loaded it into PAM with the full cert chain, but it does not show up in the list of certificates on the Config > Security page under "Set Certificate". The certificate has extended key usage "Any purpose", which should include server authentication.


CA PAM does not accept the generic "Any purpose" extended key usage. If extended key usage is defined, it has to include Server Authentication explicitly.


Release: PAMDKT99500-2.7-Privileged Access Manager-NSX API PROXY


There is no workaround. You will have to obtain a new certificate that specifically includes Server Authentication in the Extended Key Usage attribute. A certificate without any extended key usage defined should work, but we recommend being specific in the key usage. If you want to use the same certificate to sign the CA PAM applet jar files, make sure to include the Code Signing extended key usage.
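
The rule above can be checked before a certificate is loaded. The following Python is an added example, not CA PAM code and not part of the original article: it reads the Extended Key Usage extension from DER data and applies the rule as stated here. The function names and the sample DER fragments are constructed for illustration, and how PAM performs the check internally is not documented on this page.

```python
EKU_EXT, SERVER_AUTH = "2.5.29.37", "1.3.6.1.5.5.7.3.1"   # id-ce-extKeyUsage, id-kp-serverAuth

def tlvs(buf):
    """Yield (tag, value) for each DER element in buf (single-byte tags only)."""
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:                 # long-form length: next (n & 0x7F) bytes hold it
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        yield tag, buf[i:i + n]
        i += n

def oid(v):
    """Decode an OBJECT IDENTIFIER value to dotted form."""
    first = min(v[0] // 40, 2)
    arcs, n = [first, v[0] - 40 * first], 0
    for b in v[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:             # high bit clear: last byte of this arc
            arcs, n = arcs + [n], 0
    return ".".join(map(str, arcs))

def find_eku(der):
    """Return the EKU OIDs found in DER data, or None if there is no EKU extension."""
    for tag, val in tlvs(der):
        if not tag & 0x20:           # primitive element, nothing nested inside
            continue
        items = list(tlvs(val))
        if tag == 0x30 and items and items[0][0] == 0x06 and oid(items[0][1]) == EKU_EXT:
            (_, seq), = tlvs(items[-1][1])   # extnValue wraps a SEQUENCE OF OID
            return [oid(v) for _, v in tlvs(seq)]
        found = find_eku(val)
        if found is not None:
            return found
    return None

def pam_selectable(der):
    """Rule stated in the article: EKU absent, or Server Authentication listed explicitly."""
    eku = find_eku(der)
    if eku is None:
        return True, "no EKU extension"
    ok = SERVER_AUTH in eku
    return ok, "Server Authentication listed" if ok else "EKU lacks it: " + ", ".join(eku)

# Constructed samples: only the [3] extensions field of a certificate, DER as hex.
ANY_PURPOSE = bytes.fromhex("a3133011300f0603551d25040830060604551d2500")
SERVER_AND_CODE = bytes.fromhex("a321301f301d0603551d250416301406082b0601050507030106082b06010505070303")
NO_EKU = bytes.fromhex("a30d300b30090603551d1304023000")
```

For a real certificate file, convert the PEM text with `ssl.PEM_cert_to_DER_cert()` from the Python standard library and pass the result to `pam_selectable()`.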