What are the certificate options for the Password Capture Agent? (210583)

What are the certificate options for the Password Capture Agent?

When looking for further technical details regarding certificates for the One Identity Manager Password Capture Agent the main requirement during a normal setup is that the Web Server certificate be made available for validation on the Domain Controllers certificate store. The .NET methods are strict about certificate verification so it is important that the certificate host name match the Web Server host name exactly. 

Furthermore the environment (domain group policy objects and or IIS settings) could limit the following regarding certifications:

- Certificate signing algorithms

- Certificate hashing mechanisms 

- Encryption protocols

- Ciphers

- Hashes

- Key exchange algorithms 

 

Regarding the certificate itself, there should be no restrictions for the encryption, it can be a self-signed certificate with the only requirement being that it has to exist under a domain controller and service host, including both private keys. Neither .NET or Identity Manager check for the key usage or enhanced key usage. The only requirement being that the web service host be able to decrypt the messages received from the domain controller.