Return
-
Title
What are the certificate options for the Password Capture Agent? -
Description
When looking for further technical details regarding certificates for the One Identity Manager Password Capture Agent, the main requirement during a normal setup is that the Web Server certificate is made available for validation on the Domain Controller's certificate store. The .NET methods are strict about certificate verification so it is important that the certificate hostname match the Web Server hostname exactly.
Furthermore, the environment (domain group policy objects and or IIS settings) could limit the following regarding certifications:
- Certificate signing algorithms
- Certificate hashing mechanisms
- Encryption protocols
- Ciphers
- Hashes
- Key exchange algorithms -
Resolution
Regarding the certificate itself, there should be no restrictions for the encryption, it can be a self-signed certificate with the only requirement being that it has to exist under a domain controller and service host, including both private keys. Neither .NET or Identity Manager check for the key usage or enhanced key usage. The only requirement being that the web service host be able to decrypt the messages received from the domain controller.