There are three certificates used by Safeguard to provide Privileged Session functionality:
- Timestamping Authority Certificate – proves when a specific recording happened.
- Recording Signing Certificate – proves that a recording is authentic and unmodified.
- RDP Connection Signing Certificate – secures RDP connections (SSH sessions are secured by SSH key).
Each of these certificates must be trusted by the client workstations that will be making session requests and running RDP sessions. This can be accomplished either by signing the certificates with an enterprise root authority that the client workstations trust (recommended) or by distributing the certificates to each workstation via group policy or other distribution means.
While Safeguard ships with default certificates, customers may upload their own, and One Identity suggests that customers do so.
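One way to confirm on a client workstation that the three certificates meet the trust requirement above is to build each certificate's chain against the local Windows trust stores. This is an added example, not code from One Identity or the Certificate Guide; the file paths are placeholders and assume the certificates were exported to .cer files.

```powershell
# Added example. Paths are placeholders (assumptions): point them at the
# certificates exported from your own Safeguard appliance.
$certFiles = [ordered]@{
    'Timestamping Authority' = 'C:\Temp\safeguard-timestamping.cer'
    'Recording Signing'      = 'C:\Temp\safeguard-recording-signing.cer'
    'RDP Connection Signing' = 'C:\Temp\safeguard-rdp-signing.cer'
}

$report = foreach ($name in $certFiles.Keys) {
    $path = $certFiles[$name]
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "${name}: no file at $path"
        continue
    }

    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($path)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    # Test trust anchoring only; revocation reachability is a separate question.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

    # Build() returns $true only if the chain ends in a root this machine trusts.
    $trusted = $chain.Build($cert)
    $count   = $chain.ChainElements.Count
    $root    = if ($count -gt 0) { $chain.ChainElements[$count - 1].Certificate.Subject } else { $null }

    [pscustomobject]@{
        Purpose    = $name
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        SelfSigned = ($cert.Subject -eq $cert.Issuer)
        ChainRoot  = $root
        Trusted    = $trusted
        # Empty when the chain is valid; otherwise e.g. UntrustedRoot, NotTimeValid.
        Problems   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

$report | Format-Table Purpose, Trusted, SelfSigned, NotAfter, Problems -AutoSize

# Call out anything this workstation would not trust.
$report | Where-Object { -not $_.Trusted } | ForEach-Object {
    Write-Warning "$($_.Purpose) certificate is not trusted here: $($_.Problems)"
}
```

A result of `UntrustedRoot` means the issuing root (or the certificate itself, if self-signed) has not yet reached this workstation's trusted root store.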
More information can be found in the attached OneIdentitySafeguard_2.1_CertificateGuide_en-us file.