Creating a Certificate Signing Request for audit logs
If you do not want to use a default sessions certificate provided with Safeguard for Privileged Passwords, you can enroll a certificate using a Certificate Signing Request (CSR) to replace the default certificate.
To create a CSR for an audit log signing certificate
- Navigate to Administrative Tools | Settings | Certificates | Audit Log Signing Certificate.
- Click the Add Certificate button for the certificate to be replaced and select Create Certificate Signing Request (CSR).
- In the Certificate Signing Request dialog, enter the following information:
-
Subject (Distinguished Name): Enter the distinguished name of the person or entity to whom the certificate is being issued. Maximum length of 500 characters.
Note: Click Use Distinguished Name Creator to create the distinguished name based on fully-qualified domain name, department, organization unit, locality, state/county/region, and country.
- Alternate DNS Names: Optionally, enter additional or alternate host names (such as, IP addresses, sites, or common names) that are to be protected by this certificate.
-
Key Size: Select the bit length of the private key pair:
NOTE: The bit length determines the security level of the certificate. A higher bit length means stronger security.
-
Click OK to save your selections and enroll the certificate.
Certificates enrolled via CSR are listed in the Certificate Signing Request pane.
Certificate Signing Request
Some certificates require a digital signature before a certification authority (CA) can process the certificate request. The Certificate Signing Request pane displays details about any certificates enrolled via Certificate Signing Requests (CSRs). From this pane, you can also delete a CSR.
NOTE:Safeguard for Privileged Passwords supports the Public-Key Cryptography Standard (PKCS) #10 format for CSRs.
Navigate to Administrative Tools | Settings | Certificates | Certificate Signing Request. Certificates enrolled via a CSR appear on this pane including the following details.
Table 132: Certificate Signing Request: Properties
Subject |
The distinguished name of the person or entity to whom the certificate is being issued |
Certificate Type |
The type of certificate requested:
- Audit Log Signing Certificate
- SSL Certificate
|
Thumbprint |
A unique hash value that identifies the certificate |
Key Size |
The bit length of the private key pair |
Use these toolbar buttons to manage certificate signing requests.
Table 133: Certificate Signing Request: Toolbar
Delete Selected |
Delete the selected CSR from Safeguard for Privileged Passwords. |
Refresh |
Update the list of CSRs. |
SSL Certificates
Safeguard for Privileged Passwords enables an Appliance Administrator to upload SSL certificates with private keys or enroll SSL certificates via a CSR.
Initially, the default self-signed SSL certificate used for HTTPS is listed and assigned to the appliance. This default certificate is not a trusted certificate and should be replaced.
Navigate to Administrative Tools | Settings | Certificates | SSL Certificates. The SSL Certificates pane displays the following information for the SSL certificates stored in the database.
Table 134: SSL Certificates: Properties
Appliances |
Lists the name of the appliance to which the certificate is assigned. |
Subject |
The name of the subject (such as user, program, computer, service, or other entity) assigned to the certificate when it was requested. |
Alternate DNS Names |
Additional or alternate host names (such as IP addresses, sites, common names) that were specified when the certificate was requested. For the default self-signed SSL certificate, the name and IP address of the appliance is used. |
Invalid Before |
A start date and time that must be met before a certificate can be used. |
Expiration Date |
The date and time when the certificate expires and can no longer be used. |
Thumbprint |
A unique hash value that identifies the certificate. |
Issued By |
The name of the certificate authority (CA) that issued the certificate. |
Use these toolbar buttons to manage SSL certificates.
Installing an SSL certificate
To install an SSL certificate
- Navigate to Administrative Tools | Settings | Certificates | SSL Certificates.
- Click Add Certificate and select Upload Certificate.
- Browse to select the certificate file.
-
After the certificate has been uploaded, assign the certificate to one or more appliances. For more information, see Assigning a certificate to appliances.
You may also upload the certificate's root CA to the list of trusted certificates. For more information, see Trusted Certificates.
|
Caution: Improper access to the private SSL key could compromise traffic to and from the appliance. For the most secure configuration, create a Certificate Signature Request (CSR) and have it signed by your normal signing authority.
Then use the signed request as your Safeguard for Privileged Passwords SSL Webserver Certificate. This way, no administrator will have access to the private SSL key that is used by Safeguard for Privileged Passwords and the traffic will be secure. |