The Audit Log Signing Certificate pane on the Certificates setting page displays details about the certificate used to sign the audit log files saved to an archive server. The audit log signing certificate proves that the audit logs were created by and came from a particular Safeguard for Privileged Passwords cluster.
This signing certificate is used by administrators who want to verify that the exported Audit Log History originated from their Safeguard for Privileged Passwords cluster. This certificate's public key, in addition to the certificate's issuer, must be available if you wish to validate the signed audit log.
It is recommended to generate the CSR from within the Safeguard for Privileged Passwords user interface using the Add Certificate | Create Certificate Signing Request (CSR) option. The administrator will have a copy of the public key which will be used to verify the validity of the archived audit logs.
While Safeguard for Privileged Passwords ships a default audit log signing certificate, One Identity recommends that you load your own.
If you replace the default certificate with your own, the certificate must have the following:
You can have only one audit log signing certificate defined, which is used by all Safeguard for Privileged Passwords Appliances in the same cluster. That is, Safeguard for Privileged Passwords uses the default certificate or a certificate you uploaded to replace the default certificate.
Navigate to Administrative Tools | Settings | Certificates | Audit Log Signing Certificate. The following properties and controls are available to manage your audit log signing certificate.
Click Refresh to update the certificate displayed on the Audit Log Certificates pane.
The name of the subject (such as user, program, computer, service or other entity) assigned to the certificate when it was requested.
A unique hash value that identifies the certificate.
Click Add Certificate and select one of the following options to replace the default certificate with a new certificate:
Click Use Default to reset the certificate back to the default.
If you do not want to use the default certificate provided with Safeguard for Privileged Passwords, you can replace it with another certificate with a private key.
NOTE: For uploading certificates with private keys, Safeguard for Privileged Passwords supports .pfx (or .p12) files which follow the PKCS #12 standard.
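A pre-upload check for the .pfx (or .p12) file described above, as an added example that is not part of the Safeguard for Privileged Passwords documentation or product: it confirms that the bundle contains a private key matching its certificate and prints the thumbprint to compare with the one shown in the pane. It assumes OpenSSL is installed and that the displayed thumbprint is the SHA-1 hash of the DER-encoded certificate; the function names, the PFX_PASS variable and the throwaway certificate are constructed for illustration.

```shell
#!/bin/sh
# Added example (not One Identity code): pre-upload checks for a PKCS #12 file.
# The password is read from the exported PFX_PASS variable so that it does not
# appear in the process list.

# Succeed only if FILE holds a private key that matches its own certificate.
pfx_has_matching_key() {  # usage: pfx_has_matching_key FILE
    cert_pub=$(openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkcs12 -in "$1" -passin env:PFX_PASS -nocerts -nodes 2>/dev/null |
        openssl pkey -pubout 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Print the certificate thumbprint as bare uppercase hex.
# Assumption: the pane's Thumbprint is the SHA-1 of the DER-encoded certificate.
pfx_thumbprint() {  # usage: pfx_thumbprint FILE
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -fingerprint -sha1 2>/dev/null |
        sed 's/.*=//' | tr -d ':'
}

# Constructed sample input: a throwaway self-signed certificate, bundled once
# with its private key and once without, in a temporary directory.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
export PFX_PASS='constructed-demo-password'
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj '/CN=Constructed Audit Log Signing Demo' \
    -keyout "$demo/key.pem" -out "$demo/cert.pem" 2>/dev/null
openssl pkcs12 -export -inkey "$demo/key.pem" -in "$demo/cert.pem" \
    -passout env:PFX_PASS -out "$demo/with-key.pfx"
openssl pkcs12 -export -nokeys -in "$demo/cert.pem" \
    -passout env:PFX_PASS -out "$demo/cert-only.pfx"

for f in "$demo/with-key.pfx" "$demo/cert-only.pfx"; do
    if pfx_has_matching_key "$f"; then
        echo "$f: private key matches, thumbprint $(pfx_thumbprint "$f")"
    else
        echo "$f: no usable private key, not suitable for upload"
    fi
done
```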
Click the Add Certificate button for the sessions certificate to be replaced. Select the appropriate option:
If you do not want to use a default sessions certificate provided with Safeguard for Privileged Passwords, you can enroll a certificate using a Certificate Signing Request (CSR) to replace the default certificate.
Subject (Distinguished Name): Enter the distinguished name of the person or entity to whom the certificate is being issued. Maximum length of 500 characters.
Note: Click Use Distinguished Name Creator to create the distinguished name based on fully-qualified domain name, department, organization unit, locality, state/county/region, and country.
Key Size: Select the bit length of the private key pair:
NOTE: The bit length determines the security level of the certificate. A higher bit length means stronger security.
Click OK to save your selections and enroll the certificate.
Certificates enrolled via CSR are listed in the Certificate Signing Request pane.
Some certificates require a digital signature before a certification authority (CA) can process the certificate request. The Certificate Signing Request pane displays details about any certificates enrolled via Certificate Signing Requests (CSRs). From this pane, you can also delete a CSR.
NOTE: Safeguard for Privileged Passwords supports the Public-Key Cryptography Standard (PKCS) #10 format for CSRs.
Navigate to Administrative Tools | Settings | Certificates | Certificate Signing Request. Certificates enrolled via a CSR appear on this pane including the following details.
The distinguished name of the person or entity to whom the certificate is being issued.
The type of certificate requested:
Thumbprint: A unique hash value that identifies the certificate.
Key Size: The bit length of the private key pair.
Use these toolbar buttons to manage certificate signing requests.
Delete the selected CSR from Safeguard for Privileged Passwords.
Refresh: Update the list of CSRs.