After the certificate has been uploaded, assign the certificate to one or more appliances. For more information, see Assigning a certificate to appliances.
You may also upload the certificate's root CA to the list of trusted certificates. For more information, see Trusted Certificates.
Caution: Improper access to the private SSL key could compromise traffic to and from the appliance. For the most secure configuration, create a Certificate Signature Request (CSR) and have it signed by your normal signing authority.
Then use the signed request as your Safeguard for Privileged Passwords SSL Webserver Certificate. This way, no administrator will have access to the private SSL key that is used by Safeguard for Privileged Passwords and the traffic will be secure.
A certificate signing request (CSR) is submitted to a Certificate Authority (CA) to obtain a digitally signed certificate. When creating a CSR, you uniquely identify the user or entity that will use the requested certificate. Safeguard for Privileged Passwords allows you to upload or enroll SSL certificates using CSRs. Once uploaded or enrolled, the SSL certificate is added to the SSL certificate store allowing you to assign it to one or more Safeguard for Privileged Passwords Appliances.
Subject (Distinguished Name): Enter the distinguished name of the person or entity to whom the certificate is being issued. Maximum length of 500 characters.
Note: Click Use Distinguished Name Creator to create the distinguished name based on fully-qualified domain name, department, organization unit, locality, state/county/region, and country.
Key Size: Select the bit length of the private key pair:
NOTE: The bit length determines the security level of the SSL certificate. A higher bit length means stronger security.
Click OK to save your selections and enroll the certificate.
Certificates enrolled via CSR are listed in the SSL Certificates pane and the Certificate Signing Request pane.
Safeguard for Privileged Passwords supports an SSL certificate store that is owned by the cluster. This allows you to assign any SSL certificate that you have previously uploaded or enrolled via CSR to any appliance in your clustered environment.
It is the responsibility of the Appliance Administrator to add or remove trusted root certificates to the Safeguard for Privileged Passwords Appliance, if necessary, in order for the SSL certificate to resolve the chain of authority. When Safeguard for Privileged Passwords connects to an asset that has the Verify SSL Certificate option enabled, Safeguard for Privileged Passwords compares the signing authority of the certificate presented by the asset to the certificates in the trusted certificate store.
Navigate to Administrative Tools | Settings | Certificates | Trusted Certificates. The Trusted Certificates pane displays the following information for the user-supplied certificates added to the trusted certificate store.
|Subject||The name of the subject (such as user, program, computer, service or other entity) assigned to the certificate when it was requested.|
|Invalid Before||A "start" date and time that must be met before a certificate can be used.|
|Expiration Date||The date and time when the certificate expires and can no longer be used.|
|Thumbprint||A unique hash value that identifies the certificate.|
|Issued By||The name of the certificate authority (CA) that issued the certificate.|