Chat now with support
Chat with Support

We are currently experiencing issues on our phone support and are working diligently to restore services. For support, please sign in and create a case or email supportadmin@quest.com for assistance

One Identity Safeguard for Privileged Passwords 6.0.9 LTS - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Getting started with the desktop client Using the desktop client Search box Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Discovery Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificate settings Cluster settings External Integration settings Messaging settings Profile settings Safeguard Access settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP 2.7 or later migration guidance Appendix C: SPP and SPS join guidance Appendix D: Regular Expressions SPP glossary

Creating a Certificate Signing Request for audit logs

If you do not want to use a default sessions certificate provided with Safeguard for Privileged Passwords, you can enroll a certificate using a Certificate Signing Request (CSR) to replace the default certificate.

To create a CSR for an audit log signing certificate

  1. Navigate to Administrative Tools | Settings | Certificates | Audit Log Signing Certificate.
  2. Click the Add Certificate button for the certificate to be replaced and select Create Certificate Signing Request (CSR).
  3. In the Certificate Signing Request dialog, enter the following information:
    1. Subject (Distinguished Name): Enter the distinguished name of the person or entity to whom the certificate is being issued. Maximum length of 500 characters.

      NOTE: Click Use Distinguished Name Creator to create the distinguished name based on fully-qualified domain name, department, organization unit, locality, state/county/region, and country.

    2. Alternate DNS Names: Optionally, enter additional or alternate host names (such as, IP addresses, sites, or common names) that are to be protected by this certificate.
    3. Key Size: Select the bit length of the private key pair. The bit length determines the security level of the certificate. A higher bit length means stronger security.

      • 1024
      • 2048 (default)
      • 4096

  4. Click OK to save your selections and enroll the certificate.

    Certificates enrolled via CSR are listed in the Certificate Signing Request pane.

Certificate Signing Request

Some certificates require a digital signature before a certification authority (CA) can process the certificate request. The Certificate Signing Request pane displays details about any certificates enrolled via Certificate Signing Requests (CSRs). From this pane, you can also delete a CSR.

NOTE: Safeguard for Privileged Passwords supports the Public-Key Cryptography Standard (PKCS) #10 format for CSRs.

Navigate to Administrative Tools | Settings | Certificates | Certificate Signing Request. Certificates enrolled via a CSR appear on this pane including the following details.

Table 135: Certificate Signing Request: Properties
Property Description
Subject

The distinguished name of the person or entity to whom the certificate is being issued

Certificate Type

The type of certificate requested:

  • Audit Log Signing Certificate
  • SSL Certificate
Thumbprint A unique hash value that identifies the certificate
Key Size The bit length of the private key pair

Use these toolbar buttons to manage certificate signing requests.

Table 136: Certificate Signing Request: Toolbar
Option Description
Delete Selected

Delete the selected CSR from Safeguard for Privileged Passwords.

Refresh Update the list of CSRs.

SSL Certificates

Safeguard for Privileged Passwords enables an Appliance Administrator to upload SSL certificates with private keys or enroll SSL certificates via a CSR.

Initially, the default self-signed SSL certificate used for HTTPS is listed and assigned to the appliance. This default certificate is not a trusted certificate and should be replaced.

Navigate to Administrative Tools | Settings | Certificates | SSL Certificates. The SSL Certificates pane displays the following information for the SSL certificates stored in the database.

Table 137: SSL Certificates: Properties
Property Description
Appliances

Lists the name of the appliance to which the certificate is assigned.

Subject

The name of the subject (such as user, program, computer, service, or other entity) assigned to the certificate when it was requested.

Alternate DNS Names

Additional or alternate host names (such as IP addresses, sites, common names) that were specified when the certificate was requested. For the default self-signed SSL certificate, the name and IP address of the appliance is used.

Invalid Before

A start date and time that must be met before a certificate can be used.

Expiration Date

The date and time when the certificate expires and can no longer be used.

Thumbprint

A unique hash value that identifies the certificate.

Issued By

The name of the certificate authority (CA) that issued the certificate.

Use these toolbar buttons to manage SSL certificates.

Table 138: SSL Certificates: Toolbar
Option Description
Add Certificate | Upload Certificate

Upload an SSL certificate.

For more information, see Installing an SSL certificate.

Add Certificate | Create Certificate Signing Request (CSR)

Create a CSR to enroll a certificate.

For more information, see Creating a Certificate Signing Request.

Assign Certificate to Appliance(s)

Assign the selected certificate to one or more appliances.

For more information, see Assigning a certificate to appliances.

Unassign Certificate

Unassign the selected certificate from one or more appliances.

Delete Selected

Delete the selected certificate from Safeguard for Privileged Passwords.

Refresh

Update the list of SSL certificates available (uploaded to Safeguard for Privileged Passwords).

Installing an SSL certificate

To install an SSL certificate

  1. Navigate to Administrative Tools | Settings | Certificates | SSL Certificates.
  2. Click Add Certificate and select Upload Certificate.
  3. Browse to select the certificate file.
  4. After the certificate has been uploaded, assign the certificate to one or more appliances. For more information, see Assigning a certificate to appliances.

    You may also upload the certificate's root CA to the list of trusted certificates. For more information, see Trusted Certificates.

Caution: Improper access to the private SSL key could compromise traffic to and from the appliance. For the most secure configuration, create a Certificate Signature Request (CSR) and have it signed by your normal signing authority.

Then use the signed request as your Safeguard for Privileged Passwords SSL Webserver Certificate. This way, no administrator will have access to the private SSL key that is used by Safeguard for Privileged Passwords and the traffic will be secure.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating