In several places, One Identity Safeguard for Privileged Sessions (SPS) generates server certificates on the fly, signed by a signing CA configured here. This is used, for example, in SSL-encrypted RDP sessions, RDP sessions that use Network Level Authentication (CredSSP), and SSH connections that use X.509-based authentication.

NOTE: The following points apply to signing CAs:

  • A signing CA requires a CA certificate that is permitted to sign certificates, together with the corresponding private key.

  • These CAs cannot be used to sign audit trails. For details on how to configure the certificates used to sign audit trails, see Digitally signing audit trails.

  • The generated certificates have the same X.509 version as the signing CA certificate.

  • SPS ignores the CRL distribution point (the crlDistributionPoints extension) of the signing CA certificate when generating certificates. If you want the generated certificates to include a CRL distribution point, you must set it manually, as described in the following steps.

To create a signing CA using the built-in signing CA solution

  1. Navigate to Policies > Signing CAs and click .

  2. Select Local.

  3. Enter a name for the CA into the topmost field.

    Figure 170: Policies > Signing CAs — Creating Signing CAs - Local

  4. To upload a CA certificate and its private key, complete the following steps. Skip this step if you want to generate a CA on SPS.

    1. Click Edit in the CA X.509 certificate field and upload the certificate of the certificate authority. Alternatively, you can upload a certificate chain, where one member of the chain is the CA that will sign the certificates.

    2. Click Edit in the CA private key field and upload the private key of the certificate authority that will sign the certificates.

    3. (Optional) Enter the URL of the Certificate Revocation List (CRL) published by this Certificate Authority in your Public Key Infrastructure (PKI) solution. SPS includes this URL in every certificate it generates with this CA, so this is the CRL information that clients connecting to SPS will see.

      Note that SPS does not generate this CRL; the list must come from your own PKI solution.

    4. Click .

  5. To generate a CA certificate on SPS, complete the following steps:

    1. Enter the Common Name for the CA certificate into the Common Name field. This name will be visible in the Issued By field of the certificates signed by this CA.

    2. Fill the other fields as required, then click Generate private key and certificate.

    3. Click .
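The following script is an added example and is not part of the SPS documentation or product. It prepares a CA certificate and private key of the kind step 4 expects, checks them against the requirements in the note above (an X.509 v3 certificate with CA:TRUE and the certificate-signing key usage, plus a matching private key), and then uses openssl to sign a test server certificate with and without a CRL distribution point, to show what the optional CRL URL field adds to the certificates that clients see. The file names, subject names and CRL URL are illustrative assumptions, and openssl only stands in for SPS's own on-the-fly certificate generation.

```shell
#!/usr/bin/env bash
# Added example, not part of the SPS documentation or product: prepare a CA key pair
# for upload under Policies > Signing CAs > Local and check it against the requirements
# in the note above. Requires the openssl CLI (1.1.1 or later). File names, subject
# names and the CRL URL are illustrative assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_KEY="$WORK/signing-ca.key"
CA_CRT="$WORK/signing-ca.crt"
# Assumed URL. SPS does not generate a CRL; this must point to one your own PKI publishes.
CRL_URL="http://pki.example.com/crl/signing-ca.crl"

# 1. Generate a CA private key and a self-signed X.509 v3 CA certificate.
#    CA:TRUE plus the keyCertSign key usage is what makes it "permitted to sign certificates".
make_signing_ca() {
  openssl req -x509 -newkey rsa:3072 -nodes -sha256 -days 1825 \
    -keyout "$CA_KEY" -out "$CA_CRT" \
    -subj "/CN=SPS Signing CA/O=Example Corp" \
    -addext "basicConstraints=critical,CA:TRUE,pathlen:0" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" >/dev/null 2>&1
}

# 2. Check a certificate/key pair before uploading it. Prints "ok" or the first problem found.
#    The version check matters because generated certificates inherit the CA's X.509 version,
#    and v1 certificates cannot carry extensions such as subjectAltName.
check_signing_ca() {
  local crt="$1" key="$2" text
  text=$(openssl x509 -in "$crt" -noout -text)
  case "$text" in *"Version: 3"*) ;; *) echo "not an X.509 v3 certificate"; return 1;; esac
  case "$text" in *"CA:TRUE"*) ;; *) echo "basicConstraints CA:TRUE missing"; return 1;; esac
  case "$text" in *"Certificate Sign"*) ;; *) echo "keyUsage keyCertSign missing"; return 1;; esac
  # The uploaded private key must belong to the uploaded certificate.
  if [ "$(openssl x509 -in "$crt" -noout -pubkey)" != "$(openssl pkey -in "$key" -pubout)" ]; then
    echo "private key does not match certificate"; return 1
  fi
  echo ok
}

# 3. Sign a test server certificate with the CA, with ("yes") or without ("no") a CRL
#    distribution point, and print the CRL URI a connecting client would see, or "none".
#    openssl stands in for SPS's on-the-fly issuance here: the CA's own crlDistributionPoints
#    is never inherited, the URI appears only because it is set explicitly for the leaf.
issue_test_cert() {
  local with_crl="$1" ext="$WORK/leaf.ext" out="$WORK/leaf-$1.crt"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$WORK/leaf.key" \
    -out "$WORK/leaf.csr" -subj "/CN=rdp.example.com" >/dev/null 2>&1
  {
    echo "basicConstraints=CA:FALSE"
    echo "keyUsage=digitalSignature,keyEncipherment"
    echo "extendedKeyUsage=serverAuth"
    echo "subjectAltName=DNS:rdp.example.com"
    if [ "$with_crl" = yes ]; then echo "crlDistributionPoints=URI:$CRL_URL"; fi
  } > "$ext"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$CA_CRT" -CAkey "$CA_KEY" -CAcreateserial \
    -days 30 -sha256 -extfile "$ext" -out "$out" >/dev/null 2>&1
  openssl x509 -in "$out" -noout -text | grep -o 'URI:[^ ]*' || echo none
}

make_signing_ca
check_signing_ca "$CA_CRT" "$CA_KEY"
echo "CRL in issued certificate without URL: $(issue_test_cert no)"
echo "CRL in issued certificate with URL:    $(issue_test_cert yes)"
```

Run it once before uploading a CA pair: if check_signing_ca reports anything other than ok, SPS will either refuse the CA or, in the case of a v1 certificate, issue certificates that modern RDP and SSH clients reject because they carry no extensions.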

To create a signing CA using an external signing CA plugin

  1. Navigate to Policies > Signing CAs and click .

  2. Select External Plugin.

  3. Enter a name for the CA into the topmost field.

    Figure 171: Policies > Signing CAs — Creating Signing CAs - External Plugin

  4. From the Plugin field, select an uploaded external plugin using the drop-down menu.

    The drop-down menu lists only plugins that have already been uploaded under Basic Settings > Plugins.

    For more information about how to create an external Signing CA plugin, see Creating an external Signing CA.

  5. Optionally, fill the Configuration field as required by the uploaded plugin.

    The input you enter in the Configuration field is passed down to the plugin.