In several places, One Identity Safeguard for Privileged Sessions (SPS) can generate server certificates on the fly. This technique is used, for example, in SSL-encrypted RDP sessions, RDP sessions that use Network Level Authentication (CredSSP), or SSH connections that use X.509-based authentication.
NOTE:
Note the following points about using signing CAs:
To create a signing CA
Navigate to Policies > Signing CAs and click .
Figure 159: Policies > Signing CAs — Creating Signing CAs - Local
To upload a CA certificate and its private key, complete the following steps. Skip this step if you want to generate a CA on SPS.
Click Edit in the CA X.509 certificate field and upload the certificate of the certificate authority. Alternatively, you can upload a certificate chain, where one member of the chain is the CA that will sign the certificates.
Click Edit in the CA private key field and upload the private key of the certificate authority that will sign the certificates.
(Optional) Enter the URL of the Certificate Revocation List (CRL) that you generated using your Certificate Authority in your Public Key Infrastructure (PKI) solution. The URL pointing to this CRL will be included in the certificate. This is the CRL information that will be shown to clients connecting to SPS.
Note that the CRL is not generated by the internal CA of SPS. It must come from your own PKI solution.
Click .
To generate a CA certificate on SPS, complete the following steps:
Enter the Common Name for the CA certificate into the Common Name field. This name will be visible in the Issued By field of the certificates signed by this CA.
Fill the other fields as required, then click Generate private key and certificate.
Click .
Figure 160: Policies > Signing CAs — Creating Signing CAs - External Plugin
From the Plugin field, select an uploaded external plugin using the drop-down menu.
To be able to select from the drop-down menu, you must have an external plugin uploaded in Basic Settings > Plugins > Signing CAs.
For more information about how to create an external Signing CA plugin, see Creating an external Signing CA.
Optionally, fill the Configuration field as required by the uploaded plugin.
The input you enter in the Configuration field is passed down to the plugin.
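Before uploading a CA certificate and its private key as described in the upload steps above, the pair can be checked locally. The shell function below is an added example, not part of SPS or its documentation; `check_signing_ca` is a hypothetical helper, and it assumes PEM files, an unencrypted private key and the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example: pre-upload sanity check for a signing CA certificate and key.
# Assumptions: PEM files, unencrypted private key, openssl CLI on PATH.
# check_signing_ca is a hypothetical helper, not an SPS command.
# Return codes: 0 ok, 1 unreadable input, 2 expired, 3 not a CA, 4 key mismatch.
check_signing_ca() {
    cert=$1
    key=$2

    # Decode the certificate once. For a chain file only the first
    # certificate is read, so pass the signing CA's own certificate.
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || {
        echo "cannot parse certificate: $cert" >&2; return 1; }

    # -checkend 0 fails when notAfter is already in the past.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || {
        echo "certificate has expired" >&2; return 2; }

    # A certificate that signs other certificates needs CA:TRUE.
    printf '%s\n' "$text" | grep -q 'CA:TRUE' || {
        echo "basicConstraints does not say CA:TRUE" >&2; return 3; }

    # If Key Usage is present it must allow certificate signing.
    if printf '%s\n' "$text" | grep -q 'X509v3 Key Usage'; then
        printf '%s\n' "$text" | grep -q 'Certificate Sign' || {
            echo "Key Usage lacks keyCertSign" >&2; return 3; }
    fi

    # The private key must belong to the certificate: compare public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "cannot read private key: $key" >&2; return 1; }
    [ "$cert_pub" = "$key_pub" ] || {
        echo "private key does not match certificate" >&2; return 4; }

    echo "OK: $(openssl x509 -in "$cert" -noout -subject)"
}

# Stand-alone use: sh check_ca.sh ca.crt ca.key
if [ "$#" -eq 2 ]; then
    check_signing_ca "$1" "$2"
fi
```

A non-zero return code identifies which check failed, so the function can gate an upload step in a script.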