Depending on the requirements of your organization and the configuration of your KeySecure appliance, you might have different options for creating or identifying the CA certificate to use for authentication. For example, one simple approach would be to create a local certificate authority for the KeySecure appliance as a self-signed root certificate. Alternatively, you might create a local CA certificate through an intermediate CA request or select an existing CA certificate that you use for other services.
Regardless of the method you use to create or identify the KeySecure CA certificate, you will need to upload the CA certificate to the Privileged Access Service. The steps in this section describe how to create a local certificate authority as a self-signed root certificate.
To create a new local certificate authority:
- Log on to the KeySecure management console as an administrator with permission to access Certificate Authorities.
- Click the Security tab to display the Device CAs and SSL Certificates section, then click Local CA.
- Under Create Local Certificate Authority on the Certificate and CA Configuration page, enter the appropriate information for all fields.
- Select either Self-signed Root CA or Intermediate CA Request as the certificate authority type.
If you create a self-signed root CA, you must also specify certificate duration and a maximum user certificate duration. If you are creating a self-signed root CA, you must also manually add it to the list of trusted CAs before it can be used.
If you create an intermediate CA request, you must sign the request using an existing trusted intermediate CA or your organization’s root CA. When creating an intermediate CA request, you must also specify a maximum user certificate duration when installing the certificate response. The user certificate duration cannot be longer than the signing CA certificate’s duration.
Click Create to create the local certificate authority for KeySecure.
If the local certificate authority is a self-signed root certificate, there are a few additional steps.
Under Device CAs and SSL Certificates, click Trusted CA Lists.
Under Trusted Certificate Authority List Profiles, select Default or another profile, then click Properties.
Alternatively, you can click Add to create a new profile, then select the new profile and click Properties.
Click Edit to add the local CA certificate to the list of trusted CA certificates.
Select the self-signed root CA from the list of Available CAs, click Add, then click Save.