Configuring a web server certificate for PAS

To create a web server certificate for your Centrify PAS environment, perform the following steps:

  1. Create a web server certificate template with an exportable private key.
  2. Generate a wildcard certificate for your web servers (*.domain.com).
  3. Export the certificate plus the private key into a file.

To create a web server certificate template to allow exporting for private keys, perform the following steps:

  1. In your domain’s Certification Authority (CA), open the Certification Authority program and expand the CA.

  2. Right-click Certificate Templates and select Manage. This opens the Certificate Templates console.

  1. Scroll down and right click the Web Server template and select Duplicate Template This opens the new certificate template window.

  2. Navigate to the Compatibility Settings tab:

    1. For the Certification Authority field, select Windows Server 2012 R2 or higher.

    2. For the Certificate Recipient fields, select Windows 8.1/ Windows Server 2012 R2 or higher.

  3. Navigate to the General tab > Template display name and set it to “Web Server with Exportable Key” (no quotes).

  4. Navigate to the Request Handling tab and check the checkbox “Allow the private key to be exported.”

  5. Navigate to the Security tab. Here, authenticated users are highlighted. In the lower pane, check the boxes for Enroll and AutoEnroll.

  6. Click OK. This will save this new Certificate Template and close the Certificate Templates Window.

  7. Back in the Certification Authority console, right click Certificate Templates > New > Certificate Templates to Issue. This opens the Enable Certificate Templates window.

  8. Scroll down to Web Server with Exportable Key and click OK. The modified template is now ready for use through group policy.

  9. Close the Certification Authority console.

  1. In the server where you’re going to install Centrify Privileged Access Service, open the mmc.exe program.

  2. In the MMC program, navigate to File > Add/Remove Snap-ins add the Certificates (Computer) snap-in and click Add.

  3. For Certificates snap-in, choose Computer account and click Next.

  4. For the Select computer screen, keep all default and click Finish and then click OK.

  5. Navigate back to the console, and under Console Root, right-click Personal > All Tasks > Request New Certificate. Click Next on the Certificate Enrollment screen. On the Select Certificate Enrollment Policy screen, ensure you have Active Directory Enrollment Policy and click Next.

  6. For Request Certificate, click the checkbox for Web Server with Exportable Key and click the hyperlink directly beneath the selection entitled More information is required to enroll for this certificate. Click here to configure settings.

  7. Navigate to Subject, for Subject name, choose Common name. For Value enter the name of the server where you’re going to install Centrify PAS and click Add.

    Note:   If you are installing Hyper-scalable PAS across multiple servers, provide the FQDN of your PAS installation(example: vault.mydomain.com).

    For Alternative name, choose DNS and then there are two options:

    • Enter *.<your-domain.com> if your web server names will be changing with each upgrade. You will use this option if you are creating new web server machines with each upgrade.
    • Enter the FQDN list of each web server in your cluster if you have a fixed set of web servers that will remain the same after each upgrade. This upgrade process would involve uninstalling the current version on each web server, installing the upgraded package, and keeping the same machine.

  8. Click OK and then Enroll. You should see success.

  9. In the Certificates snap-in, navigate to Personal > Certificates and double-click the generated certificate. Navigate to the Details tab, and verify that the algorithm is SHA256 (if you followed the steps in the section above). Scroll down to Subject Alternative name, and verify that the DNS name is *.<your-domain.com>.

    Keep the Certificates snap-in open for the export process.

  1. Under Personal > Certificates, right click the Centrify (or the name of the server) Certificate and select Export.

  2. On the welcome page click Next.

  3. On the Export Private Key screen, select Yes, export the private key and click Next.

  4. For Export File Format, keep default (Personal Information Exchange - PKCS # 12 (.PFX)) and click Next.

  5. For the Security screen, click the checkbox Group or user names (recommended).

    Click Add. For the Select User, Computer, Service Account, or Group screen, in the field Enter the object name to select (examples) enter domain admin and click Check Names:

    Click OK and click Next.

  1. For File to Export, name the file and click Save.

  2. Click Next. Make a note of this location, you’ll need it during Centrify setup (example: c:\centrify\centrify.pfx).

  3. Lastly, for the Completing the Certificate Export Wizard screen, click Finish. You will see a screen pop up stating the export was successful. Click OK.

    You will provide this file when asked to supply the web server certificate for your installation.