Symantec Privileged Access Management

  • 1.  About Creation of CSR for your CA PAM certificate

    Posted Mar 23, 2020 02:31 PM
    Do we need to create the CSR for both appliances that are clustered together and then install the certificate on each appliance?

    Or can you just create a CSR for your primary node and use the same certificate and key to install on your secondary node?


    ------------------------------
    FCA Company
    ------------------------------


  • 2.  RE: About Creation of CSR for your CA PAM certificate
    Best Answer

    Broadcom Employee
    Posted Mar 23, 2020 08:35 PM
    Nikki

    The best way to handle this is to create a single CSR using the VIP hostname, but also be sure to include all hostnames and IPs for the VIP address and all nodes in the CSR. The same certificate can be used for all nodes in the cluster. Most current browsers no longer use the CN of the certificate and rely only on the SANs (Subject Alternative Names), so include all names that can be used to access all nodes. Also, be sure to remember that the CSR file name will be used to enter the certificate once you receive it from the certificate authority, and to avoid issues when exporting the combined certificate and key, use a password without special characters to avoid confusion when loading into the second and subsequent nodes.

    Joe
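
    The single-CSR layout described in this answer, as an added example that is not part of this thread or of the PAM product: CA PAM generates its CSR in its own GUI, so this Go snippet (standard library only) shows what that CSR should carry (CN = VIP hostname, SANs for the VIP and every node as DNS name and IP) and how to check a downloaded CSR for names that are missing. All hostnames and addresses are constructed placeholders, and the key is generated only for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"net"
)

// BuildClusterCSR returns a DER CSR with CN = VIP hostname and SANs for the VIP
// and every node (DNS and IP), so one certificate is valid on all nodes.
func BuildClusterCSR(vipHost string, nodeHosts, ips []string) ([]byte, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader) // demo key only
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: vipHost}}
	tmpl.DNSNames = append([]string{vipHost}, nodeHosts...)
	for _, s := range ips {
		ip := net.ParseIP(s)
		if ip == nil {
			return nil, net.InvalidAddrError("not an IP address: " + s)
		}
		tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
	}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// MissingSANs parses a DER CSR and returns the expected "DNS:host" / "IP:addr"
// entries absent from its SAN extension; empty means every access name is covered.
func MissingSANs(der []byte, want []string) ([]string, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, err
	}
	have := map[string]bool{}
	for _, d := range csr.DNSNames {
		have["DNS:"+d] = true
	}
	for _, ip := range csr.IPAddresses {
		have["IP:"+ip.String()] = true
	}
	var missing []string
	for _, w := range want {
		if !have[w] {
			missing = append(missing, w)
		}
	}
	return missing, nil
}
```

    Run MissingSANs against the CSR the appliance produced, passing every name users and the other nodes will use; any entry it returns would fail browser hostname validation once the signed certificate is installed.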


  • 3.  RE: About Creation of CSR for your CA PAM certificate

    Posted Mar 24, 2020 08:51 AM
    Thanks for your reply. Do we still keep the old certificate in CA PAM after we load the new one, or do we need to delete them?



    ------------------------------
    FCA Company
    ------------------------------



  • 4.  RE: About Creation of CSR for your CA PAM certificate

    Broadcom Employee
    Posted Mar 24, 2020 09:58 AM
    Nikki
    Once you have uploaded, set and confirmed the new certificates across your cluster, you should remove them to avoid any confusion or future use. The certificates are stored based on the file names you enter, but leaving old certificates with the same Common Name may cause some issues when trying to validate some things like PIV/CAC based authentications, since this certificate store is our truststore as well. If you are using PIV/CAC authentication you should download the old certificates before deleting them to ensure you can roll back the changes quickly, just in case.
    Joe



  • 5.  RE: About Creation of CSR for your CA PAM certificate

    Posted Mar 24, 2020 10:15 AM
    Sorry, one more: do I also have to delete the old CSR and the private keys?

    ------------------------------
    FCA Company
    ------------------------------



  • 6.  RE: About Creation of CSR for your CA PAM certificate

    Broadcom Employee
    Posted Mar 24, 2020 11:32 AM
    On the same page you can download and delete ... two separate buttons.


  • 7.  RE: About Creation of CSR for your CA PAM certificate

    Broadcom Employee
    Posted Mar 24, 2020 05:26 PM

    You should remove all signed certs and CSRs after the new one is fully tested. Just for cleanliness ... but don't delete the gkcert cert/key and ca-cert.pem. These are the default delivered certs. If your system had a problem and had to roll back to the default (possible revocation), it would need to roll back to our internal cert. If deleted, I am not sure if the GUI could load enough to recover.


    Joe