Certificates
Please prepare your certificates before installing Axidian Privilege. All certificates should have the same password.
All certificates except the CA certificate must be in .pfx format.
The CA certificate must be in .crt format.
- Installation without balancing
- Fault-tolerant installation with HAProxy
- Fault-tolerant installation with a third-party balancer
For installation without balancing, the following certificates are required:
- Certificate of the certification authority without a private key in PEM (Base64) format with the .crt extension.
- Certificate for the PAM FQDN with a private key in .pfx format.
- Certificates for all RDP, RDS and PostgreSQL access servers with a private key in .pfx format, except when the access server is installed on the same host as the management server.
For fault-tolerant installation with HAProxy, the following certificates are required:
- Certificate of the certification authority without a private key in PEM (Base64) format with the .crt extension.
- Certificate for the PAM FQDN with a private key in .pfx format.
- Certificates for all management servers with a private key in .pfx format.
- Certificates for all RDP, RDS and PostgreSQL access servers, with the names of all balancers and the PAM FQDN as alternative names and with a private key in .pfx format, except when the access server is installed on the same host as the management server.
If you plan to place the balancer and the management server on the same host, you will need a certificate that has the PAM FQDN as an alternative name.
When a vIP is used, each balancer certificate requires the PAM FQDN as an alternative name.
If there are Windows access servers, their certificates must contain the PAM FQDN or be the same as the certificate for the PAM FQDN. Otherwise the certificate check in the wizard will result in an error.
For fault-tolerant installation with a third-party balancer, the following certificates are required:
- Certificate of the certification authority without a private key in PEM (Base64) format with the .crt extension.
- Certificates for all management servers with a private key in .pfx format.
- Certificates for all RDP, RDS and PostgreSQL access servers, with the names of all balancers and the PAM FQDN as alternative names and with a private key in .pfx format, except when the access server is installed on the same host as the management server.
- Certificates for all balancers with a private key in .pfx format.
If you plan to place the balancer and the management server on the same host, you will need a certificate that has the PAM FQDN as an alternative name.
When a vIP is used, each balancer certificate requires the PAM FQDN as an alternative name.
It is possible to use a wildcard certificate. In this case, the certificate must be issued for the entire domain or have the addresses of all PAM hosts in alternative names.
For LDAPS to work correctly, place the root certificate in ..PAM_3.0\axidian-pam\state\ca-certificates before running the wizard.
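A pre-flight check for the files described on this page, as an added example that is not part of the Axidian documentation: it confirms that the CA file is a PEM certificate without a private key, and that each .pfx file opens with the shared password, contains a private key and covers the required names. The use of OpenSSL, the PFX_PASS variable, the function names and the host names are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight checks for the certificate files listed above.
# Assumes OpenSSL 1.1.1 or later; the shared password is read from the
# PFX_PASS environment variable so it does not appear in the process list.

# CA file: PEM (Base64) certificate that must not carry a private key.
check_ca_crt() {
  local f="$1"
  if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f"; then
    echo "FAIL $f: contains a private key"; return 1
  fi
  if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$f" ||
     ! openssl x509 -in "$f" -noout >/dev/null 2>&1; then
    echo "FAIL $f: not a PEM (Base64) certificate"; return 1
  fi
  echo "OK   $f"
}

# .pfx file: must open with the shared password, contain a private key,
# and cover every required host name given after the file name.
check_pfx() {
  local f="$1" cert name rc=0
  shift
  cert=$(openssl pkcs12 -in "$f" -passin env:PFX_PASS -nokeys -clcerts 2>/dev/null) ||
    { echo "FAIL $f: not a .pfx file or wrong password"; return 1; }
  openssl pkcs12 -in "$f" -passin env:PFX_PASS -nocerts -nodes 2>/dev/null |
    grep -q 'PRIVATE KEY' || { echo "FAIL $f: no private key"; return 1; }
  for name in "$@"; do
    # -checkhost applies standard host name matching, including wildcards.
    if ! printf '%s\n' "$cert" |
         openssl x509 -noout -checkhost "$name" 2>/dev/null |
         grep -q 'does match'; then
      echo "FAIL $f: $name is not covered by the certificate"; rc=1
    fi
  done
  [ "$rc" -eq 0 ] && echo "OK   $f"
  return "$rc"
}

# Usage (file and host names below are constructed placeholders):
#   export PFX_PASS='...'
#   check_ca_crt ca.crt
#   check_pfx access1.pfx pam.example.test lb1.example.test
```

For an access server certificate in a balanced installation, pass the PAM FQDN and every balancer name as the required names.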