Certificate issues
A certificate provides a secure HTTPS connection. If there are problems with the certificate, the browser cannot guarantee secure data exchange with the server, and the risk of data interception increases.
When it is necessary to replace a certificate:
- Outdated certificate data — the certificate contains outdated data, for example the domain name, SAN (Subject Alternative Names) or server IP address. If the old certificate is retained, PAM will become unavailable.
- Compromise of the server's private key — the key becomes known and can be used by third parties. Replace certificates even if they have not yet expired.
- Expiration — the most common reason for certificate replacement. We recommend replacing certificates before they expire, otherwise PAM will become unavailable and the connection will be insecure for users.
How to check when the certificate expires?
If the user or administrator console does not open, and the browser address bar displays the error Not secure, check the certificate expiration date. Click on the warning in the address bar of your browser:
- Microsoft Edge: go to Not secure → Your connection to this site isn't secure →
- Google Chrome: go to Not secure → Certificate details.
Root certificate of the CA
The CA root certificate must be replaced on all PAM servers, including the load balancer.
The certificate must be in PEM format with Base-64 encoding and use the SHA-256 signature algorithm. When replacing certificates, preserve the original file names.
If the new CA certificate is created with the same private keys, replacing certificates in the PAM installation is not required. When creating a certificate with a new key pair, it is necessary to replace all previously issued certificates throughout the entire PAM installation.
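The rule above (same key pair: replace only the CA certificate; new key pair: reissue everything) can be checked with openssl before anything in the installation is touched. The script below is an added example, not Axidian's code and not part of this page's procedure: it builds a throwaway CA and one server certificate signed by it, renews the CA both ways, and reports which case applies by comparing the public keys of the old and new CA certificates and re-verifying the issued certificate against the new one. All file names, the CA name and the host name dc.axidian.local are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example, not Axidian's code: does a renewed CA certificate keep the old
# key pair? If yes, only the CA certificate file needs replacing; if not, every
# certificate issued under the CA must be reissued. All files below are
# constructed throwaway test data; dc.axidian.local is an assumed host name.
set -u

# Build a demo CA and a server certificate signed by it in directory $1.
make_demo_pki() {
  local dir="$1" fqdn="${2:-dc.axidian.local}"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Demo Root CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$fqdn" \
    -keyout "$dir/pam.key" -out "$dir/pam.csr" 2>/dev/null
  openssl x509 -req -in "$dir/pam.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -sha256 -days 90 -out "$dir/pam.crt" 2>/dev/null
}

# Renew the CA certificate into $1/ca-new.crt. reuse=1 signs with the existing
# ca.key (new certificate, same key pair); anything else makes a fresh key pair.
renew_ca() {
  local dir="$1" reuse="$2"
  if [ "$reuse" = 1 ]; then
    openssl req -x509 -new -key "$dir/ca.key" -sha256 -days 730 \
      -subj "/CN=Demo Root CA" -out "$dir/ca-new.crt" 2>/dev/null
  else
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 730 \
      -subj "/CN=Demo Root CA" -keyout "$dir/ca-new.key" -out "$dir/ca-new.crt" 2>/dev/null
  fi
}

# Return 0 when certificates $1 and $2 carry the same public key (same key pair).
same_ca_key() {
  local a b
  a=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  b=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
  [ "$a" = "$b" ]
}

# Return 0 when server certificate $2 verifies against CA certificate $1.
chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print the operational decision for proposed CA certificate $2 replacing $1,
# using $3 as a sample of the certificates already issued under the CA.
ca_rotation_report() {
  local old="$1" new="$2" issued="$3"
  if same_ca_key "$old" "$new"; then
    echo "same key pair: replace only the CA certificate (ca.crt) on every PAM server"
  else
    echo "new key pair: reissue every certificate in the PAM installation"
  fi
  if chains_to "$new" "$issued"; then
    echo "  $(basename "$issued") still verifies against the new CA certificate"
  else
    echo "  $(basename "$issued") no longer verifies against the new CA certificate"
  fi
}

# Demo run on constructed data, both ways.
demo=$(mktemp -d)
make_demo_pki "$demo"
renew_ca "$demo" 1
ca_rotation_report "$demo/ca.crt" "$demo/ca-new.crt" "$demo/pam.crt"
renew_ca "$demo" 0
ca_rotation_report "$demo/ca.crt" "$demo/ca-new.crt" "$demo/pam.crt"
rm -rf "$demo"
```

On a real installation, point same_ca_key at the current ca.crt and the candidate file, and chains_to at the candidate plus one already-issued certificate such as pam.crt; if the second check fails, the CA was created with a new key pair and the full reissue described above is required.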
Windows
- Export the root certificate without the private key with the extension .cer or .crt.
- Right-click on the certificate file and select Install Certificate from the context menu.
- In the certificate import wizard, for the Store Location parameter, select Local Machine and click Next.
- Select Place all certificates in the following store and click Browse.
- In the window that opens, select Trusted Root Certification Authorities and click OK.
- Click Next.
- Click Finish in the confirmation dialog.
Linux
- Export the root certificate without the private key with the extension .crt.
- Place the certificate at the path /etc/axidian/axidian-privilege/ca-certificates/
  Caution: the root certificate for the load balancer must be named ca.crt.
- Open the terminal and navigate to the folder /etc/axidian/axidian-privilege/ with elevated privileges:
  sudo -i
  cd /etc/axidian/axidian-privilege/
- Stop all components:
  bash scripts/stop-pam.sh
- Update permissions for the replaced files:
  Caution: it is necessary to run the command from the folder /etc/axidian/axidian-privilege/
  bash scripts/set-permissions.sh
- Start the stopped components:
  bash scripts/run-pam.sh
Server certificate
Replace the certificates on the target server. New certificates must meet the requirements and preserve the original file names.
Windows
- Export the private key certificate in .pfx format.
- Place the server certificate in the computer's personal certificates:
  - Right-click on the certificate file and select Install Certificate from the context menu.
  - In the certificate import wizard, for the Store Location parameter, select Local Machine and click Next.
  - Enter the certificate password.
  - Select Place all certificates in the following store and click Browse.
  - In the window that opens, select Personal and click OK.
  - Click Finish in the confirmation dialog.
- Launch IIS Manager.
- In the left Connections panel, expand <FQDN> → Sites → Default Web Site.
- Select Default Web Site and in the right Actions panel, click Bindings.
- In the window that opens, replace the certificate for all bindings with type HTTPS and port 443:
  - Select the binding and click Edit.
  - In the window that opens, click Select and choose the imported certificate.
- After replacing the certificates, in the left Connections panel, click on the server FQDN.
- In the right Actions panel, click Restart.
- Open the configuration file C:\Program Files\Axidian\Axidian Privilege\Gateway\Pam.Gateway.Service\appsettings.json with administrator rights.
- In the Kestrel section, specify the Subject value of the new certificate for the Subject parameter.
  Configuration file structure:
  "Kestrel": {
    "Endpoints": {
      "HttpsInlineCertStore": {
        "Url": "https://0.0.0.0:5443",
        "Certificate": {
          "Subject": "dc.axidian.local", // Specify the value from the new certificate
          "Store": "My",
          "Location": "LocalMachine",
          "AllowInvalid": "False"
        }
      }
    }
  }
- If the server IP address is not specified in the SAN field of the new certificate, update the ProxyApp configuration:
  - Open the configuration file C:\Program Files\Axidian\Axidian Privilege\Gateway\ProxyApp\appsettings.json
  - In the GatewayService section, replace the IP address with the server name in FQDN format.
    Configuration file structure:
    "GatewayService": {
      "Url": "https://dc.axidian.local:5443" // Specify the server name in FQDN format
    }
Linux
- Export the public key certificate in PEM (Base-64) format with .crt extension.
- Export the private key certificate in PEM (Base-64) format with .pem or .pfx extension. For a certificate with .pem extension, no preliminary preparation is required.
  If the certificate has .pfx extension, extract the key and the certificate from it using the commands:
  Key extraction:
  openssl pkcs12 -in <private key certificate> -nocerts -nodes -out <private key file> -passin pass:<password>
  Certificate extraction:
  openssl pkcs12 -in <private key certificate> -clcerts -nokeys -out <public key certificate> -passin pass:<password>
  where:
  <private key certificate> — name of the exported .pfx file;
  <private key file> — name of the output file for the extracted private key, with .pem extension;
  <public key certificate> — name of the exported certificate with .crt extension;
  <password> — password set when exporting the certificate.
- Place the certificates in the appropriate component folders:
  - Management Server: /etc/axidian/axidian-privilege/certs. Replace the pam.crt and pam.key certificates. If the pam-selfsigned.key and pam-selfsigned.crt certificates are located in the folder, you do not need to change them.
  - RDP Proxy: /etc/axidian/axidian-privilege/keys/rdp-proxy
  - PostgreSQL Proxy: /etc/axidian/axidian-privilege/keys/sql-proxy
  - MSSQL Proxy: /etc/axidian/axidian-privilege/keys/tsql-proxy
  - Web Proxy: /etc/axidian/axidian-privilege/keys/web-proxy
- Open the terminal and navigate to the folder /etc/axidian/axidian-privilege/ with elevated privileges:
  sudo -i
  cd /etc/axidian/axidian-privilege/
- Stop all components:
  bash scripts/stop-pam.sh
- Update permissions for the replaced files:
  Caution: it is necessary to run the command from the folder /etc/axidian/axidian-privilege/
  bash scripts/set-permissions.sh
- Start the stopped components:
  bash scripts/run-pam.sh
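Before the extracted files are copied into the component folder and set-permissions.sh is run, it is worth confirming that they actually satisfy the requirements stated for the server certificate (PEM with Base-64 encoding, SHA-256 signature, not about to expire, a SAN entry for the name clients connect to, and a private key that belongs to the certificate). The script below is an added example, not Axidian's code: it runs the two openssl pkcs12 extraction commands from the .pfx step above, reading the password from an environment variable rather than passing it as pass:<password> on the command line, and then runs those checks on the result. The .pfx, the password, the host name dc.axidian.local and the 30-day warning threshold are constructed test data and assumptions, not values from the product.

```shell
#!/usr/bin/env bash
# Added example, not Axidian's code: extract key and certificate from a .pfx as
# the page describes, then pre-flight the pair against the stated requirements.
# All input is constructed test data; dc.axidian.local is an assumed host name.
set -u

# Constructed input: a self-signed SHA-256 certificate for $2, valid $3 days,
# packed into $1/server.pfx with password $4.
make_demo_pfx() {
  local dir="$1" fqdn="$2" days="$3" pw="$4"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
    -subj "/CN=$fqdn" -addext "subjectAltName=DNS:$fqdn" \
    -keyout "$dir/orig.key" -out "$dir/orig.crt" 2>/dev/null
  PFX_PW="$pw" openssl pkcs12 -export -inkey "$dir/orig.key" -in "$dir/orig.crt" \
    -out "$dir/server.pfx" -passout env:PFX_PW 2>/dev/null
}

# The page's two extraction commands. The password ($4) reaches openssl through
# the PFX_PW environment variable, so it is not visible in the process list.
extract_pfx() {
  local pfx="$1" key_out="$2" crt_out="$3" pw="$4"
  PFX_PW="$pw" openssl pkcs12 -in "$pfx" -nocerts -nodes -out "$key_out" -passin env:PFX_PW 2>/dev/null \
  && PFX_PW="$pw" openssl pkcs12 -in "$pfx" -clcerts -nokeys -out "$crt_out" -passin env:PFX_PW 2>/dev/null
}

# Return 0 when certificate $1 and key $2 meet the requirements for host $3;
# $4 (default 30) is how many days of remaining validity are required.
check_pam_cert() {
  local crt="$1" key="$2" fqdn="$3" warn_days="${4:-30}" rc=0

  # 1. PEM (Base-64) encoding: openssl x509 reads PEM by default and rejects DER.
  if ! openssl x509 -in "$crt" -noout 2>/dev/null; then
    echo "FAIL: $crt is not a PEM-encoded X.509 certificate"
    return 1
  fi

  # 2. SHA-256 signature algorithm (RSA or ECDSA flavour).
  local sigalg
  sigalg=$(openssl x509 -in "$crt" -noout -text | awk '/Signature Algorithm/ {print $3; exit}')
  case "$sigalg" in
    sha256*|ecdsa-with-SHA256) ;;
    *) echo "FAIL: signature algorithm is '$sigalg', expected SHA-256"; rc=1 ;;
  esac

  # 3. Validity: fail if the certificate expires within warn_days (seconds = days * 86400).
  if ! openssl x509 -in "$crt" -noout -checkend $((warn_days * 86400)) >/dev/null; then
    echo "FAIL: expires within $warn_days days ($(openssl x509 -in "$crt" -noout -enddate))"
    rc=1
  fi

  # 4. SAN must list the name clients connect to (substring match is enough here).
  if ! openssl x509 -in "$crt" -noout -ext subjectAltName 2>/dev/null | grep -qF "DNS:$fqdn"; then
    echo "FAIL: SAN does not contain DNS:$fqdn"
    rc=1
  fi

  # 5. The private key must belong to this certificate: compare public-key digests.
  local crt_pub key_pub
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  if [ "$crt_pub" != "$key_pub" ]; then
    echo "FAIL: $key does not match $crt"
    rc=1
  fi

  [ "$rc" -eq 0 ] && echo "OK: $crt and $key pass all checks"
  return "$rc"
}

# Demo on constructed data: build a .pfx, extract it, and check the result.
demo=$(mktemp -d)
make_demo_pfx "$demo" dc.axidian.local 90 demo-pw
extract_pfx "$demo/server.pfx" "$demo/pam.key" "$demo/pam.crt" demo-pw
check_pam_cert "$demo/pam.crt" "$demo/pam.key" dc.axidian.local 30
rm -rf "$demo"
```

On a PAM host, run check_pam_cert against the files you are about to place in /etc/axidian/axidian-privilege/certs (pam.crt and pam.key) or a proxy key folder; the same -checkend test, scheduled from cron with a generous threshold, gives early warning of the expiration case described at the top of the page instead of a browser error.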
RDS access server certificate
RDS access server certificates are managed through Server Manager, as they are used by the following services:
- RD Connection Broker: SSO
- RD Connection Broker: Publishing
To replace the certificate:
1. Export two private key certificates in .pfx format. Certificates must meet the requirements.
2. Open Server Manager.
3. Go to Remote Desktop Services.
4. In the Deployment Overview window, click Tasks and select Edit Deployment Properties from the drop-down list.
5. In the window that opens, select Certificates.
6. In the Role Service window, select RD Connection Broker - Enable Single Sign On.
7. Click Select existing certificate....
8. Select Choose a different certificate and click Browse.
9. In the window that opens, select the certificate to import and click Open.
10. In the Password field, enter the certificate password.
11. Enable the Allow the certificate to be added to the Trusted Root Certification Authorities certificate store on the destination computers checkbox.
12. Click OK and Apply.
13. Repeat steps 6-12 for the RD Connection Broker - Publishing role service.