Certificates
Prepare certificates before installing Axidian Privilege. All certificates should have the same password.
All certificates except the CA certificate must be in .pfx format.
The CA certificate must be in .crt format.
Certificate requirements
- Certificates must be valid.
- Minimum RSA key length: 2048.
- Settings configured:
- Server Authentication is specified for the Enhanced Key Usage (EKU) extension.
- The setting allows you to use the certificate for server authentication.
- Digital Signature and Key Encryption are specified for the Key Usage extension. The setting defines cryptographic operations: it allows the key to create digital signatures and allows you to encrypt symmetric session keys.
- The certificate contains Common Name (CN) and Subject Alternative Names (SAN).
The fields contain the domain names of the host in the FQDN format.
CN and SAN completion scheme
When generating a certificate, the CN and SAN fields are filled in depending on the role and membership of the host in a fault-tolerant cluster (Keepalived), as well as the presence of a load balancer.
| Availability of a load balancer | The load balancer host in the Keepalived cluster | The host combines an access server | Configuration of the certificate |
|---|---|---|---|
| No | - | - | Subject field:CN — hostname SAN field: DNS — hostname |
| Yes | Yes | - | Subject field:CN — hostname SAN field: DNS — hostname DNS — FQDN PAM |
| Yes | No | Yes | Subject field:CN — hostname SAN field: DNS — hostname DNS — FQDN PAM |
| Yes | No | No | Subject field:CN — hostname SAN field: DNS — hostname |
List of certificates
- Installation without balancing
- Fault-tolerant installation with HAProxy
- Fault-tolerant installation with a third-party balancer
The following certificates are required:
- Certificate of the certification authority without a private key in PEM (Base64) format with the
.crtextension. - FQDN PAM certificate with private key in
.pfxformat. - Certificates for all RDP, RDS and PostgreSQL access servers with a private key in
.pfxformat. Except when the access server is installed on the same host as the management server.
The following certificates are required:
- Certificate of the certification authority without a private key in PEM (Base64) format with the
.crtextension. - FQDN PAM certificate with private key in
.pfxformat. - Certificates for all management servers with a private key in
.pfxformat. - Certificates for all RDP, RDS and PostgreSQL access servers with alternative names of all balancers and FQDN PAM with a private key in
.pfxformat. Except when the access server is installed on the same host as the management server.
If you plan to place the balancer and the management server on the same host, you will need a certificate with an alternative FQDN PAM name.
When using vIP, each balancer certificate requires a PAM FQDN alternative name.
If there are Windows access servers, their certificates must contain the PAM FQDN or be the same as for the PAM FQDN, otherwise the certificate check in the wizard will result in an error.
The following certificates are required:
- Certificate of the certification authority without a private key in PEM (Base64) format with the
.crtextension. - Certificates for all management servers with a private key in
.pfxformat. - Certificates for all RDP, RDS and PostgreSQL access servers with alternative names of all balancers and FQDN PAM with a private key in
.pfxformat. Except when the access server is installed on the same host as the management server. - Certificates for all balancers with a private key in
.pfxformat.
If you plan to place the balancer and management server on the same host, you will need a certificate with an alternative FQDN PAM name.
When using vIP, each balancer certificate requires a PAM FQDN alternative name.
It is possible to use a wildcard certificate. In this case, the certificate must be issued for the entire domain or have the addresses of all PAM hosts in alternative names.
For LDAPS to work correctly, place the CA certificate in AxidianPAM_3.3\axidian-pam\state\ca-certificates before running the wizard.