How to create and apply a certificate for all members of a PAM cluster

Document ID : KB000117308
Last Modified Date : 08/02/2019
Introduction:
If you want to use one certificate for all members of a PAM cluster it must be created and applied properly.  This document explains how to perform this task.
Instructions:
In order to use one certificate for all members of a PAM cluster the certificate must be generated properly.  You have two options:
1.  Generate the CSR on PAM and send it to your Certificate Authority.
2.  Generate the request for the certificate outside of PAM

In the first case you will have to populate the fields of the CSR, including the addresses and FQDNs of all the nodes in the cluster, as well as the VIP and VIP domain names for all cluster sites, in the Alternate Subject Names field. If one of these names is used as the Common Name of the certificate, you still need to include it in the Alternate Subject Names list. In the second case you can do the same thing. It may also be possible to generate a wildcard certificate.

Whichever option is used, the certificate will have to be loaded on all nodes. You will have to load the Root Certificate (type "CA Bundles") and Intermediate Certificates first. Before you can load intermediate or server certificates, you will have to load any CRLs needed by each certificate. You can set the CRL Options to automatically load CRLs or to use OCSP instead. Determine which applies by examining the certificates to be loaded and checking their CRL Distribution Points. Either manually retrieve the CRLs using the URLs in the certificate, or set the CRL options to automatically download the CRL before you upload the certificate. If no CRL Distribution Point is listed, you will need to select OCSP before you upload the certificate.

If the CSR was generated on PAM, a key file will be created on that same system. You will load the signed certificate after loading the Root certificate, any Intermediate certificates, and CRLs if necessary. The name of the certificate has to match the name of the key file, aside from the extension (.crt vs .key). You will have to download the key file from this system, which will require that you provide a password. For the other nodes in the cluster you will load the Root and Intermediate certificates as well. Instead of loading the signed certificate you received from the Certificate Authority, you will combine it with the key file you downloaded into a .pem file whose name matches that of the certificate and key file. Make sure to combine the files using a program that will not add any carriage returns; for example, use Notepad++. You will then load this file as "Certificate with Private Key" and provide the password that you used when downloading the key file.

With the certificates loaded you will go to the Config --> Security --> Certificates --> Set page.  Select the certificate you loaded and then click Verify and then Accept.  This will require that the system be rebooted, so make sure not to perform this task while clustered or when the system is being used.
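The steps above, carried out with the openssl command line as an added example (this is not from the KB article or from PAM itself): the CSR carries every node FQDN/IP plus the site VIP and VIP domain name in its Subject Alternative Name list, the signed certificate is inspected for CRL Distribution Points to decide between CRL download and OCSP, and certificate and key are combined into a .pem with any carriage returns removed. All hostnames, IPs and file names are constructed placeholders; OpenSSL 1.1.1 or later is assumed for -addext.

```shell
#!/bin/sh
# Added example, not PAM's own tooling. Hostnames/IPs below are constructed.
set -eu

# Constructed SAN list: every cluster node (FQDN and IP), the VIP address and
# the VIP domain name. The Common Name is repeated in the list on purpose,
# as the article requires.
SAN_LIST="DNS:pam-vip.example.com,IP:192.0.2.10,DNS:pam-node1.example.com,IP:192.0.2.11,DNS:pam-node2.example.com,IP:192.0.2.12"

# make_csr NAME: write NAME.key and NAME.csr (same base name, as PAM expects
# for the .crt/.key pair) with the SAN list above.
make_csr() {
  name=$1
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$name.key" -out "$name.csr" \
    -subj "/CN=pam-vip.example.com/O=Example" \
    -addext "subjectAltName=$SAN_LIST" 2>/dev/null
}

# csr_sans FILE: print the SAN line so it can be checked before sending the
# request to the Certificate Authority.
csr_sans() {
  openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1
}

# has_crl_dp CERT: exit 0 if the certificate lists CRL Distribution Points
# (fetch the CRL or enable automatic download before upload), exit 1 if it
# lists none (select OCSP before upload).
has_crl_dp() {
  openssl x509 -in "$1" -noout -text | grep -q 'CRL Distribution Points'
}

# make_pem NAME: combine NAME.crt and NAME.key into NAME.pem for the other
# cluster nodes, stripping any carriage returns an editor may have added.
make_pem() {
  name=$1
  cat "$name.crt" "$name.key" | tr -d '\r' > "$name.pem"
}
```

Run `make_csr pamcluster` on the node that will hold the key, check `csr_sans pamcluster.csr` before submitting, and after the signed certificate is back use `has_crl_dp` to pick the CRL option and `make_pem` to build the file uploaded as "Certificate with Private Key".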

For additional information on using certificates with PAM, refer to the online documentation at https://docops.ca.com/ca-privileged-access-manager/3-2-3/EN/implementing/configuring-your-server/configure-security-settings/creating-a-self-signed-certificate-or-a-certificate-signing-request