Creating a Connector Machine Certificate from an Internal Microsoft CA

You can use the information in this section to guide you in creating a machine certificate for use with a connector in the Privileged Access Service. The connector requires a signed certificate and root of trust in order to communicate with the Delinea PAS.

To create a computer certificate template with an exportable private key

  1. On your domain’s Certification Authority (CA) server, open the Certification Authority console and expand the CA.

  2. Right-click Certificate Templates and select Manage.
    This opens the Certificate Templates console.

  3. Scroll down, right-click the Computer template and select Duplicate Template.
    This opens the new certificate template window.

  4. Navigate to the Compatibility Settings tab:

    • For the Certification Authority field, select Windows Server 2012 R2 or higher.

    • For the Certificate Recipient field, select Windows 8.1 / Windows Server 2012 R2 or higher.

  5. Navigate to the General tab and set Template display name to “Computer with Exportable Key” (no quotes).

  6. Navigate to the Request Handling tab and check the checkbox “Allow the private key to be exported.”

  7. Click the Subject Name tab and choose Supply in the request.

  8. Navigate to the Security tab. With Authenticated Users highlighted, check the Enroll and Autoenroll boxes in the lower pane.

  9. Click OK. This saves the new certificate template and closes the Certificate Templates console.

  10. Back in the Certification Authority console, right-click Certificate Templates > New > Certificate Templates to Issue. This opens the Enable Certificate Templates window.

  11. Scroll down to Computer with Exportable Key and click OK. The modified template is now ready for use through group policy.

  12. Close the Certification Authority console.

To generate a computer certificate for the Delinea Connector

  1. In the server where you’re going to create the certificate, open the mmc.exe program.

  2. In the MMC program, navigate to File > Add/Remove Snap-ins, select the Certificates snap-in and click Add.

  3. For the Certificates snap-in, choose Computer account and click Next.

  4. On the Select Computer screen, keep the defaults, click Finish and then click OK.

  5. Back in the console, under Console Root, right-click Personal > All Tasks > Request New Certificate. Click Next on the Certificate Enrollment screen. On the Select Certificate Enrollment Policy screen, ensure Active Directory Enrollment Policy is selected and click Next.

  6. On the Request Certificates screen, check the box for Computer with Exportable Key and click the hyperlink directly beneath it: More information is required to enroll for this certificate. Click here to configure settings.

  7. Click Add for both Subject name and Alternative name to move the set values to the right-hand side, then click OK.

    Note: The Subject name and Alternative name values can be read from the certificate details (the Subject and Subject Alternative Name fields).

To export the certificate with the private key

  1. Under Personal > Certificates, right-click the Delinea certificate (or the certificate named after the server) and select Export.

  2. On the welcome page click Next.

  3. On the Export Private Key screen, select Yes, export the private key and click Next.

  4. For Export File Format, keep the default (Personal Information Exchange - PKCS #12 (.PFX)) and click Next.

  5. On the Security screen, check the box Group or user names (recommended) and click Add. On the Select User, Computer, Service Account, or Group screen, enter domain admin in the Enter the object name to select (examples) field and click Check Names. Click OK and then click Next.

  6. For File to Export, name the file and click Save.

  7. Click Next. Make a note of this location; you’ll need it during Delinea setup (example: c:\centrify\centrify.pfx).

  8. Lastly, on the Completing the Certificate Export Wizard screen, click Finish.
    A pop-up states that the export was successful.
    Click OK.

    Install the exported certificate on the computer where the cloud connector is installed. For details, see Importing a Certificate.
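The enrollment and export steps above can also be run from PowerShell on the connector server, which makes it easy to confirm the private key is actually exportable and that the chain to the internal CA root builds before the PFX leaves the machine. This is an added example, not Delinea's own tooling; it assumes the duplicated template's internal Template name is ComputerwithExportableKey (check the General tab; the display name with spaces removed is the default), that the server is domain-joined, and that the Domain Admins group is the principal the PFX should be protected to, matching the wizard's "Group or user names" option.

```powershell
# Added example: enroll, verify and export the connector machine certificate.
# Assumptions (not from the Delinea page): template name, output path and protecting group below.
$TemplateName = 'ComputerwithExportableKey'            # internal Template name, not the display name
$Fqdn         = [System.Net.Dns]::GetHostByName($env:COMPUTERNAME).HostName
$PfxPath      = 'C:\centrify\centrify.pfx'              # same location the wizard steps use as an example
$ProtectTo    = "$env:USERDOMAIN\Domain Admins"         # equivalent of "Group or user names (recommended)"

# 1. Enroll through the Active Directory enrollment policy (MMC > Personal > Request New Certificate).
#    Subject and SAN are supplied in the request because the template is set to "Supply in the request".
$result = Get-Certificate -Template $TemplateName `
                          -SubjectName "CN=$Fqdn" `
                          -DnsName $Fqdn `
                          -CertStoreLocation Cert:\LocalMachine\My
if ($result.Status -ne 'Issued') {
    throw "Enrollment did not complete: status is $($result.Status) (pending requests need CA approval)"
}
$cert = $result.Certificate

# 2. Verify before exporting: private key present, exportable, and chain valid for the server's name.
if (-not $cert.HasPrivateKey) { throw 'Certificate has no associated private key' }
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$exportable = switch ($rsa) {
    # CNG key (Key Storage Provider): export policy is a flag on the key
    { $_ -is [System.Security.Cryptography.RSACng] } {
        $_.Key.ExportPolicy.HasFlag([System.Security.Cryptography.CngExportPolicies]::AllowExport)
    }
    # Legacy CSP key (default for a duplicated Computer template): exportability is on the container
    { $_ -is [System.Security.Cryptography.RSACryptoServiceProvider] } { $_.CspKeyContainerInfo.Exportable }
    default { $false }
}
if (-not $exportable) {
    throw 'Private key is not exportable; re-check "Allow the private key to be exported" on the template'
}
# Test-Certificate builds the chain against the machine's trusted roots and checks the SSL name/EKU,
# which is what the connector relies on when it presents this certificate.
if (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName $Fqdn -ErrorAction SilentlyContinue)) {
    throw 'Chain or name validation failed; confirm the CA root is in Trusted Root Certification Authorities'
}

# 3. Export as PKCS #12 including the chain, protected to the group rather than to a shared password.
New-Item -ItemType Directory -Path (Split-Path $PfxPath) -Force | Out-Null
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -ProtectTo $ProtectTo -ChainOption BuildChain | Out-Null
Write-Host "Exported $($cert.Thumbprint) for $Fqdn to $PfxPath (readable only by $ProtectTo)"
```

Because the PFX is protected to a group rather than a password, only a member of that group can import it during connector setup, so run the import as such an account or adjust $ProtectTo accordingly.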