Enabling Certificate Authentication by Smart Card and Tenant CAs
The setup_certauth.ps1 script is provided with the Delinea Privileged Access Service to enable certificate authentication when client certificates are issued by Delinea or by your own certificate authority.
After you execute setup_certauth.ps1, the Certificate Authorities feature located in the Admin Portal Customization > Settings > Authentication page is enabled. In the Certificate Authorities page, you can configure authentication by smart card and by certificates issued by your PKI infrastructure. If you do not execute setup_certauth.ps1, the Certificate Authorities feature located in the Admin Portal Customization > Settings > Authentication page remains disabled, and is not visible.
Before you can execute setup_certauth.ps1, you must ensure that the following prerequisites are met:
- A CNAME record that points the DNS host to the Delinea PAS host has been created within your DNS infrastructure. After the CNAME record is created, it can take up to 15 minutes for the CNAME to resolve the IP addresses of the DNS host and the Delinea PAS host.
- A certificate from a trusted certificate authority has been issued for the DNS host. When the setup_certauth.ps1 script runs, you will be prompted to specify the path to this certificate.
The setup_certauth.ps1 script validates these prerequisites during runtime. If either prerequisite is not met, setup_certauth.ps1 aborts.
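Both prerequisites can be checked by hand before you run the script. The following is an added example, not code from Delinea or from setup_certauth.ps1. The host names and certificate path are placeholders, and it assumes Windows PowerShell on an English-language system and a certificate file that loads without a password.

```powershell
# Added example: pre-flight check for the two prerequisites. Not part of setup_certauth.ps1.
# All three values are placeholders (assumptions); substitute your own.
$DnsHost  = 'certauth.example.com'    # hypothetical CNAME created for certificate authentication
$PasHost  = 'pas.example.com'         # hypothetical Delinea PAS host the CNAME must point to
$CertPath = 'C:\certs\certauth.cer'   # hypothetical path to the certificate issued for $DnsHost

function Test-CnameTarget {
    param([string]$Name, [string]$ExpectedTarget)
    # Ask DNS only (no hosts file, no NetBIOS) for the CNAME record of $Name.
    $records = Resolve-DnsName -Name $Name -Type CNAME -DnsOnly -ErrorAction SilentlyContinue
    $targets = @($records | Where-Object { $_.Type -eq 'CNAME' } |
                 ForEach-Object { $_.NameHost.TrimEnd('.') })
    return ($targets -contains $ExpectedTarget.TrimEnd('.'))
}

function Test-HostCertificate {
    param([string]$Path, [string]$HostName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path

    # Collect DNS names from the Subject Alternative Name extension (OID 2.5.29.17).
    # The "DNS Name=" label is what English-language Windows prints; other locales differ.
    $san   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $text  = if ($san) { $san.Format($false) } else { '' }
    $names = @([regex]::Matches($text, 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value })

    # Accept an exact match, or a wildcard that replaces only the leftmost label.
    $wildcard = $HostName -replace '^[^.]+', '*'
    $nameOk   = ($names -contains $HostName) -or ($names -contains $wildcard)

    # Build the chain against the local machine's trust store (revocation is checked online).
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)
    $now     = Get-Date

    [pscustomobject]@{
        Subject      = $cert.Subject
        SanDnsNames  = $names -join ', '
        NameMatches  = $nameOk
        NotExpired   = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        ChainTrusted = $chainOk
        ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

$cnameOk = Test-CnameTarget -Name $DnsHost -ExpectedTarget $PasHost
"CNAME $DnsHost -> $PasHost : $cnameOk"
Test-HostCertificate -Path $CertPath -HostName $DnsHost | Format-List
```

A False in NameMatches, NotExpired or ChainTrusted, or a CNAME result of False, points to the prerequisite that needs attention before you run setup_certauth.ps1.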
To enable authentication by smart card and tenant CAs:
- On the computer where the Delinea PAS is running, open a PowerShell console window as a Windows administrator.
- In the PowerShell console, change to the Delinea PAS scripts folder. The scripts folder is located in the installation folder that was specified during Delinea PAS installation. If the default installation location was selected, the scripts folder is in 'C:\Program Files\Centrify\Centrify Identity Service'.
- From the scripts folder, run the setup_certauth.ps1 script: '.\setup_certauth.ps1'
- When the script prompts you to verify that the prerequisites are satisfied, type Y and press Enter.
- The script validates prerequisites, and prompts you for the path to the DNS host certificate. Type the path to the certificate and press Enter.
When the script finishes, the Certificate Authorities feature located in the Admin Portal Customization > Settings > Authentication page is enabled.