How to Manage Tenant Signing Certificates
This scenario is intended to guide system administrators on how to add and
manage signing certificates that are used to establish a secure connection
between the Privileged Access Service and web applications. The Settings >
Authentication > Signing Certificates page lists all of the certificates that
have been uploaded to the Delinea tenant. In addition to uploading new
certificates, you can also manage the existing set of certificates.
This scenario includes information on the following topics:
Adding a Signing Certificate
Before you deploy applications from the Delinea App Catalog, you can upload
signing certificates to the Delinea tenant. The signing certificates can then
be applied on a per-application basis when adding and configuring applications
from the App Catalog.
The Default Tenant Application Certificate displayed in the
Signing Certificate page is set as the default. Most applications can be configured using the default tenant signing certificate. For more information on certificates and deploying applications, see Applications.
To add a new signing certificate:
- In the Admin Portal, click Settings > Authentication > Signing Certificates to display the Signing Certificates page.
- Click Add.
- Type a name for the certificate and, if the file requires it, the password for the file.
- Click Browse to upload an archive certificate file.
- Make sure the certificate file is located on your local storage so you can select to upload it to the Delinea tenant.
- Click Save.
Viewing Signing Certificate Information
Once the certificate file is uploaded, it is displayed on the Signing Certificate
page. The following information is displayed:
| Field | Description |
|---|---|
| Name | The name given to the certificate file when it was added to the Delinea tenant. |
| Default | A check mark indicates that the certificate is set as the default. |
| Subject | The organization name that issued the certificate. |
| Thumbprint | A unique string that identifies the certificate. |
| Algorithm | The cryptographic algorithm used in the certificate (such as SHA256RSA). |
| Issued By | The name of the Certificate Authority that issued the certificate. |
| Expires | The date when the certificate is no longer valid. |
| Uploaded | Yes indicates that the certificate was uploaded by the Delinea tenant. Blank indicates that the certificate is the default tenant signing certificate. |
Deleting a Signing Certificate
You can remove a signing certificate from the Delinea tenant only if the
certificate is not being used by an application, is uploaded by the tenant, and is not currently the default signing certificate (Default Tenant Application Certificate). If you try to remove a certificate that is in use, an error message is displayed and you are prevented from removing the certificate.
To remove a signing certificate from the Delinea tenant:
- In the Admin Portal, click Settings > Authentication > Signing Certificates to display the Signing Certificates page.
- Select the certificate that you want to delete from the list.
- Click the Actions menu, then click Delete.
- Click Yes to confirm that you want to proceed with deleting the certificate.
Renaming a Signing Certificate
If you need to change the name of a certificate you already uploaded, you can change it from the Signing Certificate page.
The Default Tenant Application Certificate cannot be renamed.
To rename a signing certificate:
- In the Admin Portal, click Settings > Authentication > Signing Certificates to display the Signing Certificates page.
- Select the certificate that you want to rename.
- Click the Actions menu, then click Rename.
- Type the new name and then click Save.
Downloading a Signing Certificate
Any signing certificates uploaded to the Delinea tenant can be downloaded to your local computer or a destination you specify and used to configure applications from the App Catalog.
To download a signing certificate:
- In the Admin Portal, click Settings > Authentication > Signing Certificates to display the Signing Certificates page.
- Select the certificate that you want to download.
- Click the Actions menu, then click Download.
Setting a Signing Certificate as the Default
The first time you log in to the Admin Portal, the Default Tenant Signing
Certificate is available and is set as the default signing certificate. If you
upload additional signing certificates, you can change the signing certificate
that you want to act as the default. The new signing certificate that you set as
the default is then automatically used when you deploy applications unless you
change it during the application configuration process.
To set a new default signing certificate:
- In the Admin Portal, click Settings > Authentication > Signing Certificates to display the Signing Certificates page.
- Select the certificate that you want to set as the default.
- Click the Actions menu, then click Set as Default.
Updating a Deprecated Signing Certificate
Some applications have deprecated support for the SHA-1 signing certificate. If an application was deployed with a SHA-1 certificate that is now deprecated, and
user authentication to the application fails, you need to update the security
certificate. You can download the default SHA-2 certificate (Default Tenant
Application Certificate) available from the Admin Portal or you can upload
your own SHA-2 certificate and reapply it.
To update an expired signing certificate:
- Download the default signing certificate from Settings > Authentication > Platform > Signing Certificates to your local computer. See Downloading a Signing Certificate for more information.
- Alternatively, you can upload your own SHA-2 certificate from Settings > Authentication > Signing Certificates and then click Add. See Adding a Signing Certificate for more information.
- Apply the signing certificate for the application to Application Settings in the Admin Portal and to the application itself.
- Check the application documentation for details on how to apply the certificate to the application.

Be sure to use a matching certificate both in the application settings in the Admin Portal and in the application itself.
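
A local check to run before uploading or re-applying a certificate, as an added example that is not part of the Delinea documentation: it reads the signature algorithm to tell a SHA-1 certificate from a SHA-2 one, and compares fingerprints to confirm that the copy from the Admin Portal and the copy in the application are the same certificate. It assumes the openssl CLI is installed and that the password-protected archive file is PKCS#12; the function names are this example's own.

```shell
#!/bin/sh
# Added example: function names are hypothetical; only the openssl CLI is assumed.

# Extract the certificate (no private key) from a password-protected PKCS#12
# archive (assumed format). The password is read from the PFX_PASS environment
# variable so it does not appear on the command line.
pfx_cert() {   # usage: pfx_cert archive.pfx out.pem
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:PFX_PASS -out "$2"
}

# Signature algorithm as openssl names it, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        awk -F': ' '/Signature Algorithm/ { print $2; exit }'
}

# Map an algorithm name (openssl style, or the SHA256RSA style shown in the
# Algorithm column) to sha1, sha2 or other.
classify_sig_alg() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *sha1*) echo sha1 ;;
        *sha224*|*sha256*|*sha384*|*sha512*) echo sha2 ;;
        *) echo other ;;
    esac
}

# Fingerprint with colons removed. The digest defaults to sha256; the page does
# not say which digest the Thumbprint column uses, so pass the matching one.
cert_thumbprint() {   # usage: cert_thumbprint cert.pem [digest]
    openssl x509 -in "$1" -noout -fingerprint "-${2:-sha256}" |
        sed 's/^.*=//' | tr -d ':'
}

# Succeeds only when both files are readable and hold the same certificate.
certs_match() {
    a=$(cert_thumbprint "$1") && b=$(cert_thumbprint "$2") || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Report for each certificate file given on the command line.
for f in "$@"; do
    alg=$(cert_sig_alg "$f")
    printf '%s: %s (%s), thumbprint %s\n' "$f" "$alg" \
        "$(classify_sig_alg "$alg")" "$(cert_thumbprint "$f")"
    openssl x509 -in "$f" -noout -checkend 0 >/dev/null || echo "$f: EXPIRED"
done
```

A result of `sha1` from `classify_sig_alg` marks a certificate that applications with deprecated SHA-1 support will reject; `certs_match` returning non-zero means the two sides are configured with different certificates.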