Create Delinea Connector Certificate from Internal MS CA

This section describes how to create a machine certificate for use with a Delinea Connector for Privilege Control for Servers. The connector requires a certificate signed by a CA, together with that CA's chain of trust, in order to communicate with the platform. You install the certificate on the computer where the Delinea Connector is installed.

To create a computer certificate template with an exportable private key

  1. On your domain's Certification Authority (CA) server, open the Certification Authority console and expand the CA.

  2. Right-click Certificate Templates and select Manage. This opens the Certificate Templates console.

  3. Scroll down, right-click the Computer template and select Duplicate Template. This opens the properties window for the new template.

  4. Navigate to the Compatibility Settings tab:

    • For the Certification Authority field, select Windows Server 2012 R2 or higher.

    • For the Certificate recipient field, select Windows 8.1 / Windows Server 2012 R2 or higher.

  5. Navigate to the General tab. For Template display name, set it to 'Computer with Exportable Key' (no quotes):

  6. Navigate to the Request Handling tab and check the box to Allow the private key to be exported.

  7. Click the Subject Name tab and choose Supply in the Request:

  8. Navigate to the Security tab. Here, Authenticated Users is selected; in the lower pane, check the Allow boxes for Enroll and Autoenroll. Note that with Supply in the Request set (step 7), every principal that holds Enroll on this template can request a certificate with any subject name it likes. Prefer granting Enroll to the connector's computer account (or a group containing it) rather than to Authenticated Users, and remove the template from the CA's list of templates to issue once the connector certificate has been generated.

  9. Click OK to save this new Certificate Template and close the Certificate Templates Window.

  10. Back in the Certification Authority console, right-click Certificate Templates > New > Certificate Templates to Issue. This opens the Enable Certificate Templates window.

  11. Scroll down to Computer with Exportable Key, select it, and click OK. The CA can now issue certificates based on this template.

  12. Close the Certification Authority console.
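Before enrolling, it is worth confirming what the CA will actually issue from this template and who is allowed to ask for it. The following PowerShell is an added example, not part of the Delinea documentation or product: it reads the template object from Active Directory, decodes the three settings the procedure above changes (subject supplied in the request, exportable key, no manager approval), lists the principals holding Enroll/Autoenroll, and warns if the combination is enrollable by a broad group. It assumes the RSAT ActiveDirectory module on a domain-joined admin host, and that the template's object name (CN) is `ComputerwithExportableKey`, which is what the console derives from the display name 'Computer with Exportable Key' by removing the spaces; adjust `$templateName` if yours differs.

```powershell
# Added example (not from the Delinea documentation): audit the template just published.
# Assumptions: RSAT ActiveDirectory module available; template CN 'ComputerwithExportableKey'
# (display name without spaces, the console default). Run as a user who can read the
# Configuration partition; the certutil call expects to run on the CA host (pass -config otherwise).
Import-Module ActiveDirectory

$templateName = 'ComputerwithExportableKey'
$configNC     = (Get-ADRootDSE).configurationNamingContext
$templateDN   = "CN=$templateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$tpl = Get-ADObject -Identity $templateDN -Properties `
    'msPKI-Certificate-Name-Flag', 'msPKI-Private-Key-Flag', 'msPKI-Enrollment-Flag', 'pKIExtendedKeyUsage'

# Bit values from the AD CS certificate template schema (MS-CRTD)
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1    # msPKI-Certificate-Name-Flag: "Supply in the request"
$CT_FLAG_EXPORTABLE_KEY            = 0x10   # msPKI-Private-Key-Flag: "Allow the private key to be exported"
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2    # msPKI-Enrollment-Flag: "CA certificate manager approval"

$supplyInRequest = ($tpl.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
$exportableKey   = ($tpl.'msPKI-Private-Key-Flag'      -band $CT_FLAG_EXPORTABLE_KEY) -ne 0
$managerApproval = ($tpl.'msPKI-Enrollment-Flag'       -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0

# Who holds the Enroll / Autoenroll extended rights (or full control) on the template object
$enrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$autoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment
$genericAll      = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$acl = Get-Acl -Path "AD:\$templateDN"
$enrollers = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and (
        $_.ObjectType -eq $enrollRight -or
        $_.ObjectType -eq $autoEnrollRight -or
        $_.ActiveDirectoryRights.HasFlag($genericAll)
    )
} | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType

# Is the CA issuing this template? certutil -CATemplates prints one "TemplateName: Display Name -- ..." line each.
$issued = (certutil -CATemplates 2>$null) -match "^$templateName\b"

[pscustomobject]@{
    Template        = $templateName
    IssuedByCA      = [bool]$issued
    SupplyInRequest = $supplyInRequest
    ExportableKey   = $exportableKey
    ManagerApproval = $managerApproval
    EKUs            = ($tpl.pKIExtendedKeyUsage -join ', ')
} | Format-List
$enrollers | Format-Table -AutoSize

# A template whose subject comes from the request, with no approval step, enrollable by a broad group,
# lets any of those principals obtain a certificate for an arbitrary name.
$broad = $enrollers | Where-Object { $_.IdentityReference -match 'Authenticated Users|Domain Users|Domain Computers|Everyone' }
if ($supplyInRequest -and -not $managerApproval -and $broad) {
    Write-Warning ("Template '$templateName' is enrollable by: $($broad.IdentityReference -join ', '). " +
                   'Restrict Enroll to the connector host (or a dedicated group) and unpublish the template when done.')
}
```

Run it once after step 11 and again after the connector certificate has been issued and the template unpublished; the second run should report IssuedByCA as False.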

To generate a computer certificate for the Delinea Connector:

  1. On the server where you are going to create the certificate, open mmc.exe.

  2. In the MMC console, go to File > Add/Remove Snap-in, select the Certificates snap-in, and click Add.

  3. For Certificates snap-in, choose Computer account and click Next:

  4. For the Select computer screen, keep all defaults, click Finish, then click OK.

  5. Back in the console, under Console Root, right-click Personal > All Tasks > Request New Certificate. Click Next on the Certificate Enrollment screen. On the Select Certificate Enrollment Policy screen, make sure Active Directory Enrollment Policy is selected and click Next.

  6. On the Request Certificates screen, select the Computer with Exportable Key check box and click the link directly beneath it: More information is required to enroll for this certificate. Click here to configure settings.

  7. On the Subject tab, under Subject name, choose a type (for example, Common name), enter the value (typically the connector server's name, which is how the certificate is listed in the store later) and click Add. Under Alternative name, choose a type (for example, DNS), enter the value and click Add. The values move to the right-hand pane. Click OK, then click Enroll and, once the certificate has been issued, click Finish.

    After enrollment, you can confirm the values by opening the issued certificate and checking the Subject and Subject Alternative Name fields on the Details tab.
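The same enrollment can be driven from an elevated PowerShell session on the machine using the PKI module's `Get-Certificate` cmdlet (Windows 8.1 / Server 2012 R2 and later), which also makes it easy to check, before you reach the export wizard, that the key really was generated as exportable. This is an added example, not code from the Delinea documentation or product. It assumes the template CN is `ComputerwithExportableKey` and that the subject and DNS alternative name are the host's own fully qualified name; change those two values if you supplied something else in step 7.

```powershell
# Added example (not from the Delinea documentation): the enrollment above, done with the PKI module.
# Run elevated, since the certificate is written to LocalMachine\My.
# Assumptions: template CN 'ComputerwithExportableKey'; subject and SAN are this host's FQDN.
$templateName = 'ComputerwithExportableKey'
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

function Test-PrivateKeyExportable {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    if (-not $Certificate.HasPrivateKey) { return $false }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        # Key Storage Provider (CNG) key: exportability is a policy flag on the key handle
        $policy = $rsa.Key.ExportPolicy
        return ($policy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
    }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # Legacy CSP key: the key container records whether it was created exportable
        return $rsa.CspKeyContainerInfo.Exportable
    }
    return $false
}

# Request through the Active Directory enrollment policy, as the MMC wizard does.
$result = Get-Certificate -Template $templateName `
                          -SubjectName "CN=$fqdn" `
                          -DnsName $fqdn `
                          -CertStoreLocation Cert:\LocalMachine\My

if ($result.Status -ne 'Issued') {
    throw "Enrollment did not complete: status is '$($result.Status)'. Check the CA's Pending and Failed Requests."
}
$cert = $result.Certificate

# Show what was issued: subject, SAN (OID 2.5.29.17), validity and whether the key can leave the box.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$san = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }
$exportable = Test-PrivateKeyExportable -Certificate $cert

[pscustomobject]@{
    Subject    = $cert.Subject
    SAN        = $san
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    Exportable = $exportable
} | Format-List

if (-not $exportable) {
    Write-Warning 'Private key is not exportable: the certificate was not issued from a template with "Allow the private key to be exported" set, so the PFX export will fail.'
}
```

The thumbprint printed here is the safest way to pick the right certificate in the export step, since a host that has been enrolled more than once will have several entries with the same subject.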

To export the certificate with the private key

You export the certificate and install it onto the computer where you have installed the connector.

  1. Under Personal > Certificates, right-click the connector certificate (it is listed by the subject name you supplied, for example Delinea or the name of the server) and select All Tasks > Export.

  2. On the welcome page click Next.

  3. On the Export Private Key screen, select Yes, export the private key and click Next.

  4. For Export File Format, keep the default (Personal Information Exchange - PKCS #12 (.PFX)) and click Next.

  5. On the Security screen, select Group or user names (recommended) and click Add. This protects the file to the chosen Active Directory principals instead of a password: only a member of those principals, on a domain-joined computer, can import it.

  6. On the Select User, Computer, Service Account, or Group screen, enter domain admin (or another group or user that will import the certificate on the connector computer) in the Enter the object name to select field and click Check Names.

  7. Click OK and click Next.

  8. For File to Export, click Browse, choose a location and file name, and click Save.

  9. Click Next. Make a note of this location because you'll need it during connector setup (example: c:\delinea\delinea.pfx).

  10. On the Completing the Certificate Export Wizard screen, click Finish. A dialog confirms that the export was successful; click OK.
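The export wizard maps directly onto `Export-PfxCertificate` from the PKI module, which is handy when the certificate was generated on one host and the file has to be produced repeatably. The following is an added example, not code from the Delinea documentation or product. It selects the certificate by the host's FQDN, writes it to the page's example path `C:\delinea\delinea.pfx`, protects it to an AD group exactly as the wizard's Group or user names option does, tightens the NTFS ACL on the file (the wizard does not), and reads the file back to verify it contains the expected key. `CORP\Domain Admins` is a hypothetical domain and group; substitute the principal you chose in step 6.

```powershell
# Added example (not from the Delinea documentation): the export wizard above as PowerShell (PKI module).
# Assumptions: the certificate to export has subject CN=<this host's FQDN> and a private key;
# 'CORP\Domain Admins' is a placeholder for the group or user chosen in step 6.
$fqdn    = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$pfxPath = 'C:\delinea\delinea.pfx'
$group   = 'CORP\Domain Admins'

# Newest certificate for this host that actually has a private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$fqdn" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for CN=$fqdn in LocalMachine\My" }

New-Item -ItemType Directory -Path (Split-Path $pfxPath -Parent) -Force | Out-Null

# "Group or user names" in the wizard = DPAPI-NG protection to an AD principal. No password to handle,
# but the file can only be imported by a member of $group, on a domain-joined host that can reach a DC.
# The chain is included by default, matching the wizard's default.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -ProtectTo $group | Out-Null

# Alternative when the importing host is not domain-joined: a password instead of -ProtectTo.
# $pw = Read-Host -AsSecureString -Prompt 'PFX password'
# Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pw | Out-Null

# The file now carries the connector's private key: drop inherited NTFS ACEs and grant access only to
# the chosen group and SYSTEM.
$acl = Get-Acl -Path $pfxPath
$acl.SetAccessRuleProtection($true, $false)
foreach ($identity in @($group, 'NT AUTHORITY\SYSTEM')) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $pfxPath -AclObject $acl

# Read the file back (as a member of $group) and check it holds the certificate we exported.
$pfx   = Get-PfxData -FilePath $pfxPath
$match = $pfx.EndEntityCertificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $match) { throw "Exported file does not contain certificate $($cert.Thumbprint)" }
"Exported $($cert.Thumbprint) for CN=$fqdn to $pfxPath (protected to $group); use this path during connector setup."
```

Whichever protection you pick, delete the PFX from the exporting host once it has been imported on the connector, and remember that a password-protected PFX is only as strong as the password, so transfer it over an authenticated channel rather than e-mail.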