Generate a Certificate Request for your PAM Server

The following article describes the process of generating a certificate request for your PAM server.

Before proceeding, be sure that you have access to the PAM host server (the server on which PAM was installed) and have enough permissions on this server to execute commands and update files.

  1. Log in to the PAM host server and open a command line. Be sure you have the required permissions to execute commands; on Windows, run the prompt as an administrator.
  2. In the command prompt, navigate to the directory where PAM is installed. We will reference this as $PAM_HOME.
  3. Type the command below to generate the server's private key. PAM's private key is stored in a keystore, and both the keystore and the private key are generated in this step. Make sure that the keystore password and the private key password are identical (sub-step 5 below shows how). 
    1. For Windows deployments:

      bin\PamKeytool.cmd -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore xtamkeystore.jks

    2. For Linux deployments:

      bin/PamKeytool.sh -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore xtamkeystore.jks

    3. When this command runs, first enter and then re-enter a keystore password.

    4. Next, the command prompts for the X.509 attributes of the certificate. Populate them according to the rules of your organization and of the Microsoft CA that will issue the certificate. Make sure that the first attribute, First and last name (Common Name (CN)), contains the fully qualified host name that users will enter to reach PAM over HTTPS (for example pam.company.com).

    5. When prompted for the password for the private key alias (tomcat), press Enter. This sets the private key password to the same password used for the keystore, entered at the beginning.

    Note that an SSL certificate is only valid for the host name specified during CSR generation (in the First and last name (Common Name (CN)) attribute).

    For example, a certificate issued for the name "domain.com" will trigger a browser warning when the site is accessed as "www.domain.com" or "secure.domain.com", because "www.domain.com" and "secure.domain.com" are different names from "domain.com". Also note that current browsers validate the host name against the certificate's Subject Alternative Name (SAN) extension rather than the CN, so before installing the issued certificate, check that it lists the PAM host name (and every other name users will type) in its SAN.

  4. Next, generate a CSR from the private key created above. Type the following command:

    1. For Windows deployments:

      bin\PamKeytool.cmd -certreq -keyalg RSA -alias tomcat -file xtam.csr -keystore xtamkeystore.jks

    2. For Linux deployments:

      bin/PamKeytool.sh -certreq -keyalg RSA -alias tomcat -file xtam.csr -keystore xtamkeystore.jks

    3. As a result, you will have the file xtam.csr in the $PAM_HOME directory. Submit this file to the Microsoft CA to obtain your SSL certificate. Review the CSR's subject before submitting it: a request carrying the wrong host name cannot be corrected by the CA and must be regenerated.

  5. PAM expects the resulting certificate in PFX format, in a file with the extension .pfx. If the CA produces a .pfx file, use it as the PAM Server certificate. If, instead of a .pfx file, the certificate authority produces separate CRT files for the root (root.crt), the intermediate chain (bundle.crt) and the server certificate (xtam.crt), copy them to the $PAM_HOME directory and import them into the keystore generated earlier, in the order shown (root first, then intermediate, then the server certificate, so that the chain can be verified when the server certificate is installed), using the following commands from the $PAM_HOME directory:

    Make sure to replace the file names root.crt, bundle.crt and xtam.crt below with the certificate file names produced by your CA.

    1. For Windows deployments:

      bin\PamKeytool.cmd -import -alias root -keystore xtamkeystore.jks -trustcacerts -file root.crt
      bin\PamKeytool.cmd -import -alias intermed -keystore xtamkeystore.jks -trustcacerts -file bundle.crt
      bin\PamKeytool.cmd -import -alias tomcat -keystore xtamkeystore.jks -trustcacerts -file xtam.crt

    2. For Linux deployments:

      bin/PamKeytool.sh -import -alias root -keystore xtamkeystore.jks -trustcacerts -file root.crt
      bin/PamKeytool.sh -import -alias intermed -keystore xtamkeystore.jks -trustcacerts -file bundle.crt
      bin/PamKeytool.sh -import -alias tomcat -keystore xtamkeystore.jks -trustcacerts -file xtam.crt

    3. The server certificate must be imported under the same alias (tomcat) as the private key generated in step 3, so that the CA-issued certificate is associated with that key rather than stored as a separate trusted certificate.

    4. After that, use the file $PAM_HOME/xtamkeystore.jks (use the full path) as the certificate, with the keystore password you entered in step 3.
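The whole procedure above, scripted so it can be rehearsed end to end before the real CA is involved. This is an added example and not part of the PAM product or its documentation. It assumes the following (none of which the page states): that PamKeytool.cmd/PamKeytool.sh wrap the JDK keytool with the same options, so keytool is called directly here (override with the KEYTOOL variable); that a throwaway keytool-signed root CA may stand in for Microsoft CA, so the CSR and the chain import can be exercised offline; that adding the host name as a Subject Alternative Name is wanted, since browsers validate SAN, not CN. The host name, the password, the directory and the pam_* function names are placeholders. The final step also converts the JKS keystore to the .pfx that PAM prefers.

```shell
#!/bin/sh
# Added example (not PAM product code): rehearse the keystore -> CSR -> chain
# import flow with the JDK keytool.  Assumptions: PamKeytool.sh wraps keytool
# with the same options (so keytool is used directly); host name, password and
# paths are placeholders; a throwaway keytool-signed CA stands in for Microsoft CA.
set -eu

KEYTOOL="${KEYTOOL:-keytool}"
ALIAS=tomcat

# Step 3: private key plus self-signed placeholder in a new JKS keystore.
# Store and key password are deliberately identical, as the page requires.
# -ext SAN adds the host name as a Subject Alternative Name; browsers validate
# that extension, the CN alone is not enough for them.
pam_genkey() {
  ks=$1; fqdn=$2; pass=$3
  "$KEYTOOL" -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
    -keystore "$ks" -storetype JKS -storepass "$pass" -keypass "$pass" \
    -dname "CN=$fqdn,O=Example Corp,C=US" -ext "SAN=dns:$fqdn"
}

# Step 4: CSR from that key.  The SAN is repeated so it lands in the request.
pam_certreq() {
  ks=$1; fqdn=$2; pass=$3; csr=$4
  "$KEYTOOL" -certreq -alias "$ALIAS" -keystore "$ks" -storepass "$pass" \
    -ext "SAN=dns:$fqdn" -file "$csr"
}

# Sanity check before the request goes to the CA: a CSR with the wrong name
# cannot be fixed by the CA, only regenerated.  Returns 0 when both the CN and
# the SAN carry the expected host name.
pam_check_csr() {
  csr=$1; fqdn=$2
  req=$("$KEYTOOL" -printcertreq -file "$csr")
  printf '%s\n' "$req" | grep -q "CN=$fqdn" || return 1
  printf '%s\n' "$req" | grep -q "DNSName: $fqdn" || return 1
}

# Stand-in for Microsoft CA: a self-signed root (BasicConstraints CA:true) in
# its own keystore signs the CSR, and its certificate is exported as root.crt.
pam_mock_ca_sign() {
  work=$1; fqdn=$2; pass=$3
  "$KEYTOOL" -genkeypair -alias ca -keyalg RSA -keysize 2048 -validity 3650 \
    -keystore "$work/ca.jks" -storetype JKS -storepass "$pass" -keypass "$pass" \
    -dname "CN=Example Test Root CA,O=Example Corp,C=US" -ext bc:c
  "$KEYTOOL" -gencert -alias ca -keystore "$work/ca.jks" -storepass "$pass" \
    -infile "$work/xtam.csr" -outfile "$work/xtam.crt" -validity 365 -rfc \
    -ext "SAN=dns:$fqdn"
  "$KEYTOOL" -exportcert -alias ca -keystore "$work/ca.jks" -storepass "$pass" \
    -rfc -file "$work/root.crt"
}

# Step 5: import in chain order.  Root and (optional) intermediate go in as
# trusted certificates; the server certificate goes in under the key alias,
# which makes keytool treat it as the CA reply for that key and build the
# chain from the entries imported just before it.
pam_import_chain() {
  ks=$1; pass=$2; root=$3; inter=$4; leaf=$5
  "$KEYTOOL" -importcert -noprompt -alias root -trustcacerts \
    -keystore "$ks" -storepass "$pass" -file "$root"
  if [ -n "$inter" ]; then
    "$KEYTOOL" -importcert -noprompt -alias intermed -trustcacerts \
      -keystore "$ks" -storepass "$pass" -file "$inter"
  fi
  "$KEYTOOL" -importcert -alias "$ALIAS" -trustcacerts \
    -keystore "$ks" -storepass "$pass" -keypass "$pass" -file "$leaf"
}

# Length of the chain stored under the key alias (1 means still self-signed).
pam_chain_length() {
  ks=$1; pass=$2
  "$KEYTOOL" -list -v -alias "$ALIAS" -keystore "$ks" -storepass "$pass" 2>/dev/null \
    | sed -n 's/^Certificate chain length: //p'
}

# PAM prefers a .pfx: move the key entry and its chain into a PKCS12 file.
pam_to_pfx() {
  ks=$1; pass=$2; pfx=$3
  "$KEYTOOL" -importkeystore -srckeystore "$ks" -srcstorepass "$pass" \
    -srcalias "$ALIAS" -srckeypass "$pass" -destkeystore "$pfx" \
    -deststoretype PKCS12 -deststorepass "$pass" -destkeypass "$pass"
}

# Whole rehearsal in one work directory.
pam_demo() {
  work=$1; fqdn=$2; pass=$3
  mkdir -p "$work"
  pam_genkey "$work/xtamkeystore.jks" "$fqdn" "$pass"
  pam_certreq "$work/xtamkeystore.jks" "$fqdn" "$pass" "$work/xtam.csr"
  pam_check_csr "$work/xtam.csr" "$fqdn"
  pam_mock_ca_sign "$work" "$fqdn" "$pass"
  pam_import_chain "$work/xtamkeystore.jks" "$pass" "$work/root.crt" "" "$work/xtam.crt"
  pam_to_pfx "$work/xtamkeystore.jks" "$pass" "$work/xtam.pfx"
  echo "chain length under alias $ALIAS: $(pam_chain_length "$work/xtamkeystore.jks" "$pass")"
}

# Usage: sh pam_csr_rehearsal.sh /tmp/pamdemo pam.company.com ExamplePassw0rd
if [ "$#" -ge 1 ]; then
  pam_demo "$1" "${2:-pam.company.com}" "${3:-ExamplePassw0rd}"
fi
```

With the real Microsoft CA, skip pam_mock_ca_sign, submit xtam.csr, and feed the files it returns to pam_import_chain (passing the intermediate bundle as the fourth argument). The same keytool commands work unchanged from a Windows command prompt once the JDK is on the path.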