The Balabit’s Privileged Session Management 5 F5 Administrator Guide
6.8. Managing the certificates used on PSM

6.8.4. Procedure – Generating TSA certificate with Windows Certificate Authority on Windows Server 2012

To generate a TSA certificate with Windows Certificate Authority (CA) that works with PSM, generate a CSR (certificate signing request) on a computer running OpenSSL and sign it with Windows CA, then import this certificate into PSM for timestamping.

Prerequisites: 

A valid configuration file for OpenSSL with the following extensions:

[ tsa_cert ]
extendedKeyUsage = critical,timeStamping

The TSA certificate is considered valid, in terms of compatibility with PSM, if the following conditions are met:

The following X509v3 extensions are supported:

Steps: 

1. Create CSR using the new configuration file: openssl req -set_serial 0 -config openssl-temp.cnf -reqexts tsa_cert -new -newkey rsa:2048 -keyout timestamp.key -out timestamp.csr -nodes

2. Complete the required fields according to your environment:

   Generating a 2048 bit RSA private key
   ........................+++
   ......................................+++
   writing new private key to 'timestamp.key'
   -----
   You are about to be asked to enter information that will be incorporated
   into your certificate request.
   What you are about to enter is what is called a Distinguished Name or a DN.
   There are quite a few fields but you can leave some blank
   For some fields there will be a default value,
   If you enter '.', the field will be left blank.
   -----
   Country Name (2 letter code) [AU]:HU
   State or Province Name (full name) []:Budapest
   Locality Name (eg, city) []:Budapest
   Organization Name (eg, company) [Internet Widgits Pty Ltd]:BalaBit IT Security
   Organizational Unit Name (eg, section) []:Service Delivery
   Common Name (eg, YOUR name) []:scb35-1-i1.tohuvabohu.balabit
   Email Address []:[email protected]

3. Create and configure a time stamping web server template in the Certificate Authority, and use that to generate the TSA certificate.

   1. Start the Certification Authority Microsoft Management Console, and select the CA server.

   2. Right-click on Certificate Templates, and choose Manage.

      Figure 6.27. Managing certificate templates

      

      The Certificate Templates Console opens.

   3. Right-click on the Web Server template, and choose Duplicate Template.

      Figure 6.28. Duplicating a Template

      

      The Properties of New Template window is displayed.

   4. Make the following changes to the new template:

      • On the General tab, change the Template display name to TSA.

        Figure 6.29. Creating the new template

        

      • On the Request Handling tab, enable the Allow private key to be exported option.

      • On the Extensions tab, make the following changes:

        Edit Application Policies: 

        Select Application Policies and click Edit below the list of extensions.

        Figure 6.30. Editing Application Policies

        

        Remove Server Authentication: 

        Select Server Authentication and click Remove.

        Figure 6.31. Removing Server Authentication

        

        Add Time Stamping: 

        Click Add, select Time Stamping and click OK.

        Figure 6.32. Adding Time Stamping

        

        Make Time Stamping critical: 

        Select Time Stamping and enable the Make this extension critical option, then click OK.

        Figure 6.33. Making Time Stamping critical

        

        Time Stamping and Critical extension are listed in the Description of Application Policies.

        Figure 6.34. Description of Application Policies

        

        Edit Key Usage: 

        Select Key usage, click Edit. Enable the Signature is proof of origin (nonrepudiation) option.

        Select Allow key exchange without key encryption (key agreement).

        Click OK.

        Figure 6.35. Editing Key Usage

        

        The following are listed in the Description of Key Usage.

        Figure 6.36. Description of Key Usage

        

      • On the Security tab, select Authenticated Users, and set Enroll to Allow.

        Figure 6.37. Configuring permissions for the template

        

   5. Click Apply. Click OK. The new TSA template is now displayed in the list of templates.

      Figure 6.38. The new TSA template is now displayed in the list of templates

      

   6. Close this window and return to the Certification Authority main screen, and select the Certificate Templates folder.

      Figure 6.39. Certificate Templates

      

      Right-click under the list, and choose New > Certificate Template to Issue.

      Figure 6.40. Certificate Template to Issue

      

      The Enable Certificate Templates window is displayed.

      Figure 6.41. Enable the new template

      

   7. Select the TSA certificate template, and choose OK. Close this window.

   8. Open the command line, and issue the following command:

      certreq -submit -attrib "CertificateTemplate:TSA" <CSR>

      Replace <CSR> with the full path of the CSR created earlier (in the second step).

   9. The Certification Authority List is displayed. Select the CA.

   10. The Save Certificate window is displayed. Choose an output folder.

       The certificate is generated to the specified folder.

4. In PSM, navigate to Basic Settings > Management > SSL certificate.

5. Click next to TSA X.509 certificate, browse for the previously generated certificate, and click Upload.

6. Click next to TSA private key, browse for the previously generated key, and click Upload.

   Note
   If the root CA (the CA X.509 certificate field under Basic Settings > Management > SSL certificate) that is used for other certificates on PSM is different from the CA that was used to sign the TSA certificate, a warning is displayed. In this scenario, ignore this warning.