How to deploy a certificate issued by customer's internal Certification Authority into CA PAM?

Document ID:  TEC1761748
Last Modified Date:  06/14/2017


  • CA Privileged Access Management


  • CA Privileged Access Management:Release:2.8
  • CA Privileged Access Management:Release:2.8.1
  • CA Privileged Access Management:Release:2.8.2



The customer operates an internal Certification Authority (CA) that issues certificates to its internal servers. Because the root CA is internal, it is not trusted by standard browsers or by the JVM, and it is also unknown to CA PAM. This article describes the steps to follow to import the certificate into CA PAM properly.


The steps in this article are intended to work around the error "could not identify local issuer".




1. Export the root CA from the Certificate Authority and any intermediate CA that may be listed on the appliance certificate chain; 

2. Open the CA PAM client and navigate to Config / Security; 

3. Under Certificates, select CA Bundles and import the root CA and intermediate CA; 

4. Configure the CRL to Automatic, pointing to the rootCA CRL URL; 

5. Import the appliance certificate. Before importing, ensure that the certificate file name ends in .crt and not .cer (or anything else). After import, the certificate must be listed in CA PAM as <filename>.crt. The certificate file must also have the same name as the CSR: for example, if you used the default value, the CSR was created as default.pem, so the certificate file must be imported as default.crt.
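
The checks implied by steps 1 and 5 can be run on a workstation before importing. This is an added example, not part of the original article or CA's tooling; it assumes the `openssl` CLI, PEM-encoded files, and a bundle file holding the exported root CA plus any intermediates. All function names, file names and the demo PKI are constructed.

```shell
#!/bin/sh
# Added example: pre-import checks for the appliance certificate (step 5).
# Function names, file names and subjects are constructed for illustration.

# Name rule from step 5: file must end in .crt and share the CSR's base name.
check_name() {   # check_name CSR CERT
    csr=$(basename "$1"); crt=$(basename "$2")
    case "$crt" in *.crt) ;; *) echo "name: $crt does not end in .crt"; return 1 ;; esac
    [ "${crt%.crt}" = "${csr%.*}" ] || { echo "name: $crt does not match $csr"; return 1; }
}

# The certificate must carry the same public key as the CSR it answers.
check_key() {    # check_key CSR CERT
    k=$(openssl req -in "$1" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ] ||
        { echo "key: $2 was not issued for $1"; return 1; }
}

# The certificate must verify against the exported bundle (root + intermediates).
check_chain() {  # check_chain BUNDLE CERT
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 ||
        { echo "chain: $2 does not verify against $1"; return 1; }
}

preimport_check() {  # preimport_check BUNDLE CSR CERT
    check_name "$2" "$3" && check_key "$2" "$3" && check_chain "$1" "$3" && echo "OK: $3"
}

# Constructed demo PKI: one root CA and one certificate for the CSR default.pem.
make_demo_pki() {    # make_demo_pki DIR
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' 'prompt=no' \
        '[dn]' 'CN=Constructed Root CA' '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > "$1/ca.cnf"
    openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/root.key" -out "$1/bundle.pem" 2>/dev/null &&
    openssl req -new -config "$1/ca.cnf" -subj "/CN=pam.example.test" -newkey rsa:2048 -nodes \
        -keyout "$1/default.key" -out "$1/default.pem" 2>/dev/null &&
    openssl x509 -req -in "$1/default.pem" -CA "$1/bundle.pem" -CAkey "$1/root.key" \
        -CAcreateserial -days 1 -out "$1/default.crt" 2>/dev/null &&
    cp "$1/default.crt" "$1/default.cer"   # same certificate under a name step 5 rejects
}

# Usage: d=$(mktemp -d); make_demo_pki "$d"
#        preimport_check "$d/bundle.pem" "$d/default.pem" "$d/default.crt"
```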
