Certificate Installer
Starting with version 21.1+, you can now install and manage root and ephemeral certificates using Imprivata Customer Privileged Access Management. This feature helps you keep your certificates up-to-date and is fully configurable, allowing CPAM to handle everything for you once you set it up. After setup, CPAM will automatically install, rotate, and refresh the certificates on a set cadence. This "set-it-and-forget-it" feature saves time for both administrators and users.
If you are not using version 21.1+ but still want to use this feature, reach out to your CSM or Project Manager for special configuration options available for earlier versions.
In this case, note that you will need:
- Your own certificate(s).
- A method to distribute them (such as through Active Directory).
You can still use your web services with an expired certificate—see the instructions at the bottom of this page for more details.
General Permissions: To configure this, you must have policies in place that enable certificates on your network.
CPAM Permissions: You need admin privileges in CPAM to update the certificates.
Configuration Options
Although we recommend letting CPAM manage certificates, several configuration options are available. If you have your own self-signed certificate(s), you can choose from the following options:
- Upload your own key certificate and use the Universal Connection Manager (UCM) to distribute it.
- Upload your own certificate and do not use UCM; instead, use AD, or rely on the fact that all computers already have it installed.
- For certificate rotation, set up auto rotation and use the UCM installer to install the certificate.
- Set up auto rotation via CPAM and install the certificates manually.
If you upload your own certificates, follow these guidelines:
- The certificate must be able to sign other certificates.
- Upload both the certificate and key to the CPAM server.
- Manually rotate the certificate.
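A pre-upload check for the guidelines above, as an added example that is not Imprivata's code: it tests that a certificate is marked as a CA allowed to sign certificates, that the key file belongs to it, and that it is not about to expire. PEM-encoded input and the function names are assumptions.

```shell
#!/bin/sh
# Added example: checks to run on a self-managed CA certificate and key
# before uploading them. Assumes PEM files; function names are hypothetical.

# Succeeds only if the certificate is a CA that may sign other certificates.
can_sign_certs() {
  cs_text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
  printf '%s\n' "$cs_text" | grep -A1 'X509v3 Basic Constraints' |
    grep -q 'CA:TRUE' || return 1
  # Key Usage is optional; when present it must include Certificate Sign.
  if printf '%s\n' "$cs_text" | grep -q 'X509v3 Key Usage'; then
    printf '%s\n' "$cs_text" | grep -A1 'X509v3 Key Usage' |
      grep -q 'Certificate Sign' || return 1
  fi
  return 0
}

# Succeeds only if the private key belongs to the certificate
# (the two public keys are identical).
key_matches_cert() {
  km_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  km_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ -n "$km_cert" ] && [ "$km_cert" = "$km_key" ]
}

# Succeeds only if the certificate is still valid N days from now.
# Useful for scheduling the manual rotation.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Typical use (file names are placeholders):
#   can_sign_certs ca.pem && key_matches_cert ca.pem ca.key && valid_for_days ca.pem 30
```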
Installation Guide
Download and install the Certificate Installer by following the steps for your operating system.

MacOS
- Download the MacOS Certificate Installer from Help > Download Certificate Installer in the CPAM UI.
- After the download has finished, run the CertInstaller.dmg file.
- The application will close as soon as it has finished. The certificate must now be installed on your keychain.
Windows
- Download the Windows Certificate Installer from Help > Download Certificate Installer in the CPAM UI.
- After the download has finished, extract the files from the CertInstaller.zip file.
- Run the CertInstaller.exe file.
- The application will close as soon as it has finished. The certificate must now be installed on your root trust store.
For Linux, a manual Certificate Installation is needed.

Linux
- Download the Imprivata Root CA from Help > Download Certificate Installer in the CPAM UI.
- Open a terminal window.
- Change directory to where the certificate was downloaded.
- Linux installation may vary depending on your distribution. Check the following guide to finish the installation.
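One way to carry out the Linux steps above, as an added example that is not part of the original guide: it compares the downloaded file's SHA-256 fingerprint with a value obtained separately from your CPAM administrator, then converts it to PEM in the distribution's trust-anchor directory. The output file name and the function names are assumptions; ca.cert.der is the file name used on this page.

```shell
#!/bin/sh
# Added example: verify the downloaded root CA, then stage it for the
# system trust store. Function and output file names are hypothetical.

# Print the SHA-256 fingerprint of a DER certificate as lowercase hex, no colons.
der_fingerprint() {
  openssl x509 -inform DER -in "$1" -noout -fingerprint -sha256 2>/dev/null |
    sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# Convert the DER file to PEM inside the anchor directory, but only when the
# fingerprint matches the expected value.
# Usage: stage_root_ca <der-file> <expected-sha256> <anchor-dir>
stage_root_ca() {
  sr_got=$(der_fingerprint "$1")
  sr_want=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')
  if [ -z "$sr_got" ] || [ "$sr_got" != "$sr_want" ]; then
    echo "fingerprint mismatch, not installing: ${sr_got:-unreadable file}" >&2
    return 1
  fi
  openssl x509 -inform DER -in "$1" -out "$3/imprivata-root-ca.crt"
}

# Anchor directories and refresh commands (both steps need root):
#   Debian/Ubuntu: /usr/local/share/ca-certificates   then  update-ca-certificates
#   RHEL/Fedora:   /etc/pki/ca-trust/source/anchors   then  update-ca-trust extract
```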
MacOS
- Download the Imprivata Root CA from Help > Download Certificate Installer in the CPAM UI.
- Open a terminal window.
- Change directory to where the certificate was downloaded.
- Run the following command:
  sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ca.cert.der
Windows
- Download the Imprivata Root CA from Help > Download Certificate Installer in the CPAM UI.
- Open a CMD window.
- Change directory to where the certificate was downloaded.
- Run the following command:
  certutil.exe -addstore root ca.cert.der
Firefox
Firefox users are required to modify an enterprise policy to trust the certificate after its installation. To do so, follow these steps:
- Enter "about:config" in the address bar and continue to the list of preferences.
- Set the preference security.enterprise_roots.enabled to true.
- Restart Firefox.
The Firefox certificate store only refreshes once Firefox has been restarted. Therefore connecting to your HTTPS service, in the same browser session as your initial certificate installation, might result in a Warning or Secure Connection Failed page displaying. Restart Firefox and reconnect to continue using the installed certificate as intended.
Update Your Certificate (Step-by-Step):
If you cannot access your web services due to outdated certificates, follow the steps below to install and update your HTTP(S) certificate. You can download and install the certificates directly from the CPAM UI.
You will notice the certificate needs an update if you try to connect to a service and see a web page error with NET::ERR_CERT_INVALID. If this happens, launch the certificate installer in one of the two following ways:

- Open Help and click Download Certificate Installer.
- Select the installer for your operating system.
- Agree to the conditions.
- Click Open to allow this file to make changes on your device.
- Click Ok when prompted for administrator credentials.
- Enter your administrator credentials and click Update Settings to verify the changes made to your Certificate Trust Settings.

This option requires v21.1.7 or higher and must be enabled by our CPAM Support teams.
This method appears every 3 months, not each time you make a connection (via gatekeeper or application).
- Click Connect in the application you want to launch.
- The certificate (.dmg file) automatically downloads once you click Connect using the Universal Connection Manager button.
- Fill in the Connection Form Information fields and click Submit.
- An authorization prompt appears; enter your credentials and click Update Settings.
- After clicking Update Settings, the certificate installs. If successful, you will receive a confirmation message.
You can now access your web server or HTTP(S) service without certificate issues.
Certificates are valid for 90 days by default. After this period, you must apply them again.
If You Are Not on Version 21.1+
If you try to connect to a web service and encounter the NET::ERR_CERT_AUTHORITY_INVALID error, you can still connect to your web services.
- Click Advanced at the bottom of the screen.
- Click Proceed to SecureLink (unsafe) when it appears.
Type "thisisunsafe" in the URL field to continue. No prompt appears to type this in—just type it on your keyboard, and the web page will advance you.
If you're on version 20.4, you can install CPAM's root certificate and use it, but the UCM installer does not exist in that version.