Certificate Installer

The VPAM Certificate Installer enables you to install and manage root and ephemeral certificates. This component helps you keep your certificates up-to-date and is fully configurable, allowing your server to handle everything for you once you set it up. After setup, your server automatically installs, rotates, and refreshes the certificates on a set cadence. This "set-it-and-forget-it" feature saves time for System Administrators and users.

This feature is available in VPAM server version 21.1 or greater. If you have a previous server version, contact your Customer Service Representative for special configuration options available for earlier versions.

Requirements

To configure the certificate installer, you must have:

  • Your own certificate(s).

  • A method to distribute them, such as Active Directory.

  • Policies in place that enable certificates in your network.

  • Role of System Administrator or the relevant permissions in a custom role.

Configuration Options

This feature enable you to set the following different configuration options to manage self-signed certificates:

  • Upload and distribute certificates, and set up rotation policies with the Connection Manager and the Connection Manager Installer.

  • Pull and distribute certificates with Active Directory.

  • Set up a rotation policy in the server and install certificates manually.

IMPORTANT:
If you upload your certificates ensure that the certificate is able to sign other certificates. you upload the certificate and its key to your VPAM server, and you manually rotate the certificate. This page contains information on this topics.

Installation Guide

You can install the certificate installer automatically or manually on MacOS and Windows operating systems. Linux distributions only enable manual installation.

To automatically install the Certificate Installer in MacOS:

  1. Navigate to Help > Download Certificate Installer.

  2. Download the MacOS Certificate Installer.

  3. Run the CertInstaller.dmg file.
    The application closes when the installation finishes.

  4. Verify that the certificate is installed on your keychain.

To automatically install the Certificate Installer in Windows:

  1. Navigate to Help > Download Certificate Installer.

  2. Download the Windows Certificate Installer.

  3. Extract the files from the CertInstaller.zip file.

  4. Run the CertInstaller.exe file.
    The application closes when the installation finishes.

  5. Verify that the certificate is installed on your root trust store.

To manually install the Certificate Installer:

  1. Navigate to Help > Download Certificate Installer.

  2. Download the Imprivata Root CA.

  3. Open your terminal or console (depending on your OS.)

  4. Open the directory that contains the downloaded Imprivata Root CA.

  5. Run the following command, depending on your OS:

    • For MacOS:
      sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ca.cert.der

    • For Windows:
      certutil.exe -addstore root ca.cert.der

    • For Linux:
      Consult the Linux (Ububtu, Debian) section of Adding trusted root certificates to the server.

Firefox users are required to modify an enterprise policy to trust the certificate after its installation. To do so, follow the next steps:

  1. Enter about:config in the address bar and continue to the list of preferences.

  2. Set the preference security.enterprise_roots.enabled to true.

  3. Restart Firefox.

The Firefox certificate store only refreshes once Firefox has been restarted. Therefore connecting to your HTTPS service, in the same browser session as your initial certificate installation, might result in a Warning or Secure Connection Failed page displaying. Restart Firefox and reconnect to continue using the installed certificate as intended.

Update Your Certificates

If you cannot access your web services due to outdated certificates, follow the steps below to install and update your HTTP(S) certificate. You can download and install the certificates directly from the UI.

You will notice the certificate needs an update if you try to connect to a service and see a web page error with NET::ERR_CERT_INVALID. If this happens, launch the Certificate Installer in one of the two following ways:

  1. Open Help and click Download Certificate Installer.

  2. Select the installer for your operating system.

  3. Agree to the conditions.

  4. Click Open to allow this file to make changes on your device.

  5. Click Ok when prompted for administrator credentials.

  6. Enter your administrator credentials and click Update Settings to verify the changes made to your Certificate Trust Settings.

This option requires v21.1.7 or higher and must be enabled by our VPAM Support teams.

NOTE:

This method appears every 3 months, not each time you make a connection (via gatekeeper or application).

  1. Click Connect in the application you want to launch.

  2. The certificate (.dmg file) automatically downloads once you click Connect using the Connection Manager button.

  3. Fill in the Connection Form Information fields and click Submit.

  4. An authorization prompt appears—enter your credentials and click Update Settings.

  5. After clicking Update Settings, the certificate installs. If successful, you will receive a confirmation message.

You can now access your web server or HTTP(S) service without certificate issues.

NOTE:

Certificates are valid for 90 days by default. After this period, you must apply them again.

Certificate Installer in Previous Versions

If you try to connect to a web service and encounter the NET::ERR_CERT_AUTHORITY_INVALID error, you can still connect to your web services.

  1. Click Advanced at the bottom of the screen.

  2. Click Proceed to SecureLink (unsafe) when it appears.

NOTE:

Type "thisisunsafe" in the URL field to continue. No prompt appears to type this in—just type it on your keyboard, and the web page will advance you.

If you're on version 20.4, you can install your server's root certificate and use it, but the Connection Manager installer does not exist in that version.