Providing the correct certificate files is essential to getting your IdentityNow vanity URL running as quickly as possible. Please read the following sections carefully before proceeding.
WARNING: Errors related to certificates can cause significant delays.
Preferred method: SailPoint Can Provide You a Certificate Free of Charge to You through Amazon Certificate Authority
Prerequisite: You have the ability to either 1) receive and approve certificate verification e-mail from your domain's owner/administrator address that is in file with your registrar, or 2) insert special records in your DNS for certificate validation purposes.
If you meet the above prerequisite and wish to choose this option, simply notify the support engineer, we'll take over from there.
Bring Your Own Certificate - Best Practice: SailPoint Generates the Certificate Signing Request (CSR)
As a best practice, IdentityNow recommends allowing our team to generate the TLS Certificate Signing Request (CSR) for your IdentityNow vanity URL.
This ensures that all the required data is generated quickly and correctly and saved for all parties that need it.
NOTE: If this option cannot be accommodated by your corporate policies, see Alternate Option: Your Company Generates the Cert.
Complete the following steps:
1. Collect the following required information:
| Parameter |
Example |
Your Site's Information |
|
Country (C):
|
US |
|
|
State (ST):
|
TX |
|
|
City (L):
|
Austin |
|
|
Company (O):
|
Acme |
|
|
Department (OU):
|
IT |
|
|
*Production IDN vanity domain (CN):
|
login.acme.com |
|
|
*Sandbox IDN vanity domain (Optional):
|
login-sandbox.acme.com |
|
*IMPORTANT: All URLs must be unique. Append "sandbox" as needed is the simplest method to meet this requirement.
2. Send the completed table to IdentityNow support by including it in a support case.
3. Our team generates the certificate and key and CSR.
4. We send you the CSR so that you can sign it.
5. You sign the CSR and return the certificate to us.
Bring Your Own Certificate - Alternate Options: Your Company Generates the Certificate
The alternate process is provided for customers whose corporate policies prevent you from allowing us to generate the certificate and key.
IMPORTANT! Requirements Specific to Generating Certificates
Sending the correct cert files is essential to getting your IdentityNow site running as expected. Please read the following carefully before proceeding.
CAUTION: We prefer to have minimal data in the form of TLS certificates isolated only to the environment we will be hosting for you. Therefore, please do not provide us your root or wildcard certificates, as this is generally bad practice to share these externally. There are various “man in the middle” type of attacks that could maliciously forge your websites or intercept and decrypt traffic if a bad actor were able to access these.
Prerequisites include:
- A publicly trusted Certifying Authority who provides TLS certificates, along with their intermediate certificates
- Certificate must have a 2048-bit key size
- For creating a PFX file from windows server:
- For PEM format, we need two files for each domain
- Certificate file which contains the lines: -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
- Private key file which contains the lines: -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----
NOTE: If you are not sure how to locate your private key, please click here for information about how they are generated. This might help you determine the person or department who would have ready access to it.
Complete the following steps:
1. Generate the certificate and key. See IMPORTANT! Requirements Specific to Generating Certificates for details.
2. Send it to IdentityNow support by including it in a support case.
Frequently Asked Questions
Refer to the following frequently asked questions for more information about certs:
Why can't I give you a wildcard cert?
Can I use a self-signed cert?
How do I update my cert?
- Why can't I give you a wildcard cert?
Please do not provide us your root or wildcard certificates, as it is generally a bad practice to share these externally. There are various “man in the middle” type of attacks that could maliciously forge your websites or intercept and decrypt traffic if a bad actor were able to access these.
- Can I use a self-signed cert?
No, SSL/TLS certs must use a publicly trusted CA as the signing certificate to prevent untrusted error messages. Examples include Verisign and Thawtez among others.
Please open a support ticket for assistance.
