PMC Certificates Generated During Installation

Several certificates are generated as part of the PMC installation.

The PMC deployment process generates the following certificates:

  • SSL (for evaluation deployments only)
  • PMC Configuration Encipherment
  • PMC Tenant Certificate Authority
  • PMC Tenant Service Identity
  • PMC Cluster Admin
  • PMC Root

This document details where to install these certificates for your PMC deployment.

For more information on the certificate chain, please see Certificate Chain in Privilege Management Console.

SSL

An SSL certificate is required to secure communication to PMC. PMC uses SSL to secure the communication for the PMC cluster. The deployment script can generate an SSL certificate to be used for evaluation deployments; however, for production deployments you must provide your own SSL certificate.

The use of an SSL certificate that contains a wildcard is not supported for production deployments. You must supply your own SSL certificate for a production deployment with the appropriate domain.

Generating an SSL certificate is only supported for evaluation deployments, because the generated certificate is not rooted in a public certificate authority that Windows or Mac trusts.

PMC Configuration Encipherment

This certificate is used to encrypt and decrypt data for Service Fabric Cluster and PMC. It is required to manually encrypt strings for the web portal and Service Fabric cluster.

PMC Tenant Certificate Authority

This is the issuing certificate authority (CA) for the Tenant Service Identity certificate and the Tenant Endpoint Identity certificates, and it also validates them. Without it, the endpoints cannot obtain certificates to authenticate with the service. The private key strength is set to the recommended 4096-bit size.

PMC Tenant Service Identity

This certificate represents the identity of the PMC service. It is installed onto each role in the PMC service cluster. Internal communication between roles in the PMC cluster is secured using short-lived authentication tokens. This certificate is used to sign and validate these tokens.

PMC Cluster Admin

This certificate is used to secure the Microsoft Azure Service Fabric cluster. It is required to view the health of your Service Fabric dashboard.

PMC Root

As the root of the chain, this identity forms the trust anchor for subordinate elements. It is the issuer of the Tenant Certificate Authority. The private key strength is set to the recommended 4096-bit size.

Certificate Chain in Privilege Management Console

PMC certificate chain

PMC uses certificate-based security to ensure identity and communications security. The image depicts the relationship of the certificates used in the system. Customers are expected to use certificates generated by the deployment tool. This information is provided for transparency and to assist where certificates created outside the PMC deployment tool are desired.
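As an added example that is not part of this documentation or of the PMC deployment tool, the following shell script performs the pre-flight checks a deployer would want before using certificates created outside the tool: that the PMC Root and Tenant Certificate Authority carry CA:TRUE with 4096-bit keys and that a Tenant Service Identity certificate validates up the chain, and that a customer-supplied production SSL certificate has no wildcard name and chains to a CA bundle the clients already trust. It assumes PEM-encoded files and an openssl binary on the PATH; all file names are placeholders.

```shell
#!/bin/sh
# Pre-flight checks for PMC certificates created outside the deployment tool
# (added example, not PMC tooling). Assumes PEM files and openssl on PATH.

# Bit length of the certificate's RSA public key (empty if not RSA).
key_bits() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Succeeds if the certificate asserts Basic Constraints CA:TRUE.
is_ca() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Succeeds if neither the subject CN nor any DNS SAN is a wildcard.
no_wildcard() {
  ! openssl x509 -in "$1" -noout -text 2>/dev/null | grep -Eq 'CN ?= ?\*|DNS:\*'
}

# PMC Root -> Tenant CA -> Tenant Service Identity: both CAs must carry CA:TRUE
# with 4096-bit keys, and the leaf must validate to the Root via the Tenant CA.
check_pmc_chain() {
  root=$1; tenant_ca=$2; leaf=$3
  for ca in "$root" "$tenant_ca"; do
    is_ca "$ca" || { echo "$ca: missing CA:TRUE"; return 1; }
    bits=$(key_bits "$ca")
    [ "${bits:-0}" -ge 4096 ] || { echo "$ca: ${bits:-non-RSA} key, need 4096"; return 1; }
  done
  openssl verify -CAfile "$root" -untrusted "$tenant_ca" "$leaf" >/dev/null 2>&1 \
    || { echo "$leaf: does not chain to $root via $tenant_ca"; return 1; }
  echo "chain OK"
}

# Production SSL certificate: no wildcard names, and it must chain to a CA bundle
# the clients already trust (pass the OS or public bundle as $2, issuer chain as $3).
check_ssl_cert() {
  cert=$1; bundle=$2; chain=${3:-}
  no_wildcard "$cert" || { echo "$cert: wildcard not supported in production"; return 1; }
  openssl verify -CAfile "$bundle" ${chain:+-untrusted "$chain"} "$cert" >/dev/null 2>&1 \
    || { echo "$cert: does not chain to a trusted CA"; return 1; }
  echo "ssl OK"
}
```

Run it as `check_pmc_chain root.pem tenant-ca.pem service-identity.pem` or `check_ssl_cert pmc-ssl.pem trusted-bundle.pem issuer-chain.pem`; each check prints the first requirement that fails and returns non-zero.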