Create a PFX File for Use With Endpoint Privilege Management for Windows

The Endpoint Privilege Management for Windows settings console requires access to a certificate and private key to digitally sign XML configuration. They must be contained in a PFX or PKCS#12 format file, and the certificate must specifically be designated as suitable for signing Endpoint Privilege Management for Windows XML configuration. This is done via the Enhanced Key Usage extension when generating certificates.

This approach provides another means of ensuring configuration cannot be created and signed by rogue users with access to a digital signature certificate intended for a different purpose.

BeyondTrust has defined the following OID that should be added to the Enhanced Key Usage extension:

1.2.826.0.1.6538381.1.1.1 (Avecto Privilege Guard - Configuration - XML Configuration Signing)

The Endpoint Privilege Management for Windows settings console does not check for the existence of this key usage. The checks are performed when verifying digital signatures in the Endpoint Privilege Management for Windows service. A configuration that is signed with a key that does not contain the specified Enhanced Key Usage extension always fails signature verification checks.

The following sections provide details of two methods that can be used to generate a suitable PFX file, but it should be possible to use any Certification Authority to produce certificates with the appropriate Enhanced Key Usage extension.