Create and Edit Signed Settings

To digitally sign Privilege Management for Windows settings, a PFX file containing an appropriate certificate and private key must be supplied, alongside the corresponding password for the PFX file.

For settings to be correctly signed, the certificate must have an OID that is specific to BeyondTrust Privilege Management for Windows. The chain of trust and revocation status is also checked by Privilege Management for Windows. If the settings have been tampered with since signing, the settings also fail the signing check.

To digitally sign the Privilege Management for Windows settings:

  1. Select the BeyondTrust Settings node.
  2. Right-click and select Digitally Sign.
  3. The Digitally sign your BeyondTrust Settings wizard appears.
  4. Check the Sign the settings with the following private key option.
  5. Click the Select key button and browse for the PFX file that contains the digital certificate.
  6. Enter the password for the PFX file.
  7. Click Finish.

To remove the digital signature from the Privilege Management for Windows settings:

  1. Select the Privilege Management Settings node.
  2. Right-click and click Digitally Sign.
  3. The Digitally sign your Privilege Management Settings wizard appears.
  4. Select the Do not sign the settings option.
  5. Click Finish.

Once the Privilege Management for Windows settings are digitally signed, the Privilege Management Policy Editor prompts the administrator for the corresponding PFX password when the settings are opened.

Signed Privilege Management Settings dialog box

To modify the signed settings, you must enter a valid password for the PFX. Alternatively, you can select to remove the certificate from the settings, or open the settings in Read Only mode. Canceling this prompt automatically opens the settings in Read Only mode.

 

For more information about creating certificates suitable for use with Privilege Management for Windows, please see Create a PFX File for Use With Privilege Management for Windows .