10-20-2017 09:09 AM
Welcome to the community @Rooster_2014! I've asked your account team to reach out to you directly. Please do not hesitate to send me a private message if you have any additional questions.
10-23-2017 07:18 AM
If you're a customer of the SaaS service, please read the information on the trust site (www.centrify.com/trust). In short, the minimum algorithm is SHA256 and we use the internal CA for each tenant as an additional confidentiality mechanism (encryption at rest and encryption in transit + publicly rooted SSL cert).
Note that privilege service can also be deployed on premises and it's important to keep in mind that:
a) During Privilege Service setup, an internal CA is created and various certificates are automatically put in place
b) Just like the SaaS version, long-expiration courtesy certs are generated, such as an application signing certificate that is used for SAML assertions; note that you can use your own.
c) The Internal CA certificates can be leveraged by the connectors for services that rely on SPNEGO over HTTPS (for example, MFA).
d) A certificate provided by the customer (with the private key) is needed for encryption in transit using the service name (the DNS name) for the service address (e.g. safe.example.com). The algorithm/expiration depends on what the customer brings to the table.
e) If Smart Card authentication is required, the service certificate (from step d) should also have the serviceaddress+zso DNS subject alternative name.
f) Integration with your own internal CA: You can integrate your own internal CA by providing the root CA cert and the complete trust chain (with a properly deployed PKI).
- Encryption at rest (e.g. tenant certificate) - this is to provide the assurance that only each independent tenant can read its own data. In the case of privilege service on premises, encryption to the database service.
- Encryption in transit - SSL/TLS (1.2+) - depending on the application we may be doing double-encryption (SSL + encrypted payload).
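The post above lists what the customer-supplied service certificate (steps d, e and f) has to satisfy: it must chain to the trust chain you import, be signed with SHA256 or stronger, carry the service address and, for smart card logon, the zso name as DNS SANs, and come with its private key. The script below is an added example, not Centrify's code and not from the original post; it builds a throwaway internal CA with OpenSSL and runs those checks on two constructed leaf certificates, one correct and one missing the zso SAN. `safe.example.com` is taken from the post; the exact form of the zso name (`zso.safe.example.com` here) and every file name are assumptions, so substitute whatever your deployment documentation specifies.

```shell
#!/bin/sh
# Added example, not from the Centrify post: build a throwaway internal CA plus
# service certificates, then run the checks a practitioner would run on the
# customer-supplied cert before Privilege Service setup. All names are assumed.
set -e

SERVICE_ADDRESS="safe.example.com"   # service (DNS) name used in the post
ZSO_NAME="zso.${SERVICE_ADDRESS}"    # assumed shape of the "serviceaddress+zso" SAN
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Sign a leaf cert (file prefix $1) carrying the DNS SANs given in the remaining args.
issue_leaf() {
  prefix="$1"; shift
  sans=""
  for name in "$@"; do sans="${sans:+$sans,}DNS:$name"; done
  openssl genrsa -out "$WORK/$prefix.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$prefix.key" -sha256 \
      -subj "/CN=$SERVICE_ADDRESS" -out "$WORK/$prefix.csr" 2>/dev/null
  printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\n' "$sans" > "$WORK/$prefix.ext"
  openssl x509 -req -in "$WORK/$prefix.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
      -CAcreateserial -sha256 -days 825 -extfile "$WORK/$prefix.ext" \
      -out "$WORK/$prefix.crt" 2>/dev/null
}

# Constructed test PKI: one internal CA, one cert with both SANs, one without zso.
make_test_pki() {
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORK/ca.key" -sha256 -days 3650 \
      -subj "/CN=Example Internal CA" -out "$WORK/ca.crt" 2>/dev/null
  issue_leaf svc   "$SERVICE_ADDRESS" "$ZSO_NAME"
  issue_leaf nozso "$SERVICE_ADDRESS"
}

# (f) Chain: the leaf must validate against the root/intermediate bundle you import.
check_chain() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# SHA256 minimum: reject a weaker digest in the certificate signature.
check_sig_alg() {
  openssl x509 -in "$1" -noout -text | grep 'Signature Algorithm' | head -n1 \
      | grep -Eq 'sha(256|384|512)'
}

# (d)/(e) SANs: $1 = cert, remaining args = DNS names that must all be present.
check_san() {
  cert="$1"; shift
  sans="$(openssl x509 -in "$cert" -noout -text \
          | grep -A1 'Subject Alternative Name' | tail -n1)"
  for name in "$@"; do
    printf '%s\n' "$sans" | grep -Eq "DNS:${name}"'(,|[[:space:]]|$)' || return 1
  done
}

# (d) The customer supplies the private key too: confirm it belongs to this cert.
check_key_match() {
  [ "$(openssl x509 -in "$1" -noout -modulus)" = \
    "$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)" ]
}

# Expiration is whatever the customer brings; at least confirm it is valid right now.
check_validity() { openssl x509 -in "$1" -noout -checkend 0 >/dev/null; }

report() { if "$@"; then echo "PASS: $1 $2"; else echo "FAIL: $1 $2"; fi; }

make_test_pki
report check_chain     "$WORK/ca.crt"    "$WORK/svc.crt"
report check_sig_alg   "$WORK/svc.crt"
report check_san       "$WORK/svc.crt"   "$SERVICE_ADDRESS" "$ZSO_NAME"
report check_san       "$WORK/nozso.crt" "$SERVICE_ADDRESS" "$ZSO_NAME"   # expected FAIL
report check_key_match "$WORK/svc.crt"   "$WORK/svc.key"
report check_validity  "$WORK/svc.crt"
```

Point `check_chain` at the bundle you intend to import (root plus any intermediates, step f) and `check_san` at the real certificate; the `nozso` case shows what a certificate that only covers the service address looks like when smart card logon is in scope. The TLS 1.2+ requirement for transit is a property of the listener rather than the certificate and is checked separately against the running service.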