By default, CyberArk Vault server will use self-signed certificate. There is an option to deploy CA signed certificate to be used to create a secure channel to a client. In this way, users can authenticate to the thrid party securely.
If you saw this message on your vault server console, you are using self-signed certificate:
“ITATP044W Security warning – Vault certificate is self-signed, It’s recommended to use a CA signed certificate with the Vault’s configuration”
Note: If you have DR vault, you will have to repeat this following process to DR server as well.
Generate a Cert Signing Request for the Vault
This procedure creates a private key on the Vault server and a Certificate Signing Request (CSR) to be signed by your organization’s SSL.
- Navigate to the Vault Server installation folder (by default: c:\Program Files (x86)\PrivateArk\Server).
- Open CMD as administrator.
-
Run the following command to create a new Certificate Signing Request (CSR):CACert.exe request
- Name of the request output file – The file name of the request for the Vault Server.
-
Private key output file – The file name of the private key for the Vault Server.Enter a path that is different from the default path.
- Common Name – The Vault Server common name.
-
Subject Alternative Names – List of Subject Alternative Names including the hostname and IP addresses. If the Vault is in a Cluster architecture, enter both the private and virtual IP address.You can enter multiple alternative DNS and/or IP values in the Subject Alternative Names field. The format is <field name>:<alternative_name>,<field name>:<alternative_name>. For example, dns:hostname,ip:10.10.10.10,ip:11.11.11.11
- Provide the CSR to your organization’s Certificate Authority (CA).
Install your Vault Server Organization SSL Cert
This procedure installs your signed organizational SSL certificate on the Vault application.
|
The signed certificate and the chain certificate must be in base-64 format.
|
- Transfer the Vault certificate to the Vault Server.
- If you use Session Management in Distributed Vaults, transfer the Certificate Chain to the Vault Server.
- Back up the current server private key. The path to the key can be found in the ServerPrivateKey parameter in DBParm.ini.
- Replace the existing server private key file with the new private key created above.
- Navigate to the Vault Server installation folder (by default, c:\Program Files (x86)\PrivateArk\Server).
- Open CMD as administrator.
- Run the following command:
CACert.exe install
Specify the path to the Vault Server certificate.
- Restart the Vault Application.
References
- CACert (PAS v11.5)
Appendix
C:\Program Files (x86)\PrivateArk\Server>CACert.exe /?
Usage: CACert <command> [command parameters]
If no command parameter is specified, you will be prompted for input.
CACert commands:
request - Prepares certificate signing request (CSR) file
install - Installs certificate to be used by the vault
uninstall - Uninstalls the current vault certificate
import - Imports and installs a certificate from a ".pfx" file
show - Shows current vault certificate information
renew - Renews the current vault certificate
setca - Handles CA certificates store
Option preceeded with '*' is mandatory
"request" command options:
* /ReqOutFile - Name of the request output file
/ReqOutPrvFile - Private key output file (default is server private key)
/KeyBitLen - Bit length of output private key (default is 2048)
/Country - Country Name (2 letters code)
/State - State or Province Name (full name)
/Locality - Locality Name (eg, city)
/Org - Organization Name (eg, company)
/OrgUnit - Organizational Unit Name (eg, section)
* /CommonName - Common Name (eg, DNS name of the vault)
/SubjAlt - Subject alternative names (eg, "DNS:www.cyber-ark.com, IP:1
92.168.41.1")
"install" command options:
* /CertFileName - Full path of the certificate file to install
"uninstall" command options:
/Quiet - Uninstalls the vault certificate without user confirmation
"import" command options:
* /InFile - Full path of the file that contains the key and certificate
to import (.pfx)
/Password - Password of the .pfx file
"show" command options:
/OutFormat - Output format: TEXT, PEM OR DER (default is TEXT)
"renew" command options:
* /RenOutFile - Certificate renewal output file name
"setca" command options:
/CertStore - Certificate store to work with. If parameter is ommited, th
e vault trusted client CA's store is selected
/List - Lists subjects of certificates in a store
/Add - Name of certificate file to add to the store
/Remove - Name of certificate file to remove from the store
C:\Program Files (x86)\PrivateArk\Server>
from Blogger http://blog.51sec.org/2020/07/replace-cyberark-vault-server-self.html