This post summarizes the steps to renew / update the certificate used by CyberArk PAM solutions.
Check your local computer’s installed certificate:
Docs:
- https://docs.cyberark.com/ispss-deployment/latest/en/Content/Privilege%20Cloud/PrivCloud-Certs4PSMs.htm
- On the PSM server, open the Microsoft Management Console (MMC).
- Click File > Add/Remove Snap-in.
- On the Add or Remove Snap-in page, in the left pane, under Available snap-ins, select Certificates and then click Add.
- On the Certificate Snap-in page, select Computer account, and then click Finish.
- On the Add or Remove Snap-in page, click OK.
- Under Console Root > Certificates > Personal, right-click Certificates, then select All Tasks > Request New Certificate.
- On the Certificate Enrollment page, select the Active Directory Enrollment Policy.
- On the Certificate Enrollment page, select the Computer check box, expand Details, and click Properties.
- On the Certificate Properties page, select the Private Key tab, and do the following:
  - Select Make private key exportable.
  - Select Strong private key protection.
  - Set Key size to 4096.
  We highly recommend using a key size larger than 4096 bits. Only use a lower key size for compatibility reasons.
  Note: this step does not work with the Computer (Machine) certificate template. Use a Web Server template to sign this certificate instead.
- On the Extensions tab, under Extended Key Usage (application policies), make sure that only Server Authentication is listed in the Selected options list.
- On the Certificate Authority tab, select the CA to sign the certificate.
- Click OK to confirm the changes to the certificate properties, and then click Enroll.
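Once enrollment finishes, it is worth checking from the shell that the certificate that landed in the computer's Personal store actually has the properties the steps above ask for (4096-bit key, Server Authentication as the only EKU, a private key, a name that matches the PSM address, and a chain the machine trusts). The script below is an added example written for this post, not something from the CyberArk documentation; it assumes an elevated Windows PowerShell session on the PSM server, and the `$PsmFqdn` value is a placeholder to replace with the name users connect to.

```powershell
# Added check script (not from the CyberArk docs): verify the certificate enrolled
# into Cert:\LocalMachine\My meets the requirements listed in the enrollment steps.
# Assumes an elevated Windows PowerShell session on the PSM server.
param(
    [string]$PsmFqdn = 'psm01.example.com'   # placeholder: the FQDN the PVWA "Address" property will use
)

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Extended Key Usage: Server Authentication

function Test-PsmCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Key size via the RSA public key (works in both Windows PowerShell and PowerShell 7)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    $keySize = if ($rsa) { $rsa.KeySize } else { 0 }

    # Extended Key Usage extension (OID 2.5.29.37): the doc wants Server Authentication only
    $ekuExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekus = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # Subject Alternative Name extension (OID 2.5.29.17) rendered as text, e.g. "DNS Name=psm01.example.com"
    $sanExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
    $escaped = [regex]::Escape($PsmFqdn)

    [pscustomobject]@{
        Thumbprint        = $Cert.Thumbprint
        Subject           = $Cert.Subject
        NotAfter          = $Cert.NotAfter
        DaysLeft          = [int]($Cert.NotAfter - (Get-Date)).TotalDays
        HasPrivateKey     = $Cert.HasPrivateKey
        KeySizeOk         = ($keySize -ge 4096)
        OnlyServerAuthEku = ($ekus.Count -eq 1 -and $ekus[0] -eq $ServerAuthOid)
        NameMatches       = ($Cert.Subject -match "CN=$escaped" -or $sanText -match $escaped)
        ChainTrusted      = $Cert.Verify()   # builds the chain against the machine's trusted roots, revocation included
    }
}

# Report every certificate with a private key whose name matches the PSM address
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object { Test-PsmCertificate -Cert $_ } |
    Where-Object { $_.NameMatches } |
    Format-List
```

If `OnlyServerAuthEku` comes back false, the certificate was issued from a template that adds Client Authentication (the Computer template does), which is the situation the note above warns about; re-enroll from the Web Server template rather than editing the EKU afterwards.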
Submit a Certificate Request or Renewal Request
1. Log into your CyberArk PSM server with a proper user account (it might require domain admin privilege to see your Web Server template).
Change the template security to make sure authenticated users are able to enroll the certificate.
6. You will need the PFX format to import into your CyberArk PSM server's Remote Desktop certificate section.
8. Import this certificate into Remote Desktop Services Deployment Certificates twice:
PVWA Certificate
An SSL certificate must be installed on the Web server in order to have a secure channel between the PVWA machine and the Internet browser. If the default website is not protected by a certificate, an error will appear in the browser indicating that the website is not trusted.
As a part of the Prerequisites script, a self-signed certificate is created. We recommend that you replace this certificate with a trusted certificate after installation.
RDP Certificate
RDP connections to the PSM machine with SSL
Users can configure secure RDP connections to the PSM machine using an SSL connection.
- On the PSM server, run gpedit.msc to set the security layer.
- Navigate to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security.
- Open the Security setting, Set client connection encryption level.
- In the Options area, from the Encryption Level drop-down list, select High Level.
- Click OK to save your settings.
- Open the Security setting, Require use of specific security layer for remote (RDP) connections.
- In the Options area, from the Security Layer drop-down list select:

| OS | Security Layer |
| --- | --- |
| Windows 2019 | TLS |
| Windows 2016 | SSL |
| Windows 2012 R2 | SSL (TLS 1.0) |

- Click OK to save your settings.
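The two gpedit settings above end up as registry values, and the certificate the RDP listener presents is a WMI property, so both can be verified (and the listener certificate bound) without clicking through the console. The script below is an added example for this post, not CyberArk's own tooling; it assumes Windows PowerShell 5.1 (for `Get-WmiObject`) running elevated on the PSM server, and `$Thumbprint` is a placeholder for the thumbprint of the server certificate enrolled earlier.

```powershell
# Added verification/binding script, not from the CyberArk docs. Assumes Windows
# PowerShell 5.1 running elevated on the PSM server; $Thumbprint is a placeholder.
param(
    [string]$Thumbprint = 'PLACEHOLDER_THUMBPRINT'   # SHA-1 thumbprint of the enrolled server certificate
)

function Get-RdpSecurityState {
    # Group Policy (gpedit) writes the policy key; the listener key holds the effective local value
    $policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $policy   = Get-ItemProperty -Path $policyKey   -ErrorAction SilentlyContinue
    $listener = Get-ItemProperty -Path $listenerKey -ErrorAction SilentlyContinue

    # SecurityLayer: 0 = RDP, 1 = Negotiate, 2 = SSL/TLS (the "TLS" / "SSL" choice in the table above)
    # MinEncryptionLevel: 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS
    $secLayer = if ($null -ne $policy.SecurityLayer) { $policy.SecurityLayer } else { $listener.SecurityLayer }
    $encLevel = if ($null -ne $policy.MinEncryptionLevel) { $policy.MinEncryptionLevel } else { $listener.MinEncryptionLevel }

    # The RDP-Tcp listener's bound certificate lives in the TerminalServices WMI namespace
    $ts = Get-WmiObject -Namespace root\cimv2\TerminalServices -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"

    [pscustomobject]@{
        SecurityLayer          = $secLayer
        SecurityLayerIsTls     = ($secLayer -eq 2)
        MinEncryptionLevel     = $encLevel
        EncryptionIsHigh       = ($encLevel -ge 3)
        ListenerCertThumbprint = $ts.SSLCertificateSHA1Hash
    }
}

function Set-RdpListenerCertificate {
    param([string]$Thumbprint)
    # The certificate must sit in Cert:\LocalMachine\My together with its private key
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }
    $ts = Get-WmiObject -Namespace root\cimv2\TerminalServices -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    Set-WmiInstance -Path $ts.__PATH -Arguments @{ SSLCertificateSHA1Hash = $cert.Thumbprint } | Out-Null
}

$before = Get-RdpSecurityState
$before | Format-List
if ($before.ListenerCertThumbprint -ne $Thumbprint) {
    Set-RdpListenerCertificate -Thumbprint $Thumbprint
    Get-RdpSecurityState | Format-List   # re-read to confirm the listener now presents the new certificate
}
```

`SecurityLayerIsTls` and `EncryptionIsHigh` should both be true after the gpedit changes; if the policy values are absent the script falls back to the listener's local values, which is what applies when no GPO sets them.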
- In the PVWA, update all the active connection components to enable RDP over SSL connections to the PSM machine. For example, for PSM SSH connections, update PSM-SSH.
- To support Live Session connections, update the target connection component.
- Log onto the PVWA as an administrative user.
- In the System Configuration page, click Options, then expand the Connection Components.
- In each active connection component, add a new Component Parameter.
- In the Component Parameter properties, add a new parameter with the following values:
  - Name – The name of the component parameter.
    - For connections with ActiveX, specify AdvancedSettings4.AuthenticationLevel.
    - For connections with RDP files, specify authentication level:i.
    - Add both parameters to use both methods.
  - Value – The value of this parameter name. Specify 1.
- Click Apply to apply the new configurations and stay in the Options page.
Connections to the PSM require a certificate on the PSM machine. By default, Windows generates a self-signed certificate, but you can use a certificate that is supplied by your enterprise.
- Expand the Privileged Session Management parameters and then expand Configured PSM Servers.
- Expand Connection Details, and select Server; the Server Properties are displayed.
- In the Address property, specify the certificate common name.
- Click Apply to apply the new configurations, or click OK to save the new configurations and return to the System Configuration page.
- In the Privileged Session Management parameters, make sure that the PSM address specifies the exact common name of the certificate.
- On the client machines, make sure that the PSM machine certificate is signed by a trusted CA.
RDP connections to target machines with SSL
Users can configure secure PSM-RDP connections to target machines by verifying the target machine before connecting to it and encrypting the session, using an SSL connection. To facilitate this type of connection, the target machine must have its own certificate. The PSM server machine must trust the CA that signed the certificate used by the target machine.
Before configuring secure RDP connections with SSL
- Import the CA certificate that signed the certificate used by the target machine into the Windows certificate store on the PSM server machine: Certificates (Local Computer)/Trusted Root Certification Authorities.
- The PSM server must be able to access the CRL (Certificate Revocation List) from the CRL Distribution Points in the certificate.
- By storing the certificate in this location, all users will be able to access the remote machine using an authenticated connection.
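Both prerequisites (CA imported into Trusted Root, CRL reachable from the PSM) can be checked from the PSM server before touching the PSM-RDP connection component. The script below is an added example for this post, not part of the CyberArk documentation; it assumes an elevated PowerShell session on the PSM server with the built-in PKI module, and the three path/name parameters are placeholders: the issuing CA certificate and the target machine's RDP certificate exported as .cer files, and the target address as it appears in the platform.

```powershell
# Added prerequisite check, not from the CyberArk docs. Run elevated on the PSM server.
# All three parameters are placeholders to replace with real values.
param(
    [string]$CaCertPath     = 'C:\temp\issuing-ca.cer',    # placeholder: CA that signed the target's certificate
    [string]$TargetCertPath = 'C:\temp\target-rdp.cer',    # placeholder: target machine's RDP certificate (.cer export)
    [string]$TargetFqdn     = 'target01.example.com'       # placeholder: address used for the PSM-RDP connection
)

function Import-TrustedCa {
    param([string]$Path)
    # Certificates (Local Computer)\Trusted Root Certification Authorities, the store the doc requires
    $imported = Import-Certificate -FilePath $Path -CertStoreLocation Cert:\LocalMachine\Root
    return $imported.Thumbprint
}

function Get-CrlUrls {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # CRL Distribution Points extension (OID 2.5.29.31); Format($true) renders each point as "URL=..."
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    return @([regex]::Matches($ext.Format($true), 'URL=(https?://\S+)') | ForEach-Object { $_.Groups[1].Value })
}

function Test-CrlReachable {
    param([string]$Url)
    # A HEAD request is enough to prove the PSM can reach the distribution point
    try {
        $r = Invoke-WebRequest -Uri $Url -Method Head -UseBasicParsing -TimeoutSec 10
        return ($r.StatusCode -eq 200)
    } catch { return $false }
}

function Test-TargetRdpCertificate {
    param([string]$CertPath, [string]$Fqdn)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
    $crlResults = foreach ($u in Get-CrlUrls -Cert $cert) {
        [pscustomobject]@{ Url = $u; Reachable = (Test-CrlReachable -Url $u) }
    }
    # Test-Certificate (PKI module) builds the chain with online revocation checking; with
    # -Policy SSL it also requires the DNS name and the Server Authentication EKU to match,
    # which is the same check the PSM performs at AuthenticationLevel 1
    $chainOk = Test-Certificate -Cert $cert -Policy SSL -DNSName $Fqdn -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        CrlEndpoints  = $crlResults
        TrustedForSsl = [bool]$chainOk
    }
}

Import-TrustedCa -Path $CaCertPath
Test-TargetRdpCertificate -CertPath $TargetCertPath -Fqdn $TargetFqdn | Format-List
```

`certutil -verify -urlfetch C:\temp\target-rdp.cer` (with the same placeholder path) gives the same chain and CRL result in more detail if `TrustedForSsl` is false and the reason is not obvious from the `CrlEndpoints` list.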
- In the System Configuration page, in the Web Access section, click Options, then select Connection Components; the connection component parameters that define target addresses are displayed in the properties list.
- Expand the PSM-RDP connection component, and then expand the Target Settings.
- Right-click Client Specific, then in the pop-up menu select Add Parameter; a new parameter is added to the list of client specific parameters.
- In the parameter properties, specify the following:
  - Name – The name of the client specific parameter. Specify AuthenticationLevel.
  - Value – The authentication level that will be used for this connection. Specify any of the following values:

| Value | Description |
| --- | --- |
| 0 | The PSM server is not required to authenticate the target machine before connecting to it. |
| 1 | The PSM server will authenticate the target machine before connecting to it. |
| 2 | The PSM server will authenticate the target machine before connecting to it. If the authentication fails, the user will be able to cancel the connection or to initiate a connection without authentication. |

- Click Apply to apply the new Connection Component configurations, or click OK to save the new Connection Component configurations and return to the System Configuration page.
CA and Intermediate Cert
Both the CA and intermediate certificates will need to be sent to CyberArk to renew. Those are handled by the backend system of CyberArk Privilege Cloud.
Trusted Root Certification Authorities – Certificates
Intermediate Certificate