This post summarizes the steps to renew / update the certificate used by CyberArk PAM solutions.

Check your local computer’s installed certificate:

certmgr.msc – current user

Docs:

  • https://docs.cyberark.com/ispss-deployment/latest/en/Content/Privilege%20Cloud/PrivCloud-Certs4PSMs.htm

 

  1. On the PSM server, open the Microsoft Management Console (MMC).
  2. Click File Add/Remove Snap-in.
  3. On the Add or Remove Snap-in page, in the left pane, under Available snap-ins, select Certificates and then click Add.
  4. On the Certificate Snap-in page, select Computer account, and then click Finish.
  5. On the Add or Remove Snap-in page, click OK.
  6. Under Console Root > Certificates Personal, right-click Certificates , then select All Tasks > Request New Certificate.

  7. On the Certificate enrollment page, select the Active Directory Enrollment Policy.
  8. On the Certificate Enrollment page, select the Computer check box, expand Details, and click Properties.
  9. On the Certificate Properties page, select the Private Key tab, and do the following:

    • Select Make private key exportable.
    • Select Strong private key protection.
    • Set Key size to 4096.

    We highly recommend using a key size larger than 4096 bits. Only use a lower key size for compatibility issues.

Do not forget to add multiple DNS Alternative name into your subject tab. 

Please select Web Server this template. Computer template will ignore your Alternative name configuration.

That will allow you to use one cert for all PSM servers.

Unfortunately, this step won’t work if you are using Machine Template. You will have to use webserver template to sign this certificate. 


It is because Computer certificate template ignores user-supplied subject and builds the subject automatically based on AD information. You have to use different template where subject is constructed from a user-supplied values, for example, Web Server template.

If Webserver template is not available for Active Directory Enrollment Policy, you will have to manually create one then submit it to your CA to sign to get all SAN records in your cert. 

https://knowledge.digicert.com/solution/generate-a-csr-via-mmc-certificate-snap-in-using-windows

Here is an example of Machine template created cert, and it wont support multiple Subject Alternative Name:


  1. On the Extensions tab, under Extended Key Usage (application policies), make sure that only Server Authentication is listed in the Selected options list.
  2. On the Certificate Authority tab, select the CA to sign the certificate.


  1. Click OK to confirm the changes to the certificate properties, and then click Enroll.

Once done, the certifiate signing request generated and sent to your identified / seclected CA, it will be automatically signed by your CA then put it back into local certificate repository. This process is automatically happened. 

Submit a Certificate Request or Renewal Request

1. Log into your CyberArk PSM server with a proper user account (it might require domain admin privilege to see your Web Server Template)

2. From Certificate Enrollment, you should be able to see web server template is available. 

it is valid for two years.

3. If it is not available for somehow, we will have to change the permission and configuraiton of the template. 
Mangae the certificate template from CA server

Duplicate web server template and change settings:
Make the private key to be exported. You can change the valid periods for the certs. Default is two years. 

Change tempalte security to make sure authenticated users are able to enroll the certificate. 

Issue the certificate template to AD

4. Or you can request a new certificate with New Key without using renew wizard. Renew wizard will replace the cert you have. 

Make share key is exportable:

5. export the new cert with private key

6. You will need pfx format to import into your CyberArk PSM Server’s Remote desktop certificate section

7. Export successful. Cert has key inside.

8. Import this cert into Remote Desktop Services Deployment Certificates twice:

9. Import the export cert to PSM server’s local machine repository – personal. You might need to enter password and mark the key as exportable as well. 

PVWA Certificate

An SSL certificate must be installed on the Web server in order to have a secure channel between the PVWA machine and the Internet browser. If the default website is not protected by a certificate, an error will appear in the browser indicating that the website is not trusted.

As a part of the Prerequisites script, a self-signed certificate is created. We recommend that you replace this certificate with a trusted certificate after installation.

Personel-Certificate

RDP Certificate

https://docs.cyberark.com/pam-self-hosted/14.2/en/Content/PASIMP/Securing-RDP-Connections-with-SSL.htm

RDP connections to the PSM machine with SSL

Users can configure secure RDP connections to the PSM machine using an SSL connection.

RDP connections to target machines with SSL

Users can configure secure PSM-RDP connections to target machines by verifying the target machine before connecting to it and encrypting the session, using an SSL connection. To facilitate this type of connection, the target machine must have its own certificate. The PSM server machine must trust the CA that signed the certificate used by the target machine.

Before configuring secure RDP connections with SSL

Import the CA Certificate that signed the certificate used by the target machine into the Windows certificate store on the PSM server machine:
Certificates (Local Computer)/Trusted Root Certification Authorities
 

The PSM server must be able to access the CRL (Certificate Revocation List) from the CRL Distribution Points in the certificate.

By storing the certificate in this location, all users will be able to access the remote machine using an authenticated connection.
Remote Desktop – Certificate

Edit Remote Desktop Services Deployment:

This certificate is same as the one stored into PSM server’s personel folder. 
This certificate can be used for all PSM servers and RDP services since the subject alternative name covers all PSM servers and local balancer. 

CA and Intermediate Cert

Both CA and Intermediate Certs will need to send to CyberArk to renew. Those are handled by backend system of CyberArk Privilege Cloud.

 Trusted Root Certification Authorities – Certifiates

Intermediate Certificate

By netsec

Leave a Reply