By default, the CyberArk Vault server uses a self-signed certificate. There is an option to deploy a CA-signed certificate instead, which is then used to create the secure channel to a client. In this way, clients can validate the Vault's identity through a trusted third party.

If you see this message on your Vault server console, you are using a self-signed certificate:

“ITATP044W Security warning – Vault certificate is self-signed, It’s recommended to use a CA signed certificate with the Vault’s configuration”

Note: If you have a DR Vault, you will have to repeat the following process on the DR server as well.

Generate a Cert Signing Request for the Vault

This procedure creates a private key on the Vault server and a Certificate Signing Request (CSR) to be signed by your organization's SSL certificate authority (CA).

Install Your Organization's SSL Certificate on the Vault Server

This procedure installs your signed organizational SSL certificate on the Vault application.

C:\Program Files (x86)\PrivateArk\Server>CACert.exe /?
Usage: CACert <command> [command parameters]
       If no command parameter is specified, you will be prompted for input.
CACert commands:
request         - Prepares certificate signing request (CSR) file
install         - Installs certificate to be used by the vault
uninstall       - Uninstalls the current vault certificate
import          - Imports and installs a certificate from a ".pfx" file
show            - Shows current vault certificate information
renew           - Renews the current vault certificate
setca           - Handles CA certificates store

Option preceeded with '*' is mandatory
"request" command options:
* /ReqOutFile      - Name of the request output file
  /ReqOutPrvFile   - Private key output file (default is server private key)
  /KeyBitLen       - Bit length of output private key (default is 2048)
  /Country         - Country Name (2 letters code)
  /State           - State or Province Name (full name)
  /Locality        - Locality Name (eg, city)
  /Org             - Organization Name (eg, company)
  /OrgUnit         - Organizational Unit Name (eg, section)
* /CommonName      - Common Name (eg, DNS name of the vault)
  /SubjAlt         - Subject alternative names (eg, ", IP:1")
"install" command options:
* /CertFileName    - Full path of the certificate file to install
"uninstall" command options:
  /Quiet           - Uninstalls the vault certificate without user confirmation
"import" command options:
* /InFile          - Full path of the file that contains the key and certificate to import (.pfx)
  /Password        - Password of the .pfx file
"show" command options:
  /OutFormat       - Output format: TEXT, PEM OR DER (default is TEXT)
"renew" command options:
* /RenOutFile      - Certificate renewal output file name
"setca" command options:
  /CertStore       - Certificate store to work with. If parameter is ommited, the vault trusted client CA's store is selected
  /List            - Lists subjects of certificates in a store
  /Add             - Name of certificate file to add to the store
  /Remove          - Name of certificate file to remove from the store

C:\Program Files (x86)\PrivateArk\Server>
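The two procedures above (create the CSR, then install the signed certificate) run as CACert.exe commands from the Vault server console. The following PowerShell script is an added example, not code from the original post or from CyberArk: it uses only the options shown in the help output above, and the subject values, file names, hostname and IP address are placeholders. The /SubjAlt value format is an assumption taken from the help text and should be checked against your own CACert.exe /? output. After the install step it runs "show /OutFormat PEM" and checks that the issuer differs from the subject, which is the condition that clears the ITATP044W self-signed warning.

```powershell
# Added example (not from the original post or from CyberArk): request a CSR,
# install the CA-signed certificate and verify the result with CACert.exe.
# Assumptions: the install path is the one shown in the post; subject fields,
# file names, hostname and IP are placeholders; /SubjAlt syntax is assumed.
# Repeat the same steps on the DR Vault if you have one.

$serverDir = 'C:\Program Files (x86)\PrivateArk\Server'    # path from the post
$caCert    = Join-Path $serverDir 'CACert.exe'
$csrFile   = Join-Path $serverDir 'vault.csr'                # placeholder CSR output name
$signedCer = Join-Path $serverDir 'vault-signed.cer'         # placeholder: file returned by your CA

# Step 1: create the private key and the CSR.
# /ReqOutFile and /CommonName are mandatory (marked '*' in the help output);
# the key length default is 2048, stated here explicitly.
& $caCert request `
    /ReqOutFile $csrFile `
    /KeyBitLen 2048 `
    /Country 'US' `
    /State 'Example State' `
    /Locality 'Example City' `
    /Org 'Example Corp' `
    /OrgUnit 'Security' `
    /CommonName 'vault.example.com' `
    /SubjAlt 'DNS:vault.example.com, IP:10.0.0.5'    # assumed SAN syntax; verify with CACert.exe /?
if ($LASTEXITCODE -ne 0) { throw "CACert request failed with exit code $LASTEXITCODE" }
Write-Host "CSR written to $csrFile - submit it to your CA and save the signed cert as $signedCer"

# ... submit $csrFile to your organization's CA, save the result as $signedCer ...
if (-not (Test-Path $signedCer)) { throw "Signed certificate $signedCer not found; stopping before install" }

# Step 2: install the signed certificate (/CertFileName is mandatory).
& $caCert install /CertFileName $signedCer
if ($LASTEXITCODE -ne 0) { throw "CACert install failed with exit code $LASTEXITCODE" }

# Step 3: verify. Dump the active Vault certificate as PEM, parse it, and confirm
# that issuer and subject differ (a self-signed cert has issuer == subject).
$showOutput = (& $caCert show /OutFormat PEM) -join "`n"
$pemMatch = [regex]::Match(
    $showOutput,
    '-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----',
    [System.Text.RegularExpressions.RegexOptions]::Singleline)
if (-not $pemMatch.Success) { throw 'No PEM certificate found in "CACert show" output' }

$der  = [Convert]::FromBase64String(($pemMatch.Groups[1].Value -replace '\s', ''))
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)

$selfSigned = ($cert.Subject -eq $cert.Issuer)
$dnsName    = $cert.GetNameInfo(
    [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)

[pscustomobject]@{
    Subject    = $cert.Subject
    Issuer     = $cert.Issuer
    DnsName    = $dnsName
    NotAfter   = $cert.NotAfter
    SelfSigned = $selfSigned
} | Format-List

if ($selfSigned) {
    Write-Warning 'Vault still presents a self-signed certificate; ITATP044W will persist.'
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Installed certificate expires on $($cert.NotAfter); plan a renewal (CACert renew)."
}
```

The verification step is the part worth keeping around: run "CACert.exe show /OutFormat PEM" after any certificate change (including on the DR Vault) and confirm the issuer is your CA rather than the Vault itself, and that the DNS name in the certificate matches the name clients use to reach the Vault.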

from Blogger

By Jonny
