By default, the CyberArk Vault server uses a self-signed certificate. There is an option to deploy a CA-signed certificate instead, which is used to establish the secure channel between the Vault and its clients. In this way, users can authenticate to third parties securely.

If you see this message on your Vault server console, you are using a self-signed certificate:

“ITATP044W Security warning – Vault certificate is self-signed, It’s recommended to use a CA signed certificate with the Vault’s configuration”

Note: If you have a DR Vault, you will have to repeat the following process on the DR server as well.

Generate a Cert Signing Request for the Vault

This procedure creates a private key on the Vault server and a Certificate Signing Request (CSR) to be signed by your organization’s SSL certificate authority (CA).

Install your Vault Server Organization SSL Cert

This procedure installs your signed organizational SSL certificate on the Vault application.
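The two procedures above, run end to end from the Vault server with the CACert.exe switches listed in the appendix, followed by a check that the installed certificate is no longer self-signed (the condition behind the ITATP044W warning). This is an added example, not code from the original post or from CyberArk; it assumes the default PrivateArk\Server install folder, a Vault DNS name of vault.example.com, a writable C:\Temp, and that "CACert.exe show /OutFormat PEM" writes the certificate to standard output.

```powershell
# Added example (not from the original post). Assumed values: install folder,
# vault.example.com / vault-dr.example.com, C:\Temp paths and the DN fields.
$ServerDir = "C:\Program Files (x86)\PrivateArk\Server"
$Csr       = "C:\Temp\vault.csr"
$SignedCer = "C:\Temp\vault.cer"   # certificate returned by your CA (assumed path)
$Fqdn      = "vault.example.com"

Set-Location $ServerDir

# 1. Create the private key on the Vault and a CSR for the CA to sign.
#    /SubjAlt should carry every name clients will use; the DR Vault's name is
#    included here only if the same certificate will be installed there too.
& .\CACert.exe request /ReqOutFile $Csr /KeyBitLen 2048 `
    /Country US /State "New York" /Locality "New York" `
    /Org "Example Corp" /OrgUnit "IT Security" `
    /CommonName $Fqdn /SubjAlt "DNS:$Fqdn, DNS:vault-dr.example.com"
if ($LASTEXITCODE -ne 0) { throw "CACert request failed ($LASTEXITCODE)" }

# 2. Submit $Csr to the organization's CA out of band; save the issued
#    certificate as $SignedCer before continuing.
if (-not (Test-Path $SignedCer)) { throw "Signed certificate not found at $SignedCer" }

# 3. Install the CA-signed certificate on the Vault.
& .\CACert.exe install /CertFileName $SignedCer
if ($LASTEXITCODE -ne 0) { throw "CACert install failed ($LASTEXITCODE)" }

# 4. Verify: export the active certificate as PEM (assumed to be printed to
#    stdout) and confirm issuer != subject, i.e. it is not self-signed.
$pemText = (& .\CACert.exe show /OutFormat PEM) -join "`n"
$m = [regex]::Match($pemText, '-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----')
if (-not $m.Success) { throw "No PEM certificate found in 'CACert show' output" }
$b64  = ($m.Value -replace '-----(BEGIN|END) CERTIFICATE-----', '') -replace '\s', ''
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
            [Convert]::FromBase64String($b64))

"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Expires : $($cert.NotAfter)"
if ($cert.Subject -eq $cert.Issuer) {
    Write-Warning "Certificate is still self-signed; ITATP044W will persist."
} elseif ($cert.DnsNameList.Unicode -notcontains $Fqdn) {
    Write-Warning "Installed certificate does not carry the name $Fqdn."
} else {
    "OK: CA-signed certificate installed for $Fqdn"
}
```

The subject-equals-issuer test is the same heuristic the Vault's warning relies on; it does not validate the chain, so still confirm from a client that the issuing CA is trusted there.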

References

Appendix


C:\Program Files (x86)\PrivateArk\Server>CACert.exe /?
Usage: CACert <command> [command parameters]
       If no command parameter is specified, you will be prompted for input.
CACert commands:
request         - Prepares certificate signing request (CSR) file
install         - Installs certificate to be used by the vault
uninstall       - Uninstalls the current vault certificate
import          - Imports and installs a certificate from a ".pfx" file
show            - Shows current vault certificate information
renew           - Renews the current vault certificate
setca           - Handles CA certificates store

Option preceeded with '*' is mandatory
"request" command options:
* /ReqOutFile      - Name of the request output file
  /ReqOutPrvFile   - Private key output file (default is server private key)
  /KeyBitLen       - Bit length of output private key (default is 2048)
  /Country         - Country Name (2 letters code)
  /State           - State or Province Name (full name)
  /Locality        - Locality Name (eg, city)
  /Org             - Organization Name (eg, company)
  /OrgUnit         - Organizational Unit Name (eg, section)
* /CommonName      - Common Name (eg, DNS name of the vault)
  /SubjAlt         - Subject alternative names (eg, "DNS:www.cyber-ark.com, IP:192.168.41.1")
"install" command options:
* /CertFileName    - Full path of the certificate file to install
"uninstall" command options:
  /Quiet           - Uninstalls the vault certificate without user confirmation
"import" command options:
* /InFile          - Full path of the file that contains the key and certificate to import (.pfx)
  /Password        - Password of the .pfx file
"show" command options:
  /OutFormat       - Output format: TEXT, PEM OR DER (default is TEXT)
"renew" command options:
* /RenOutFile      - Certificate renewal output file name
"setca" command options:
  /CertStore       - Certificate store to work with. If parameter is ommited, the vault trusted client CA's store is selected
  /List            - Lists subjects of certificates in a store
  /Add             - Name of certificate file to add to the store
  /Remove          - Name of certificate file to remove from the store

C:\Program Files (x86)\PrivateArk\Server>

from Blogger http://blog.51sec.org/2020/07/replace-cyberark-vault-server-self.html

By Jonny
