By default, CyberArk Vault server will use self-signed certificate. There is an option to deploy CA signed certificate to be used to create a secure channel to a client. In this way, users can authenticate to the thrid party securely.
If you saw this message on your vault server console, you are using self-signed certificate:
Note: If you have DR vault, you will have to repeat this following process to DR server as well.
Generate a Cert Signing Request for the Vault
This procedure creates a private key on the Vault server and a Certificate Signing Request (CSR) to be signed by your organization’s SSL.
Install your Vault Server Organization SSL Cert
- CACert (PAS v11.5)
C:\Program Files (x86)\PrivateArk\Server>CACert.exe /? Usage: CACert <command> [command parameters] If no command parameter is specified, you will be prompted for input. CACert commands: request - Prepares certificate signing request (CSR) file install - Installs certificate to be used by the vault uninstall - Uninstalls the current vault certificate import - Imports and installs a certificate from a ".pfx" file show - Shows current vault certificate information renew - Renews the current vault certificate setca - Handles CA certificates store Option preceeded with '*' is mandatory "request" command options: * /ReqOutFile - Name of the request output file /ReqOutPrvFile - Private key output file (default is server private key) /KeyBitLen - Bit length of output private key (default is 2048) /Country - Country Name (2 letters code) /State - State or Province Name (full name) /Locality - Locality Name (eg, city) /Org - Organization Name (eg, company) /OrgUnit - Organizational Unit Name (eg, section) * /CommonName - Common Name (eg, DNS name of the vault) /SubjAlt - Subject alternative names (eg, "DNS:www.cyber-ark.com, IP:1 188.8.131.52") "install" command options: * /CertFileName - Full path of the certificate file to install "uninstall" command options: /Quiet - Uninstalls the vault certificate without user confirmation "import" command options: * /InFile - Full path of the file that contains the key and certificate to import (.pfx) /Password - Password of the .pfx file "show" command options: /OutFormat - Output format: TEXT, PEM OR DER (default is TEXT) "renew" command options: * /RenOutFile - Certificate renewal output file name "setca" command options: /CertStore - Certificate store to work with. If parameter is ommited, th e vault trusted client CA's store is selected /List - Lists subjects of certificates in a store /Add - Name of certificate file to add to the store /Remove - Name of certificate file to remove from the store C:\Program Files (x86)\PrivateArk\Server>