Replace CyberArk Vault Server Self Signed Certificate with CA Signed Certificate - NETSEC


Tuesday, July 14, 2020

Replace CyberArk Vault Server Self Signed Certificate with CA Signed Certificate

By default, the CyberArk Vault server uses a self-signed certificate. There is an option to deploy a CA-signed certificate instead, which is used to create a secure channel to a client. In this way, users can authenticate to the third party securely.

If you see this message on your Vault server console, you are using a self-signed certificate:

"ITATP044W Security warning - Vault certificate is self-signed, It's recommended to use a CA signed certificate with the Vault's configuration"

Note: If you have a DR Vault, you will have to repeat the following process on the DR server as well.

Generate a Cert Signing Request for the Vault

This procedure creates a private key on the Vault server and a Certificate Signing Request (CSR) to be signed by your organization's CA.

Install your Vault Server Organization SSL Cert

This procedure installs your signed organizational SSL certificate on the Vault application.



    C:\Program Files (x86)\PrivateArk\Server>CACert.exe /?
    Usage: CACert <command> [command parameters]
           If no command parameter is specified, you will be prompted for input.
    CACert commands:
    request         - Prepares certificate signing request (CSR) file
    install         - Installs certificate to be used by the vault
    uninstall       - Uninstalls the current vault certificate
    import          - Imports and installs a certificate from a ".pfx" file
    show            - Shows current vault certificate information
    renew           - Renews the current vault certificate
    setca           - Handles CA certificates store
    Option preceeded with '*' is mandatory
    "request" command options:
    * /ReqOutFile      - Name of the request output file
      /ReqOutPrvFile   - Private key output file (default is server private key)
      /KeyBitLen       - Bit length of output private key (default is 2048)
      /Country         - Country Name (2 letters code)
      /State           - State or Province Name (full name)
      /Locality        - Locality Name (eg, city)
      /Org             - Organization Name (eg, company)
      /OrgUnit         - Organizational Unit Name (eg, section)
    * /CommonName      - Common Name (eg, DNS name of the vault)
      /SubjAlt         - Subject alternative names (eg, ", IP:1")
    "install" command options:
    * /CertFileName    - Full path of the certificate file to install
    "uninstall" command options:
      /Quiet           - Uninstalls the vault certificate without user confirmation
    "import" command options:
    * /InFile          - Full path of the file that contains the key and certificate to import (.pfx)
      /Password        - Password of the .pfx file
    "show" command options:
      /OutFormat       - Output format: TEXT, PEM OR DER (default is TEXT)
    "renew" command options:
    * /RenOutFile      - Certificate renewal output file name
    "setca" command options:
      /CertStore       - Certificate store to work with. If parameter is ommited, the vault trusted client CA's store is selected
      /List            - Lists subjects of certificates in a store
      /Add             - Name of certificate file to add to the store
      /Remove          - Name of certificate file to remove from the store
    C:\Program Files (x86)\PrivateArk\Server>
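The post does not show how to check the certificate that comes back from the CA before handing it to "CACert.exe install". The following PowerShell function is an added example (not from the original post or from CyberArk's tooling) that verifies the signed certificate file against what the "request" options above imply: not self-signed, CN and SAN equal to the Vault's DNS name, at least a 2048-bit key, currently valid, and chaining to a trusted root. The certificate path and the Vault FQDN are assumptions.

```powershell
# Added example: pre-install checks on the CA-signed Vault certificate.
# Paths and the FQDN below are assumptions; replace them with your own.
function Test-VaultCertificate {
    param(
        [Parameter(Mandatory)][string]$CertPath,   # e.g. C:\certs\vault.cer returned by your CA (assumed path)
        [Parameter(Mandatory)][string]$VaultFqdn   # the /CommonName given to "CACert.exe request"
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
    $problems = @()

    # ITATP044W is raised for self-signed certificates: the issuer must differ from the subject.
    if ($cert.Subject -eq $cert.Issuer) { $problems += 'self-signed (Subject equals Issuer)' }

    # The CN must be the Vault's DNS name, as passed to /CommonName.
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn -ne $VaultFqdn) { $problems += "CN '$cn' is not '$VaultFqdn'" }

    # The SAN extension (/SubjAlt) should also carry the FQDN; modern clients match on SAN first.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { $problems += 'no Subject Alternative Name extension' }
    elseif ($san.Format($false) -notmatch [regex]::Escape($VaultFqdn)) { $problems += "SAN lacks '$VaultFqdn'" }

    # "request" defaults to a 2048-bit key (/KeyBitLen); refuse anything weaker.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    if ($null -ne $rsa -and $rsa.KeySize -lt 2048) { $problems += "RSA key is only $($rsa.KeySize) bits" }

    # The certificate must be valid right now.
    $now = Get-Date
    if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) { $problems += 'expired or not yet valid' }

    # The chain must build to a root this server trusts; revocation is not checked here (offline run).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($cert)) {
        $problems += 'chain does not build: ' + (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
    }

    [pscustomobject]@{
        Thumbprint     = $cert.Thumbprint
        Issuer         = $cert.Issuer
        NotAfter       = $cert.NotAfter
        ReadyToInstall = ($problems.Count -eq 0)
        Problems       = $problems
    }
}

# Run once per Vault; repeat for the DR Vault with its own certificate file.
Test-VaultCertificate -CertPath 'C:\certs\vault.cer' -VaultFqdn 'vault.example.com' | Format-List
```

Only proceed to the "install" step when ReadyToInstall is True; an empty Problems list with a non-matching issuer usually means the CA chain has not yet been imported into the server's trusted root store.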
