If you see this message on your Vault server console, the Vault is using a self-signed certificate:
"ITATP044W Security warning - Vault certificate is self-signed, It's recommended to use a CA signed certificate with the Vault's configuration"
Note: If you have a DR Vault, repeat the following process on the DR server as well.
Generate a Cert Signing Request for the Vault
This procedure creates a private key on the Vault server and a Certificate Signing Request (CSR) to be signed by your organization's Certificate Authority (CA).
- Navigate to the Vault Server installation folder (by default: c:\Program Files (x86)\PrivateArk\Server).
- Open CMD as administrator.
- Run the following command to create a new Certificate Signing Request (CSR): CACert.exe request. When run without parameters, the command prompts for the following values.
- Name of the request output file - The file name of the CSR for the Vault Server.
- Private key output file - The file name of the new private key for the Vault Server. Enter a path that is different from the default path, because the default is the current server private key and would overwrite it.
- Common Name - The Vault Server common name (typically its DNS name).
- Subject Alternative Names - List of Subject Alternative Names, including the hostname and IP addresses. If the Vault is in a Cluster architecture, enter both the private and the virtual IP address. You can enter multiple alternative DNS and/or IP values in this field. The format is <field name>:<alternative_name>,<field name>:<alternative_name>. For example: dns:hostname,ip:10.10.10.10,ip:11.11.11.11
- Provide the CSR to your organization's Certificate Authority (CA).
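The same CSR step, driven non-interactively from PowerShell, as an added example that is not from the original post or from CyberArk. It uses only the switches listed in the CACert.exe help output in the appendix; the space-separated "/Switch value" syntax, the paths, the hostname and the IP addresses are assumptions and placeholders for this walkthrough.

```powershell
# Added example (not CyberArk's code): run CACert.exe request non-interactively.
# Switch names come from "CACert.exe /?"; the "/Switch value" syntax is assumed.
$ServerDir   = 'C:\Program Files (x86)\PrivateArk\Server'
$VaultFqdn   = 'vault.example.com'                   # placeholder common name
$DnsNames    = @('vault.example.com', 'vault')       # placeholder DNS SANs
$IpAddresses = @('10.10.10.10', '11.11.11.11')       # private and virtual IP (cluster)
$CsrFile     = 'C:\VaultCert\vault.csr'              # request output file (placeholder)
$KeyFile     = 'C:\VaultCert\vault-new.key'          # new private key, NOT the default path

New-Item -ItemType Directory -Path (Split-Path $CsrFile) -Force | Out-Null

# Never reuse a path that already holds a key: the default output is the live
# server private key, and overwriting it takes the Vault down at the next restart.
if (Test-Path $KeyFile) { throw "Key file $KeyFile already exists; choose another path." }

# Build the /SubjAlt value in the "DNS:name,IP:address" format shown by the help text.
$SubjAlt = (($DnsNames    | ForEach-Object { "DNS:$_" }) +
            ($IpAddresses | ForEach-Object { "IP:$_" })) -join ','

Push-Location $ServerDir
try {
    & .\CACert.exe request /ReqOutFile $CsrFile /ReqOutPrvFile $KeyFile `
        /KeyBitLen 2048 /CommonName $VaultFqdn /SubjAlt $SubjAlt
    if ($LASTEXITCODE -ne 0) { throw "CACert.exe request failed with exit code $LASTEXITCODE" }
}
finally { Pop-Location }

# Sanity checks before the CSR leaves the server.
if (-not (Test-Path $CsrFile)) { throw "CSR was not written to $CsrFile" }
if (-not (Test-Path $KeyFile)) { throw "Private key was not written to $KeyFile" }
if ((Get-Content $CsrFile -Raw) -notmatch 'BEGIN (NEW )?CERTIFICATE REQUEST') {
    throw "$CsrFile does not look like a PEM certificate request"
}

# Restrict the new key file to Administrators and SYSTEM until it is moved into place.
$acl = Get-Acl $KeyFile
$acl.SetAccessRuleProtection($true, $false)
foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $KeyFile -AclObject $acl

Write-Host "CSR ready for the CA: $CsrFile"
Write-Host "New private key kept at: $KeyFile (only the CSR leaves this server)"
```

Only the CSR is sent to the CA; the private key never leaves the Vault server, which is why the script tightens its ACL immediately after creation.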
Install your organization's signed SSL certificate on the Vault Server
This procedure installs your signed organizational SSL certificate on the Vault application.
The signed certificate and the chain certificate must be in base-64 format.
- Transfer the Vault certificate to the Vault Server.
- If you use Session Management in Distributed Vaults, transfer the Certificate Chain to the Vault Server.
- Back up the current server private key. The path to the key can be found in the ServerPrivateKey parameter in DBParm.ini.
- Replace the existing server private key file with the new private key created above.
- Navigate to the Vault Server installation folder (by default, c:\Program Files (x86)\PrivateArk\Server).
- Open CMD as administrator.
- Run the following command: CACert.exe install. When prompted, specify the path to the signed Vault Server certificate.
- Restart the Vault Application.
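The install procedure above, with the checks an administrator would want before replacing the server key, as an added example that is not from the original post or from CyberArk. It reads ServerPrivateKey from DBParm.ini as the post describes and uses the /CertFileName and /OutFormat switches from the appendix. The file paths, the "/Switch value" syntax and the Windows service name 'PrivateArk Server' are assumptions; confirm the service name with Get-Service before relying on it.

```powershell
# Added example (not CyberArk's code): validate the signed certificate, back up the
# current server key, swap in the new key, install the certificate and restart.
$ServerDir   = 'C:\Program Files (x86)\PrivateArk\Server'
$NewKey      = 'C:\VaultCert\vault-new.key'      # key created at CSR time (placeholder)
$NewCert     = 'C:\VaultCert\vault-signed.cer'   # base-64 certificate from the CA (placeholder)
$ServiceName = 'PrivateArk Server'               # assumed service name; verify with Get-Service

# 1. Locate the live private key through the ServerPrivateKey parameter in DBParm.ini.
$dbparm = Join-Path $ServerDir 'DBParm.ini'
$line = Get-Content $dbparm | Where-Object { $_ -match '^\s*ServerPrivateKey\s*=' } | Select-Object -First 1
if (-not $line) { throw "ServerPrivateKey not found in $dbparm" }
$LiveKey = ($line -split '=', 2)[1].Trim().Trim('"')
if (-not [IO.Path]::IsPathRooted($LiveKey)) { $LiveKey = Join-Path $ServerDir $LiveKey }

# 2. Validate the certificate before touching anything on the server.
if ((Get-Content $NewCert -Raw) -notmatch '-----BEGIN CERTIFICATE-----') {
    throw "$NewCert is not base-64 (PEM); the Vault requires base-64 certificates"
}
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($NewCert)
if ($cert.Subject -eq $cert.Issuer) { throw "Certificate is still self-signed; ITATP044W would remain" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { throw "Certificate expires on $($cert.NotAfter), too soon to install" }
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
if (-not $san) { throw "Certificate has no Subject Alternative Name extension; the CA dropped the SANs" }
Write-Host "Subject : $($cert.Subject)"
Write-Host "Issuer  : $($cert.Issuer)"
Write-Host "SANs    : $($san.Format($false))"

# 3. Back up the current server key with a timestamp, then replace it with the new key.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = "$LiveKey.$stamp.bak"
Copy-Item -Path $LiveKey -Destination $backup
Copy-Item -Path $NewKey  -Destination $LiveKey -Force
Write-Host "Previous key saved to $backup"

# 4. Install the signed certificate and restart the Vault application.
Push-Location $ServerDir
try {
    & .\CACert.exe install /CertFileName $NewCert
    if ($LASTEXITCODE -ne 0) {
        Copy-Item -Path $backup -Destination $LiveKey -Force   # roll the key back on failure
        throw "CACert.exe install failed (exit code $LASTEXITCODE); previous key restored"
    }
}
finally { Pop-Location }

Restart-Service -Name $ServiceName
& (Join-Path $ServerDir 'CACert.exe') show /OutFormat TEXT   # confirm the installed certificate
```

After the restart, the console should no longer print ITATP044W, and "CACert.exe show" should report the CA as issuer rather than the Vault's own name. On a DR Vault, run the same steps there with that server's own CSR and certificate.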
References
- CACert (PAS v11.5)
Appendix
C:\Program Files (x86)\PrivateArk\Server>CACert.exe /?
Usage: CACert <command> [command parameters]
If no command parameter is specified, you will be prompted for input.
CACert commands:
request - Prepares certificate signing request (CSR) file
install - Installs certificate to be used by the vault
uninstall - Uninstalls the current vault certificate
import - Imports and installs a certificate from a ".pfx" file
show - Shows current vault certificate information
renew - Renews the current vault certificate
setca - Handles CA certificates store
Option preceeded with '*' is mandatory
"request" command options:
* /ReqOutFile - Name of the request output file
/ReqOutPrvFile - Private key output file (default is server private key)
/KeyBitLen - Bit length of output private key (default is 2048)
/Country - Country Name (2 letters code)
/State - State or Province Name (full name)
/Locality - Locality Name (eg, city)
/Org - Organization Name (eg, company)
/OrgUnit - Organizational Unit Name (eg, section)
* /CommonName - Common Name (eg, DNS name of the vault)
/SubjAlt - Subject alternative names (eg, "DNS:www.cyber-ark.com, IP:192.168.41.1")
"install" command options:
* /CertFileName - Full path of the certificate file to install
"uninstall" command options:
/Quiet - Uninstalls the vault certificate without user confirmation
"import" command options:
* /InFile - Full path of the file that contains the key and certificate to import (.pfx)
/Password - Password of the .pfx file
"show" command options:
/OutFormat - Output format: TEXT, PEM OR DER (default is TEXT)
"renew" command options:
* /RenOutFile - Certificate renewal output file name
"setca" command options:
/CertStore - Certificate store to work with. If parameter is ommited, the vault trusted client CA's store is selected
/List - Lists subjects of certificates in a store
/Add - Name of certificate file to add to the store
/Remove - Name of certificate file to remove from the store
C:\Program Files (x86)\PrivateArk\Server>