
Saturday, 2 August 2025

CyberArk: CA Certificate Request & install on Vault Server

Purpose: CA Certificate Request & install on Vault Server

The CACert utility is used to manage and prepare SSL certificates for the CyberArk Vault server. These certificates establish secure channels for Vault communications, allowing secure authentication of clients and third-party systems. The utility helps generate certificate signing requests (CSR), import and install certificates, view or verify certificate details, and manage trusted certificate authorities (CAs).


Phase 1: Pre-requisites and Planning

  • Ensure Vault is already installed and configured.

  • Certificate requirements must align with your organizational policies and CyberArk prerequisites.

  • You must have access to a Certificate Authority (CA) to sign CSR files or an externally generated PFX certificate (if importing).

  • Know the hostname and IP details for use in the Subject Alternative Name (SAN) field.


Phase 2: Create the Vault SSL Certificate

Option A: Generate a CSR and Install a Signed Certificate

Step 1: Generate Certificate Signing Request (CSR)

  1. Navigate to the Vault server installation folder (default: C:\Program Files (x86)\PrivateArk\Server).

  2. Open Command Prompt as Administrator.

  3. Run the following command:

CACert.exe request

You will be prompted for:

  • Request output file path and name

  • Private key output file path and name

  • Common Name (Vault hostname)

  • Subject Alternative Names (e.g., DNS:vault.company.com, IP:10.0.0.1)

Step 2: Sign the CSR with Your Organization's CA

  • Submit the generated CSR to your organizational CA.

  • Ensure the returned certificate and its chain are in Base-64 format.

Step 3: Install the Signed Certificate

  1. Transfer the signed certificate and certificate chain to the Vault server.

  2. Back up the existing private key, as defined in the ServerPrivateKey field in DBParm.ini.

  3. Replace the current private key with the new one if needed.

  4. Run the following command to install the certificate:

CACert.exe install

Specify the full path to the new certificate file.

  5. Restart the Vault service.


Option B: Import an Existing Certificate (.pfx)

  1. Transfer the .pfx certificate file and its chain to the Vault server.

  2. Back up the current private key (from DBParm.ini).

  3. Navigate to the Vault installation folder.

  4. Open Command Prompt as Administrator.

  5. Run the following command:

CACert.exe import

Specify the full path of the .pfx file when prompted.

  6. Restart the Vault service.


Phase 3: Certificate Verification

View Installed Certificate

  1. Go to C:\Program Files (x86)\PrivateArk\Server\Conf.

  2. Open DBParm.ini and locate the ServerCertificateFile entry.

  3. Copy that file and rename it to .cer format (e.g., server.cer).

  4. Double-click to view it or use certificate tools like Crypto Shell Extensions.

Verify TLS Certificate and Chain

  1. Open Command Prompt as Administrator.

  2. Navigate to the Vault installation folder.

  3. Run:

CACert.exe verify

This verifies the installed Vault server certificate and its full trust chain.
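The key backup in Option A, Step 3 and the certificate check in Phase 3 can be scripted on the Vault server. The following PowerShell is an added example, not part of the original post or of CyberArk's tooling; it assumes DBParm.ini holds Key=Value lines with absolute paths, and the Vault FQDN (vault.company.com, taken from the SAN example above) is a placeholder to replace.

```powershell
# Added example (not from the post or CyberArk): back up the Vault private key
# named in DBParm.ini, then inspect the installed server certificate.
# Assumption: DBParm.ini uses Key=Value lines and the paths are absolute.
$ConfDir   = 'C:\Program Files (x86)\PrivateArk\Server\Conf'
$DbParm    = Join-Path $ConfDir 'DBParm.ini'
$Backup    = Join-Path $ConfDir ('KeyBackup_' + (Get-Date -Format 'yyyyMMdd_HHmmss'))
$VaultFqdn = 'vault.company.com'   # placeholder from the post's SAN example; replace

# Read only the two entries the procedure refers to, ignoring other keys.
$params = @{}
foreach ($line in Get-Content -Path $DbParm) {
    if ($line -match '^\s*(ServerPrivateKey|ServerCertificateFile)\s*=\s*(.+?)\s*$') {
        $params[$matches[1]] = $matches[2]
    }
}
if (-not $params.ServerPrivateKey)      { throw 'ServerPrivateKey not found in DBParm.ini' }
if (-not $params.ServerCertificateFile) { throw 'ServerCertificateFile not found in DBParm.ini' }

# Option A, Step 3.2: dated copy of the current key before it is replaced.
# The backup folder inherits the Conf folder's ACL; keep it on the Vault server.
New-Item -ItemType Directory -Path $Backup -Force | Out-Null
Copy-Item -Path $params.ServerPrivateKey -Destination $Backup
"Private key backed up to $Backup"

# Phase 3: load the installed certificate directly (DER or Base-64 both work,
# so no rename to .cer is needed for this check).
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList $params.ServerCertificateFile
"Subject    : $($cert.Subject)"
"Issuer     : $($cert.Issuer)"
"Expires    : $($cert.NotAfter)"
"Thumbprint : $($cert.Thumbprint)"
"SANs       : $($cert.DnsNameList.Unicode -join ', ')"

# The SAN list must cover the hostname clients connect to, not just the CN.
if ($cert.DnsNameList.Unicode -notcontains $VaultFqdn) {
    Write-Warning "Certificate SANs do not include $VaultFqdn"
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter)"
}

# Build the trust chain against this machine's trusted roots. Revocation is
# skipped because a Vault server is normally isolated from CRL/OCSP endpoints.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if ($chain.Build($cert)) {
    "Chain OK ($($chain.ChainElements.Count) certificates)"
} else {
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation)" }
}
```

Run it from an elevated PowerShell prompt on the Vault server; it makes no changes other than creating the backup folder and copying the key into it.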


Phase 4: CA Certificate Store Management (Optional)

You can manage trusted CA certificates for Vault clients using the following command:

CACert.exe setCA

Options include:

  • /certstore to specify which certificate store to use

  • /list to list current CA certs

  • /add and /remove to manage cert files



Screenshots for your Reference:

[Screenshot 1: How to request the CSR using CACert.exe]

[Screenshot 2: How to install the vault.cer using CACert.exe]


Happy learning!!
