PKI authentication (Personal Certificate)

This topic describes Public Key Infrastructure (PKI) authentication, and how to configure PKI authentication for the PVWA.

Overview

PKI enables the use of certificates in order for servers and users to identify each other and establish a secure connection. Amongst other items, certificates contain encryption values, or keys, that are used for encrypting and ensuring the integrity of messages sent between the two parties.

The CyberArk Vault fits into your existing PKI by letting users authenticate to the Vault with their personal certificate. In addition, users can optionally be required to provide password authentication as a second authentication method when they log on to the Vault through the PVWA.

When a user logs on to the Vault using the PKI authentication method, the user and the server establish an SSL (Secure Sockets Layer) connection. During the SSL handshake, the parties exchange certificates and check their validity. They also check that the other party's certificate was issued by a trusted Certificate Authority (CA).

Configure PKI authentication for the PVWA

During installation, the PVWA is automatically configured to support PKI authentication for users who select this authentication method.

Make sure that all users who are required to authenticate using PKI authentication exist in the Vault, whether they have been provisioned using LDAP integration or were created manually as CyberArk users.

Requirements

SSL Certificate – A web server certificate that has been certified by a Certificate Authority (CA).

Enable PKI authentication in the version 10 PVWA interface

The PVWA's version 10 interface can be displayed from version 9.8 and higher, for specific functionality. The following procedure describes how to configure PKI authentication in the version 10 PVWA interface.


This can only be configured in version 9.8 and higher.

Enable extended PKI/PKIPN validation

You can enable extended PKI/PKIPN certificate validation in the PVWA Configuration options using the ValidatePKICertificate parameter.

When the ValidatePKICertificate parameter is set to Yes, extended validation is enabled.

  1. Go to Administration > Configuration Options.

  2. Under Configuration, select General.

  3. Locate the ValidatePKICertificate parameter and set the value to Yes.

The certificate will pass validation when the following conditions are met:

  • The client and CA certificates don't use elliptic curves

  • The client certificate contains Client Authentication in Extended Key Usage

  • The CA certificates have the CA flag set to True in the basic constraints

  • The client certificate is not self-signed

  • SHA1 and MD5 are not used in the signature algorithm

Test PKI authentication in the PVWA


Make sure that your personal certificate is accessible. If your certificate is stored on an external hardware device, such as a smart card or a USB token, attach it to the computer before you try to log on.

In the PVWA, in the list of available authentication methods, click PKI. Depending on your browser and its security configuration, one of the following occurs:

  • The PVWA automatically locates the user's certificate and logs the user on to the Vault.

  • A list of certificates is displayed; the user selects a certificate and is logged on to the Vault.

Authenticate with PKIPN

In addition to authenticating users with the distinguished name that is specified in the client certificate, the PVWA can also authenticate users with the Principal Name property from the client certificate.

Validate the certificate issuer for PKI and PKIPN authentication (optional)

This is only available in the version 10 UI.

  • In the PVWA web.config file, under AppSettings, add the following value:

    <add key="PKIAuthorizedIssuer" value="CA issuer" />

The value is the certificate issuer: the name of the Certificate Authority (CA) that issued the client certificate, given either as its Distinguished Name (DN) or as its CN (CommonName/SimpleName).

Examples

  • Distinguished Name:

    <add key="PKIAuthorizedIssuer" value="CN=domain-DOMAIN-CA-CA, DC=domain, DC=com" />

  • CommonName/SimpleName:

    <add key="PKIAuthorizedIssuer" value="domain-DOMAIN-CA-CA" />
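The following script is an added example, not CyberArk code, that reproduces offline the five extended validation conditions listed under "Enable extended PKI/PKIPN validation" and the two forms of the PKIAuthorizedIssuer value shown above. It uses the third-party Python `cryptography` package, builds a constructed CA and client certificate in memory (the CA name mirrors the DN in the examples), and then evaluates them. The functions `extended_validation_failures`, `issuer_matches` and `build_pair` are this example's own; how the PVWA itself compares the configured issuer value is an assumption here, not something the page states.

```python
"""Added example (not CyberArk's code): reproduce the five extended
validation conditions and the PKIAuthorizedIssuer match offline.
Needs the third-party `cryptography` package. Certificates are constructed
in memory; how the PVWA itself compares the issuer value is an assumption."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def extended_validation_failures(client, ca):
    """Return the conditions the client/CA pair fails; [] means it passes."""
    failures = []
    for label, cert in (("client", client), ("CA", ca)):
        # Condition: no elliptic-curve keys on either certificate.
        if isinstance(cert.public_key(), ec.EllipticCurvePublicKey):
            failures.append(f"{label} certificate uses an elliptic-curve key")
        # Condition: SHA1 and MD5 are not used in the signature algorithm.
        if isinstance(cert.signature_hash_algorithm, (hashes.SHA1, hashes.MD5)):
            failures.append(f"{label} certificate is signed with "
                            f"{cert.signature_hash_algorithm.name}")
    # Condition: client certificate carries Client Authentication in EKU.
    try:
        eku = client.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        has_client_auth = ExtendedKeyUsageOID.CLIENT_AUTH in eku
    except x509.ExtensionNotFound:
        has_client_auth = False
    if not has_client_auth:
        failures.append("client certificate lacks clientAuth in Extended Key Usage")
    # Condition: CA certificate asserts CA=True in Basic Constraints.
    try:
        is_ca = ca.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        is_ca = False
    if not is_ca:
        failures.append("CA certificate does not set CA=True in Basic Constraints")
    # Condition: client certificate is not self-signed.
    if client.issuer == client.subject:
        failures.append("client certificate is self-signed")
    return failures


def issuer_matches(client, authorized_issuer):
    """Compare a PKIAuthorizedIssuer value (full DN or bare CN) with the
    client certificate's issuer. Assumed rule: a value containing '=' is a
    DN (RDN order and spacing ignored), anything else is matched as the CN."""
    issuer = client.issuer
    if "=" in authorized_issuer:
        def parts(dn):  # split RDNs; does not handle escaped commas
            return sorted(p.strip() for p in dn.split(","))
        return parts(issuer.rfc4514_string()) == parts(authorized_issuer)
    return any(a.value == authorized_issuer
               for a in issuer.get_attributes_for_oid(NameOID.COMMON_NAME))


def _name(*rdns):
    return x509.Name([x509.NameAttribute(oid, val) for oid, val in rdns])


# Constructed CA name matching the DN used in the examples above.
CA_NAME = _name((NameOID.DOMAIN_COMPONENT, "com"), (NameOID.DOMAIN_COMPONENT, "domain"),
                (NameOID.COMMON_NAME, "domain-DOMAIN-CA-CA"))


def _cert(subject, issuer, public_key, signer_key, hash_algo, extensions):
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
         .public_key(public_key).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1)))
    for ext in extensions:
        b = b.add_extension(ext, critical=isinstance(ext, x509.BasicConstraints))
    return b.sign(signer_key, hash_algo)


def build_pair(client_ec=False, client_auth=True, ca_flag=True,
               self_signed_client=False, hash_algo=hashes.SHA256()):
    """Constructed CA + client certificate pair; each keyword injects one failure."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_cert = _cert(CA_NAME, CA_NAME, ca_key.public_key(), ca_key, hash_algo,
                    [x509.BasicConstraints(ca=ca_flag, path_length=None)])
    client_key = (ec.generate_private_key(ec.SECP256R1()) if client_ec
                  else rsa.generate_private_key(public_exponent=65537, key_size=2048))
    subject = _name((NameOID.COMMON_NAME, "alice"))
    exts = [x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH])] if client_auth else []
    client_cert = _cert(subject, subject if self_signed_client else CA_NAME,
                        client_key.public_key(),
                        client_key if self_signed_client else ca_key, hash_algo, exts)
    return client_cert, ca_cert


if __name__ == "__main__":
    client, ca = build_pair()
    print("valid pair:", extended_validation_failures(client, ca) or "passes")
    print("DN match:", issuer_matches(client, "CN=domain-DOMAIN-CA-CA, DC=domain, DC=com"))
    print("CN match:", issuer_matches(client, "domain-DOMAIN-CA-CA"))
    for kwargs in ({"client_ec": True}, {"client_auth": False}, {"ca_flag": False},
                   {"self_signed_client": True}, {"hash_algo": hashes.SHA1()}):
        client, ca = build_pair(**kwargs)
        print(kwargs, "->", extended_validation_failures(client, ca))
```

Running the script prints "passes" for the well-formed pair, True for both issuer forms, and then one failure line per injected defect. Note that the DN comparison ignores RDN order because `rfc4514_string()` emits the name in reverse order relative to the form shown in the web.config example; if the PVWA compares the DN as an exact string, a mismatch in ordering or spacing would fail validation, so copy the issuer DN exactly as it appears in the CA certificate.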