CACert

This topic describes the CACert utility.

Overview

The CACert utility prepares and manages the certificate that the Vault will use to create a secure channel to a client, so that users can authenticate to the third party securely. After the CACert utility has run, a log file is created which contains details about the process that was carried out.

  • Distributed Vault for session management only supports root certificates, and doesn't support using intermediate certificates.
  • The following procedures can be run without stopping the Vault. However, you must restart the Vault application to use the new Certificate.

See Certificate requirements for detailed requirements.

The following procedures must be performed on each Vault server, according to its configuration.


The configuration described below shows the recommended settings for most use cases. See CACert usage below for all the CACert options.

Create the SSL certificate for the Vault server

There are two ways you can create an SSL certificate for the Vault server:

  • Generate a Certificate Signing Request (CSR) to be signed by your organizational Certificate Authority (CA), and install the certificate on the Vault

  • Import a certificate for the Vault that was created externally

Generate and install the Vault certificate

First you must create a Certificate Signing Request (CSR) on the Vault server. Next you have the CSR signed by your organization's Certificate Authority (CA). Last, you install the issued certificate on the Vault server.

Step 1: Generate a Certificate Signing Request for the Vault

This procedure creates a private key on the Vault server and a CSR to be signed by your organization's Certificate Authority (CA).

  1. Navigate to the Vault Server installation folder (by default: c:\Program Files (x86)\PrivateArk\Server).
  2. Open a Command window as an Administrator.
  3. Run the following command to create a new Certificate Signing Request (CSR):

     CACert.exe request

     Enter the following values when prompted:

     • Name of the request output file - The file name of the request for the Vault Server.
     • Private key output file - The file name of the private key for the Vault Server.
       Enter a path that is different from the default path. The path cannot contain any quote symbols (").
     • Common Name - The Vault Server common name.
     • Subject Alternative Names - List of Subject Alternative Names including the hostname and IP addresses. If the Vault is in a Cluster architecture, enter both the private and virtual IP address.
       You can enter multiple alternative DNS and/or IP values in the Subject Alternative Names field. The format is <field name>:<alternative_name>,<field name>:<alternative_name>. For example, DNS:hostname,IP:10.10.10.10,IP:11.11.11.11

  4. Provide the CSR to your organization's Certificate Authority (CA).

Step 2: Sign the CSR using your organization's Certificate Authority (CA)

The signed certificate and the chain certificate must be in base-64 format.

Step 3: Install your Vault Server Organization SSL Certificate

This procedure installs your signed organizational SSL certificate in the Vault application.

  1. Transfer the Vault certificate to the Vault Server.
  2. If you use Session Management in Distributed Vaults, transfer the Certificate Chain to the Vault Server.
  3. Back up the current server private key. The path to the key can be found in the ServerPrivateKey parameter in DBParm.ini.
  4. Replace the existing server private key file with the new private key created above.
  5. Navigate to the Vault Server installation folder (by default, c:\Program Files (x86)\PrivateArk\Server).
  6. Open CMD as administrator.
  7. Run the following command:
     
    CACert.exe install

    Specify the path to the Vault Server certificate.

  8. Restart the Vault application.
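The three steps above, run non-interactively from an administrator PowerShell session, as an added example (this is not CyberArk's code). It backs up the key named by ServerPrivateKey in DBParm.ini before replacing it, builds the Subject Alternative Names value in the documented DNS:name,IP:address form, and writes the new key to a path that differs from the default and contains no quote characters. The install folder is the documented default; the host names, IP addresses and file names are constructed sample values, and the /name=value form of the command parameters is an assumption to confirm against CACert.exe /? before use.

```powershell
# Added example, not CyberArk's code: runs the CSR request and the later install step
# non-interactively, backing up the current private key first.
# Assumptions (confirm with "CACert.exe /?"): default install folder, and that command
# parameters take the form /name=value. Host names, IPs and file names are constructed.

$ServerDir = 'C:\Program Files (x86)\PrivateArk\Server'
$CACert    = Join-Path $ServerDir 'CACert.exe'
$DbParm    = Join-Path $ServerDir 'Conf\DBParm.ini'

# Read a key from DBParm.ini (e.g. ServerPrivateKey) so the backup targets the file the Vault uses
function Get-DbParmValue {
    param([string]$Path, [string]$Key)
    $line = Get-Content -Path $Path | Where-Object { $_ -match "^\s*$Key\s*=" } | Select-Object -First 1
    if (-not $line) { throw "$Key not found in $Path" }
    return ($line -split '=', 2)[1].Trim()
}

# Build the /subjalt value in the documented "DNS:name,IP:addr" form, validating each IP first
function New-SubjAltValue {
    param([string[]]$DnsNames, [string[]]$IpAddresses)
    foreach ($ip in $IpAddresses) {
        $parsed = $null
        if (-not [System.Net.IPAddress]::TryParse($ip, [ref]$parsed)) { throw "Not an IP address: $ip" }
    }
    $parts = @($DnsNames | ForEach-Object { "DNS:$_" }) + @($IpAddresses | ForEach-Object { "IP:$_" })
    return ($parts -join ',')
}

# Step 1: create the key and CSR. The key path is deliberately different from the default
# ServerPrivateKey path and must not contain quote characters, as the procedure requires.
function New-VaultCsr {
    param(
        [string]$CommonName,
        [string[]]$DnsNames,
        [string[]]$IpAddresses,
        [string]$ReqOutFile = (Join-Path $ServerDir 'Conf\vault-request.csr'),
        [string]$NewKeyFile = (Join-Path $ServerDir 'Conf\server-new.key')
    )
    foreach ($p in @($ReqOutFile, $NewKeyFile)) {
        if ($p.Contains('"')) { throw "Path must not contain quote characters: $p" }
    }
    $subjAlt = New-SubjAltValue -DnsNames $DnsNames -IpAddresses $IpAddresses
    & $CACert request "/reqoutfile=$ReqOutFile" "/reqoutprvfile=$NewKeyFile" '/keybitlen=4096' `
        "/commonname=$CommonName" "/subjalt=$subjAlt" '/ShaRenew=sha2-256'
    if ($LASTEXITCODE -ne 0) { throw "CACert request failed with exit code $LASTEXITCODE" }
    return $ReqOutFile
}

# Step 3: once the CA has returned the base-64 certificate, back up the live key, swap in the
# new one and install the certificate. The Vault application must be restarted afterwards.
function Install-VaultCertificate {
    param([string]$CertFile, [string]$NewKeyFile = (Join-Path $ServerDir 'Conf\server-new.key'))
    $liveKey = Get-DbParmValue -Path $DbParm -Key 'ServerPrivateKey'
    $stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
    Copy-Item -Path $liveKey -Destination "$liveKey.$stamp.bak" -ErrorAction Stop
    Copy-Item -Path $NewKeyFile -Destination $liveKey -Force -ErrorAction Stop
    & $CACert install "/certfilename=$CertFile"
    if ($LASTEXITCODE -ne 0) { throw "CACert install failed with exit code $LASTEXITCODE" }
    Write-Host "Certificate installed; previous key backed up to $liveKey.$stamp.bak. Restart the Vault application."
}

# Sample run (constructed values): one DNS name plus the private and virtual IPs of a cluster
$csr = New-VaultCsr -CommonName 'vault01.example.internal' `
                    -DnsNames @('vault01.example.internal') `
                    -IpAddresses @('10.10.10.10', '10.10.10.20')
Write-Host "Send $csr to your CA, then run: Install-VaultCertificate -CertFile <path to signed certificate>"
```

The backup copy is written next to the live key with a timestamp suffix so that a failed install can be reverted by copying it back before the Vault is restarted; the new key file is kept in its separate location until the install step copies it over the ServerPrivateKey path.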

Import your organization's SSL certificate for the Vault server

This procedure imports your organization's SSL certificate for the Vault server. This certificate includes both the public and private keys. The certificate must be in pfx format.

Because the certificate was not created on the Vault server, and it includes both the public and private keys, the certificate file must be protected in transit and at rest so that the private key is not exposed.

  1. Transfer the Vault server certificate in *.pfx format and the chain.

  2. Back up the current server private key. You can find the key's location in the ServerPrivateKey parameter in the DBParm.ini file.

  3. Go to the Vault server installation folder. The default location is C:\Program Files (x86)\PrivateArk\Server.

  4. Open the Command window as an Administrator, and run the following command:

    CACert.exe import

  5. Enter the full path and certificate file name.

  6. Restart the Vault application.

Verify the Vault server certificate

This procedure describes how to view the Vault server certificate.

  1. Go to the Vault server configuration folder. The default location is C:\Program Files (x86)\PrivateArk\Server\Conf.

  2. Open the DBParm.ini file, and locate the ServerCertificateFile configuration.

  3. Go to the folder path location of the ServerCertificateFile.

  4. Copy the certificate file into the same folder, and give the copy a .cer extension, for example, Server.cer.

  5. Double-click the copy of the file (in the .cer format) to open the file, or use Crypto Shell Extensions.
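Beyond viewing the certificate, a practitioner usually wants to confirm that the installed certificate is the organizational one (not the self-signed default), that its Subject Alternative Names cover every name and IP the Vault is reached by, and that its key size, signature algorithm and expiry are acceptable. The following added example (not CyberArk's code) locates the file through ServerCertificateFile in DBParm.ini exactly as the procedure does and reads it directly, which stands in for the copy-and-double-click step; the Conf folder is the documented default and the expected names and IPs are constructed sample values.

```powershell
# Added example, not CyberArk's code: reads the certificate named by ServerCertificateFile in
# DBParm.ini and checks it against the names the Vault is reached by. Assumes the default
# Conf folder; the expected DNS names and IPs below are constructed sample values.

$DbParm = 'C:\Program Files (x86)\PrivateArk\Server\Conf\DBParm.ini'

function Test-VaultServerCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$CertPath,
        [string[]]$ExpectedDns = @(),
        [string[]]$ExpectedIp  = @(),
        [int]$MinKeyBits = 2048,
        [int]$WarnDays   = 30
    )
    # The constructor accepts both base-64 (PEM) and DER certificate files
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

    # Decode the Subject Alternative Name extension (OID 2.5.29.17). On Windows, Format($true)
    # returns one "DNS Name=..." or "IP Address=..." entry per line.
    $sanDns = @(); $sanIp = @()
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
    if ($sanExt) {
        foreach ($entry in ($sanExt.Format($true) -split "`r?`n")) {
            if     ($entry -match '^DNS Name=(.+)$')   { $sanDns += $Matches[1].Trim() }
            elseif ($entry -match '^IP Address=(.+)$') { $sanIp  += $Matches[1].Trim() }
        }
    }

    # RSA key size via the static extension method (PowerShell cannot call $cert.GetRSAPublicKey())
    $rsa      = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    $keyBits  = if ($rsa) { $rsa.KeySize } else { 0 }
    $sigAlg   = $cert.SignatureAlgorithm.FriendlyName
    $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)

    $findings = @()
    if ($cert.Subject -eq $cert.Issuer) { $findings += 'Certificate is self-signed; the organizational certificate is not in use' }
    if ($daysLeft -lt 0)                { $findings += "Certificate expired on $($cert.NotAfter)" }
    elseif ($daysLeft -lt $WarnDays)    { $findings += "Certificate expires in $daysLeft days" }
    if ($sigAlg -like 'sha1*')          { $findings += "Weak signature algorithm $sigAlg; request sha2-256 or sha2-512" }
    if ($keyBits -lt $MinKeyBits)       { $findings += "RSA key is $keyBits bits; expected at least $MinKeyBits" }
    foreach ($d in $ExpectedDns) { if ($sanDns -notcontains $d) { $findings += "SAN is missing DNS entry $d" } }
    foreach ($a in $ExpectedIp)  { if ($sanIp  -notcontains $a) { $findings += "SAN is missing IP entry $a" } }

    [pscustomobject]@{
        Subject  = $cert.Subject
        Issuer   = $cert.Issuer
        NotAfter = $cert.NotAfter
        DaysLeft = $daysLeft
        SigAlg   = $sigAlg
        KeyBits  = $keyBits
        SanDns   = $sanDns
        SanIp    = $sanIp
        Findings = $findings
        Ok       = ($findings.Count -eq 0)
    }
}

# Locate the installed certificate as the procedure does: the ServerCertificateFile parameter in DBParm.ini
$line = (Select-String -Path $DbParm -Pattern '^\s*ServerCertificateFile\s*=' | Select-Object -First 1).Line
if (-not $line) { throw "ServerCertificateFile not found in $DbParm" }
$certPath = ($line -split '=', 2)[1].Trim()

$result = Test-VaultServerCertificate -CertPath $certPath `
            -ExpectedDns @('vault01.example.internal') -ExpectedIp @('10.10.10.10', '10.10.10.20')
$result | Format-List
if (-not $result.Ok) { Write-Warning ("Problems found:`n - " + ($result.Findings -join "`n - ")) }
```

For a clustered Vault, pass both the private and the virtual IP address in -ExpectedIp, matching what was entered in the Subject Alternative Names field when the CSR was created; a missing entry there is the usual cause of client-side name mismatch errors after a certificate change.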

CACert usage

You can specify any combination of optional parameters, although each parameter can only be used once.

CACert has the following usage:

CACert <command> [command parameters] /?

The usage is explained below, grouped by command. "Mandatory" states whether the parameter is required for that command.

request
Prepares a Certificate Signing Request (CSR) file.

  • /reqoutfile - The name of the request output file. Mandatory: Yes
  • /reqoutprvfile - The name of the private key output file. Default value: the full pathname of the ServerPrivateKey parameter as specified in DBParm.ini. Mandatory: No
  • /keybitlen - The bit length of the output private key. Default value: 4096. Mandatory: No
  • /country - The name of the country to specify in the certificate. Use a 2-letter code. Mandatory: No
  • /state - The full name of the State or Province to specify in the certificate. Mandatory: No
  • /locality - The name of the locality or city to specify in the certificate. Mandatory: No
  • /org - The name of the organization/company to specify in the certificate. Mandatory: No
  • /orgunit - The name of the organizational unit to specify in the certificate, for example, the department or section. Mandatory: No
  • /commonname - The Common Name to specify in the certificate, for example, the DNS name of the Vault. Note: Either the /commonname parameter or the /subjalt parameter, or both, must be specified. Mandatory: Yes
  • /subjalt - The subject alternative names, for example, "DNS:www.cyberark.com, IP:1.1.1.250". Note: Either the /commonname parameter or the /subjalt parameter, or both, must be specified. Mandatory: No
  • /ShaRenew - Signature hash algorithm of the certificate signing request (CSR). Default value: sha2-256. Other accepted values: sha1, sha2-512. Mandatory: No

install
Installs the certificate to be used by the Vault.

  • /certfilename - The full pathname of the certificate file to install. Mandatory: Yes

uninstall
Uninstalls the current Vault certificate, and generates and installs a new self-signed certificate.

  • /quiet - Uninstalls the Vault certificate without prompting the user for confirmation. Mandatory: No

import
Imports and installs a certificate from a .pfx file.

  • /infile - The full path of the file that contains the key and certificate to import (.pfx). Mandatory: Yes

show
Shows information about the current Vault certificate.

  • /outformat - Specifies the output format: TEXT, PEM or DER (default = TEXT). Mandatory: No

renew
Renews the current Vault certificate.

  • /renoutfile - The name of the certificate renewal output file. Mandatory: Yes

setCA
Manages a CA certificate store.

  • /certstore - The certificate store to work with. If this parameter is omitted, the Vault's trusted client CA store is selected. Mandatory: No
  • /list - Lists the subjects of the certificates in the store. Mandatory: No
  • /add - The name of the certificate file to add to the store. Mandatory: No
  • /remove - The name of the certificate file to remove from the store. Mandatory: No

/?
Lists the available options.