Certificate Requirements

It is highly recommended that you use your organization's SSL certificate. Otherwise, you can use the self-signed certificate created during PTA installation.

If you use your organization's SSL certificate:

  • The SSL Certificate must be a Base-64 or DER encoded X.509 SSL certificate
  • The SSL Certificate must include both the Server authentication and Client authentication Enhanced Key Usage values
  • The SSL Certificate Chain must be a Base-64 or DER encoded X.509 SSL certificate
  • The SSL Certificate Issuer Chain must be a Base-64 or DER encoded X.509 SSL certificate
  • The Signature Algorithm of the SSL Certificate cannot be RSASSA-PSS
  • The hash algorithm must be SHA-256 or higher

    As an exception, you can upload certificates signed with SHA-1 signature algorithms to the PTA server.

    CyberArk recommends using only signature algorithms that are SHA-256 and higher, to ensure a more secure authentication channel. Customers who do not have this option in their organization can use the SHA-1 option.

    A new parameter, enable_insecure_certificate_signatures, was added to the systemparm.properties configuration file, with a default value of False. Set the parameter to True to enable uploading certificates signed with SHA-1 signature algorithms to the PTA server.
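The requirements above can be checked before upload. The following script is an added example, not CyberArk code: it assumes the openssl command-line tool (1.1.1 or later) is available, and the function names check_pta_cert and make_sample_cert are hypothetical. It reads the signature hash from the algorithm name openssl prints and treats sha256, sha384 and sha512 as "SHA-256 or higher".

```shell
#!/bin/sh
# Added example (not CyberArk code): pre-upload check of a certificate file
# against the requirements listed on this page, using the openssl CLI.

check_pta_cert() {   # $1 = certificate file; returns 0 only if every check passes
    rc=0
    # Encoding: must parse as Base-64 (PEM) or DER encoded X.509.
    text=$(openssl x509 -in "$1" -inform PEM -noout -text 2>/dev/null) ||
    text=$(openssl x509 -in "$1" -inform DER -noout -text 2>/dev/null) ||
        { echo "FAIL: not a Base-64 or DER encoded X.509 certificate"; return 1; }

    # Signature algorithm as openssl names it, e.g. sha256WithRSAEncryption.
    sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    case $(printf '%s' "$sig" | tr 'A-Z' 'a-z') in
        *pss*) echo "FAIL: signature algorithm is RSASSA-PSS ($sig)"; rc=1 ;;
        *sha256*|*sha384*|*sha512*) echo "ok:   signature algorithm $sig" ;;
        *sha1*) echo "FAIL: SHA-1 signature ($sig);" \
                     "needs enable_insecure_certificate_signatures=True"; rc=1 ;;
        *) echo "FAIL: unrecognised signature hash ($sig)"; rc=1 ;;
    esac

    # Enhanced Key Usage: both Server and Client authentication are required.
    eku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage' | tail -n 1)
    for usage in "TLS Web Server Authentication" "TLS Web Client Authentication"; do
        case $eku in
            *"$usage"*) echo "ok:   EKU has $usage" ;;
            *) echo "FAIL: EKU lacks $usage"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample input: throwaway self-signed certificate for trying the check.
# $1 = digest (sha256, sha1, ...), $2 = EKU list, $3 = output PEM path
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$3.key" -out "$3" \
        -subj "/CN=pta-sample.example" -days 1 "-$1" \
        -addext "extendedKeyUsage=$2" 2>/dev/null
}

# Check the file given on the command line, if any.
if [ "$#" -gt 0 ]; then check_pta_cert "$1"; fi
```

The script inspects a single certificate file; run it on the chain and issuer chain files as well to confirm their encoding.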

For more information about PTA certificates, see PTA Certificate Procedures.