Certificate Requirements
It is highly recommended that you use your organization's SSL certificate. Otherwise, you can use the self-signed certificate created during PTA installation.
If you use your organization's SSL certificate:
- The SSL Certificate requires a Base-64 or DER encoded X.509 SSL certificate
- The SSL Certificate requires both Server authentication and Client authentication Enhanced Key Usage values
- The SSL Certificate Chain requires a Base-64 or DER encoded X.509 SSL certificate
- The SSL Certificate Issuer Chain requires a Base-64 or DER encoded X.509 SSL certificate
- The Signature Algorithm of the SSL Certificate cannot be RSASSA-PSS
- The hash algorithm must be SHA-256 or higher
Certificates signed with SHA-1 signature algorithms can be uploaded to the PTA server.
CyberArk recommends using only signature algorithms that are SHA-256 or higher, to ensure a more secure authentication channel. Customers who do not have this option in their organization can use the SHA-1 option.
A new parameter, enable_insecure_certificate_signatures, was added to the systemparm.properties configuration file, with a default value of False. Set the parameter to True to enable uploading certificates signed with SHA-1 signature algorithms to the PTA server.
For more information about PTA certificates, see PTA Certificate Procedures.
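The following shell functions are an added example, not part of the PTA product or its documentation. They check OpenSSL's text dump of a certificate against the signature algorithm, hash and Enhanced Key Usage requirements above; the function names and the allow-sha1 argument are hypothetical, and the matching assumes the labels printed by openssl x509 -noout -text.

```shell
#!/bin/sh
# Added example (not a CyberArk tool): pre-upload check of an X.509 certificate
# against the requirements listed above. Function names are hypothetical.

# Reads `openssl x509 -noout -text` output on stdin. Prints one FAIL line per
# unmet requirement and returns non-zero if any requirement is unmet.
# Pass "allow-sha1" as $1 to model enable_insecure_certificate_signatures=True.
check_pta_cert_text() {
    text=$(cat)
    rc=0

    # First "Signature Algorithm:" line, lowercased for matching.
    sigalg=$(printf '%s\n' "$text" |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1 | tr 'A-Z' 'a-z')
    case "$sigalg" in
        *pss*) echo "FAIL: signature algorithm is RSASSA-PSS"; rc=1 ;;
        *sha256*|*sha384*|*sha512*) ;;
        *sha1*)
            if [ "$1" = "allow-sha1" ]; then
                echo "WARN: SHA-1 signature accepted only because allow-sha1 was given"
            else
                echo "FAIL: SHA-1 signature (hash must be SHA-256 or higher)"; rc=1
            fi ;;
        *) echo "FAIL: hash not recognised as SHA-256 or higher: ${sigalg:-none found}"; rc=1 ;;
    esac

    # OpenSSL prints the EKU values on the line after the extension name.
    eku=$(printf '%s\n' "$text" | sed -n '/X509v3 Extended Key Usage/{n;p;}')
    case "$eku" in
        *"TLS Web Server Authentication"*) ;;
        *) echo "FAIL: Server authentication EKU missing"; rc=1 ;;
    esac
    case "$eku" in
        *"TLS Web Client Authentication"*) ;;
        *) echo "FAIL: Client authentication EKU missing"; rc=1 ;;
    esac
    return "$rc"
}

# Convenience wrapper: decode FILE as Base-64 (PEM) first, then as DER.
check_pta_cert() {
    { openssl x509 -in "$1" -noout -text 2>/dev/null ||
      openssl x509 -in "$1" -inform DER -noout -text; } | check_pta_cert_text "$2"
}
```

Run check_pta_cert FILE against the server certificate before uploading it; a non-zero exit status means at least one listed requirement is not met.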