CACert

The CACert utility prepares and manages the certificate that the Vault will use to create a secure channel to a client, so that users can authenticate to the third party securely. After the CACert utility has run, a log file is created which contains details about the process that was carried out.

You can specify any combination of optional parameters, although each parameter can only be used once.

CACert has the following usage:

 
CACert <command> [command parameters] /?

The usage is explained in the following table:

| Parameter | Description | Mandatory |
|---|---|---|
| request | Prepares a Certificate Signing Request (CSR) file. | |
| /reqoutfile | The name of the request output file. | Yes |
| /reqoutprvfile | The name of the private key output file. Default value: The full pathname of the Server PrivateKey parameter as specified in DBParm.ini in the Privileged Access Security Reference Guide. | No |
| /keybitlen | The bit length of the output private key. Default value: 2048. | No |
| /country | The name of the country to specify in the certificate. Use a 2-letter code. | No |
| /state | The full name of the State or Province to specify in the certificate. | No |
| /locality | The name of the locality or city to specify in the certificate. | No |
| /org | The name of the organization/company to specify in the certificate. | No |
| /orgunit | The organizational unit name to specify in the certificate. For example, the department or section. | No |
| /commonname | The Common Name to specify in the certificate. For example, the DNS name of the Vault. Note: Either the ‘/commonname’ parameter or the ‘/subjalt’ parameter, or both, must be specified. | Yes |
| /subjalt | The subject alternative names. For example, “DNS:www.cyberark.com, IP:1.1.1.250”. Note: Either the ‘/commonname’ parameter or the ‘/subjalt’ parameter, or both, must be specified. | No |
| install | Installs the certificate to be used by the Vault. | |
| /certfilename | The full pathname of the certificate file to install. | Yes |
| uninstall | Uninstalls the current Vault certificate, and generates and installs a new self-signed certificate. | |
| /quiet | Uninstalls the Vault certificate without prompting the user for confirmation. | No |
| import | Imports and installs a certificate from a “.pfx” file. | |
| /infile | The full path of the file that contains the key and certificate to import (.pfx). | Yes |
| show | Shows information about the current Vault certificate. | |
| /outformat | Specifies the output format: TEXT, PEM or DER (default = TEXT). | No |
| renew | Renews the current Vault certificate. | |
| /renoutfile | The name of the certificate renewal output file. | Yes |
| setCA | Handles the CA certificates store. | |
| /certstore | The certificate store to work with. If this parameter is omitted, the Vault trusted client CA's store is selected. | No |
| /list | Lists the subjects of the certificates in a store. | No |
| /add | The name of the certificate file to add to the store. | No |
| /remove | The name of the certificate file to remove from the store. | No |
| /? | Lists the available options. | |
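The rules in the table (mandatory parameters, each parameter used once, /commonname or /subjalt for a request) can be checked before a script calls the utility. The following is an added example, not CyberArk code: the function name `check_cacert_args` is hypothetical, it assumes each value-taking parameter is followed by its value as the next argument and that names match case-insensitively, and flagging a /keybitlen below the documented default of 2048 is a policy choice of the example.

```python
# Added example, not vendor code. Assumption: a value-taking parameter is
# followed by its value as the next argument; names match case-insensitively.
SPEC = {  # command -> {parameter: mandatory}, copied from the table on this page
    "request": {"/reqoutfile": True, "/reqoutprvfile": False, "/keybitlen": False,
                "/country": False, "/state": False, "/locality": False,
                "/org": False, "/orgunit": False,
                "/commonname": False, "/subjalt": False},  # either/or, checked below
    "install": {"/certfilename": True},
    "uninstall": {"/quiet": False},
    "import": {"/infile": True},
    "show": {"/outformat": False},
    "renew": {"/renoutfile": True},
    "setca": {"/certstore": False, "/list": False, "/add": False, "/remove": False},
}
SWITCHES = {"/quiet", "/list"}  # assumed to take no value


def check_cacert_args(argv):
    """Return a list of problems for [command, param, value, ...]; empty if none."""
    if not argv or argv[0].lower() not in SPEC:
        return ["unknown or missing command"]
    allowed, seen, problems = SPEC[argv[0].lower()], {}, []
    args = iter(argv[1:])
    for tok in args:
        name = tok.lower()
        if name not in allowed:
            problems.append(f"{tok}: not a parameter of {argv[0]}")
            continue
        if name in seen:  # the page allows each parameter only once
            problems.append(f"{name}: used more than once")
        seen[name] = None if name in SWITCHES else next(args, None)
        if name not in SWITCHES and seen[name] is None:
            problems.append(f"{name}: missing value")
    problems += [f"{p}: mandatory parameter missing"
                 for p, must in allowed.items() if must and p not in seen]
    if argv[0].lower() == "request" and not {"/commonname", "/subjalt"} & seen.keys():
        problems.append("request: specify /commonname, /subjalt, or both")
    country = seen.get("/country")
    if country is not None and not (len(country) == 2 and country.isalpha()):
        problems.append("/country: use a 2-letter code")
    bits = seen.get("/keybitlen")
    if bits is not None and (not bits.isdigit() or int(bits) < 2048):
        problems.append("/keybitlen: not a number, or below the 2048 default")
    fmt = seen.get("/outformat")
    if fmt is not None and fmt.upper() not in {"TEXT", "PEM", "DER"}:
        problems.append("/outformat: expected TEXT, PEM or DER")
    return problems
```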

 

 