CACert
The CACert utility creates and manages the server certificate that the Vault presents to clients when it establishes a secure channel, so that users can authenticate to the Vault over that channel securely. After the CACert utility has run, it writes a log file containing details about the operation that was carried out.
See Certificate requirements for the detailed requirements that the certificate must meet.
The following procedures must be executed on each Vault Server, according to its configuration (in a Cluster or Distributed Vaults deployment, repeat them on every node).
The configuration described below shows the recommended settings for most use cases. See the CACert options table below for all the CACert options.
This procedure creates a private key on the Vault Server and a Certificate Signing Request (CSR) to be signed by your organization's Certificate Authority (CA).
- Navigate to the Vault Server installation folder (by default: c:\Program Files (x86)\PrivateArk\Server).
- Open CMD as administrator.
- Run the following command to create a new Certificate Signing Request (CSR):
  CACert.exe request
  Supply the following values:
  - Name of the request output file - The file name of the CSR for the Vault Server.
  - Private key output file - The file name of the private key for the Vault Server. Enter a path that is different from the default path. The path cannot contain any quote symbols (").
  - Common Name - The Vault Server common name.
  - Subject Alternative Names - List of Subject Alternative Names, including the hostname and IP addresses. If the Vault is in a Cluster architecture, enter both the private and the virtual IP address. You can enter multiple alternative DNS and/or IP values. The format is <field name>:<alternative_name>,<field name>:<alternative_name>. For example: DNS:hostname,IP:10.10.10.10,IP:11.11.11.11
- Provide the CSR to your organization's Certificate Authority (CA).
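The CSR procedure above, scripted end to end as an added example (this is not CyberArk's own script). It runs CACert.exe request with the switches documented in the options table, then decodes the resulting CSR with the built-in certutil to confirm the Common Name and every SAN (hostname plus the private and virtual IPs of a cluster node) made it into the request, and restricts the private key file to SYSTEM and Administrators. Assumptions: CACert.exe accepts its switches as "/switch value" pairs (confirm with CACert.exe /?), and the host name, IP addresses and output folder are placeholders:

```powershell
# Added example, not part of the CyberArk documentation. Assumes "/switch value" argument style.
$ErrorActionPreference = 'Stop'
$serverDir = 'C:\Program Files (x86)\PrivateArk\Server'   # default Vault Server install folder
$workDir   = 'C:\VaultCert'                                # deliberately NOT the default key path
$cn        = 'vault01.example.com'                         # placeholder Common Name
# Placeholder SANs: hostname, node (private) IP and cluster virtual IP.
$sans      = @('DNS:vault01.example.com', 'IP:10.10.10.10', 'IP:11.11.11.11')

New-Item -ItemType Directory -Path $workDir -Force | Out-Null
$csrPath = Join-Path $workDir 'vault.csr'
$keyPath = Join-Path $workDir 'vault.key'

# The documented restriction: output paths must not contain a quote symbol.
if ($keyPath -match '"' -or $csrPath -match '"') {
    throw 'Output paths must not contain quote characters.'
}

Push-Location $serverDir
try {
    & .\CACert.exe request /reqoutfile $csrPath /reqoutprvfile $keyPath /keybitlen 2048 `
        /commonname $cn /subjalt ($sans -join ',') /ShaRenew sha2-256
    if ($LASTEXITCODE -ne 0) { throw "CACert request failed with exit code $LASTEXITCODE" }
} finally {
    Pop-Location
}

# Decode the CSR (certutil handles PEM or DER) and check the subject and each SAN value.
$dump = certutil -dump $csrPath | Out-String
if ($dump -notmatch [regex]::Escape("CN=$cn")) { throw "CSR does not carry CN=$cn" }
foreach ($san in $sans) {
    $value = ($san -split ':', 2)[1]          # strip the DNS:/IP: prefix, keep the value
    if ($dump -notmatch [regex]::Escape($value)) { throw "CSR is missing SAN $value" }
}

# The key is the Vault's identity: drop inherited ACLs and allow only SYSTEM and Administrators.
icacls $keyPath /inheritance:r /grant:r 'SYSTEM:F' 'BUILTIN\Administrators:F' | Out-Null
Write-Host "CSR ready to submit to the CA: $csrPath"
```

Run it from an elevated PowerShell on each Vault node; the check loop fails fast if the CA would otherwise receive a request missing the virtual IP, which is the usual cause of certificate warnings after a cluster failover.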
This procedure installs your signed organizational SSL certificate on the Vault application.
The signed certificate and the chain certificate must be in base-64 (PEM) format, not binary DER.
- Transfer the Vault certificate to the Vault Server.
- If you use Session Management in Distributed Vaults, also transfer the Certificate Chain to the Vault Server.
- Back up the current server private key. The path to the key is given by the ServerPrivateKey parameter in DBParm.ini.
- Replace the existing server private key file with the new private key created in the CSR procedure above.
- Navigate to the Vault Server installation folder (by default: c:\Program Files (x86)\PrivateArk\Server).
- Open CMD as administrator.
- Run the following command, specifying the path to the Vault Server certificate (the /certfilename parameter):
  CACert.exe install
- Restart the Vault Application.
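The install procedure above as an added example script (not CyberArk's own code). Before it touches the Vault it checks that the CA-signed certificate is base-64 encoded, that its subject and SAN extension are what was requested and that it is not about to expire; it then backs up the key named by ServerPrivateKey in DBParm.ini, swaps in the new key, runs CACert.exe install and confirms with CACert.exe show that the Vault reports the expected certificate. Assumptions: DBParm.ini stores the key path as a ServerPrivateKey=<path> line, CACert.exe takes "/certfilename <path>", the Vault Windows service is named PrivateArk Server, and file names are placeholders:

```powershell
# Added example, not part of the CyberArk documentation.
$ErrorActionPreference = 'Stop'
$serverDir = 'C:\Program Files (x86)\PrivateArk\Server'
$newCert   = 'C:\VaultCert\vault.cer'     # signed certificate returned by the CA (placeholder)
$newKey    = 'C:\VaultCert\vault.key'     # private key created by "CACert.exe request" (placeholder)
$expectCN  = 'vault01.example.com'        # placeholder Common Name used in the CSR

# 1. The certificate must be base-64 (PEM); a DER file will not be accepted.
if ((Get-Content $newCert -Raw) -notmatch '-----BEGIN CERTIFICATE-----') {
    throw "$newCert is not base-64 encoded; convert it first with: certutil -encode <der-file> <pem-file>"
}

# 2. Parse it and confirm subject, validity and SAN extension before changing anything on the Vault.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $newCert
if ($cert.Subject -notmatch [regex]::Escape("CN=$expectCN")) { throw "Unexpected subject: $($cert.Subject)" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { throw "Certificate expires too soon: $($cert.NotAfter)" }
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # id-ce-subjectAltName
if (-not $sanExt) { throw 'Certificate has no Subject Alternative Name extension' }
Write-Host "SAN: $($sanExt.Format($false))"

# 3. Find the current private key via DBParm.ini (assumed "ServerPrivateKey=<path>") and back it up.
$dbparm = Join-Path $serverDir 'DBParm.ini'
$match  = Select-String -Path $dbparm -Pattern '^\s*ServerPrivateKey\s*=\s*(.+?)\s*$'
if (-not $match) { throw "ServerPrivateKey not found in $dbparm" }
$oldKey = $match.Matches[0].Groups[1].Value
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
Copy-Item $oldKey "$oldKey.$stamp.bak"
Copy-Item $newKey $oldKey -Force          # the key that pairs with the CSR the CA signed

# 4. Install the certificate and verify what the Vault now reports.
Push-Location $serverDir
try {
    & .\CACert.exe install /certfilename $newCert
    if ($LASTEXITCODE -ne 0) { throw "CACert install failed with exit code $LASTEXITCODE" }
    $shown = & .\CACert.exe show /outformat TEXT | Out-String
    if ($shown -notmatch [regex]::Escape($expectCN)) { throw 'Installed certificate does not match the expected CN' }
} finally {
    Pop-Location
}

# 5. Restart the Vault so the new certificate is served (service name is an assumption).
Restart-Service -Name 'PrivateArk Server'
Write-Host "Installed $($cert.Thumbprint), valid until $($cert.NotAfter)"
```

Keep the timestamped key backup until clients have reconnected successfully; if the install has to be rolled back, restore that file and re-run CACert.exe install with the previous certificate (or CACert.exe uninstall to fall back to a self-signed one).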
You can specify any combination of optional parameters, although each parameter can only be used once.
CACert has the following usage, explained in the table below:
| Parameter | Description | Mandatory |
|---|---|---|
| request | Prepares a Certificate Signing Request (CSR) file. | |
| /reqoutfile | The name of the request output file. | Yes |
| /reqoutprvfile | The name of the private key output file. | No |
| /keybitlen | The bit length of the output private key. | No |
| /country | The name of the country to specify in the certificate. Use a 2-letter code. | No |
| /state | The full name of the State or Province to specify in the certificate. | No |
| /locality | The name of the locality or city to specify in the certificate. | No |
| /org | The name of the organization/company to specify in the certificate. | No |
| /orgunit | The name of the organizational unit to specify in the certificate. For example, the department or section. | No |
| /commonname | The Common Name to specify in the certificate. For example, the DNS name of the Vault. | Yes |
| /subjalt | The subject alternative names. For example, "DNS:www.cyberark.com, IP:1.1.1.250". | No |
| /ShaRenew | Signature hash algorithm of the certificate signing request (CSR). Default value: sha2-256. Other accepted values: sha1, sha2-512. sha1 is deprecated and public CAs no longer sign SHA-1 requests, so use it only where a legacy CA requires it. | No |
| install | Installs the certificate to be used by the Vault. | |
| /certfilename | The full pathname of the certificate file to install. | Yes |
| uninstall | Uninstalls the current Vault certificate, and generates and installs a new self-signed certificate. | |
| /quiet | Uninstalls the Vault certificate without prompting the user for confirmation. | No |
| import | Imports and installs a certificate from a .pfx file. | |
| /infile | The full path of the file that contains the key and certificate to import (.pfx). | Yes |
| show | Shows information about the current Vault certificate. | |
| /outformat | Specifies the output format: TEXT, PEM or DER (default: TEXT). | No |
| renew | Renews the current Vault certificate. | |
| /renoutfile | The name of the certificate renewal output file. | Yes |
| setCA | Manages the CA certificate store. | |
| /certstore | The certificate store to work with. If this parameter is omitted, the Vault's trusted client CA store is selected. | No |
| /list | Lists the subjects of the certificates in the store. | No |
| /add | The name of the certificate file to add to the store. | No |
| /remove | The name of the certificate file to remove from the store. | No |
| /? | Lists the available options. | |