CACert

The CACert utility prepares and manages the certificate that the Vault will use to create a secure channel to a client, so that users can authenticate to the third party securely. After the CACert utility has run, a log file is created which contains details about the process that was carried out.

 
  • Distributed Vault for session management only supports root certificates, and doesn't support using intermediate certificates.
  • The following procedures can be run without stopping the Vault. However, you must restart the Vault application to use the new Certificate.

See Certificate requirements for detailed requirements.

The following procedures must be executed on each Vault Server, according to its configuration.

 

The configuration described below shows the recommended settings for most use cases. See below for all the CACert options.

This procedure creates a private key on the Vault server and a Certificate Signing Request (CSR) to be signed by your organization's SSL.

  1. Navigate to the Vault Server installation folder (by default: c:\Program Files (x86)\PrivateArk\Server).
  2. Open CMD as administrator.

  3. Run the following command to create a new Certificate Signing Request (CSR):

      
    CACert.exe request
    • Name of the request output file - The file name of the request for the Vault Server.

    • Private key output file - The file name of the private key for the Vault Server.

       

      Enter a path that is different from the default path.
    • Common Name - The Vault Server common name.

    • Subject Alternative Names - List of Subject Alternative Names including the hostname and IP addresses. If the Vault is in a Cluster architecture, enter both the private and virtual IP address.

       

      You can enter multiple alternative DNS and/or IP values in the Subject Alternative Names field. The format is <field name>:<alternative_name>,<field name>:<alternative_name>. For example, dns:hostname,ip:10.10.10.10,ip:11.11.11.11

  4. Provide the CSR to your organization's Certificate Authority (CA).

This procedure installs your signed organizational SSL certificate on the Vault application.

 

The signed certificate and the chain certificate must be in base-64 format.
  1. Transfer the Vault certificate to the Vault Server.
  2. If you use Session Management in Distributed Vaults, transfer the Certificate Chain to the Vault Server.
  3. Back up the current server private key. The path to the key can be found in the ServerPrivateKey parameter in DBParm.ini.
  4. Replace the existing server private key file with the new private key created above.
  5. Navigate to the Vault Server installation folder (by default, c:\Program Files (x86)\PrivateArk\Server).
  6. Open CMD as administrator.
  7. Run the following command:
     
    CACert.exe install

    Specify the path to the Vault Server certificate.

  8. Restart the Vault Application.

You can specify any combination of optional parameters, although each parameter can only be used once.

CACert has the following usage:

  
CACert <command> [command parameters] /?

The usage is explained in the following table:

Parameter

Description

Mandatory

request

Prepares a Certificate Signing Request (CSR) file.

 

/reqoutfile

The name of the request output file.

Yes

/reqoutprvfile

The name of the private key output file.
Default value: The full pathname of the Server PrivateKey
parameter as specified in DBParm.ini in the Privileged Access Security Reference Guide.

No

/keybitlen

The bit length of the output private key.
Default value: 2048.

No

/country

The name of the country to specify in the certificate. Use a 2-letter code.

No

/state

The full name of the State or Province to specify in the certificate.

No

/locality

The name of the locality or city to specify in the certificate.

No

/org

The name of the organization/company to specify in the certificate.

No

/orgunit

The name of the organizational unit name to specify in the certificate. For example, the department or section.

No

/commonname

The Common Name to specify in the certificate. For example, the DNS name of the Vault.
Note: Either the ‘/commonname’ parameter or the ‘/subjalt’ parameter, or both, must be specified.

Yes

/subjalt

The subject alternative names. For example, “DNS:www.cyberark.com, IP:1.1.1.250”.
Note: Either the ‘/commonname’ parameter or the ‘/subjalt’ parameter, or both, must be specified.

No

/ShaRenew

Signature hash algorithm of the certificate signing request (CSR).

Default value: sha2-256

Other accepted values: sha1, sha2-512

No

install

Installs the certificate to be used by the Vault.

 

/certfilename

The full pathname of the certificate file to install.

Yes

uninstall

Uninstalls the current Vault certificate, and generates and installs a new self-signed certificate.

 

/quiet

Uninstalls the Vault certificate without prompting the user for confirmation.

No

import

Imports and installs a certificate from a “.pfx” file.

 

/infile

The full path of the file that contains the key and certificate  to import (.pfx).

Yes

show

Shows information about the current Vault certificate.

 

/outformat

Specifies the output format: TEXT, PEM OR DER (default = TEXT).

No

renew

Renews the current Vault certificate.

 

/renoutfile

The name of the certificate renewal output file.

Yes

setCA

Handles CA certificates store.

 

/certstore

The certificate store to work with. If this parameter is omitted, the Vault trusted client CA's store is selected.

No

/list

Lists the subjects of the certificates in a store.

No

/add

The name of the certificate file to add to the store.

No

/remove

The name of the certificate file to remove from the store.

No

/?

Lists the available options.