Generate certificates for the PSM servers

This topic describes how to generate a certificate on the PSM server to secure the Remote Desktop Services network access.

Considerations

  • All steps described in this topic are performed on the PSM server.

  • You are responsible for tracking the expiration date of your certificate. If your certificate is about to expire, or has expired, contact CyberArk Support and open a support ticket.

  • The steps for generating a certificate differ depending on whether you have a single PSM server or multiple PSM servers in your system. Take note when selecting the work procedure in Step 1 below.

Before you begin

  • If you have multiple PSM servers in your system, create a dedicated certificate template. You can create a new certificate template, or duplicate the existing Computer template, and set Subject name to be supplied per request.

Step 1: Generate a certificate request from the PSM

Select one of the following work procedures, depending on the number of PSM servers in your system.

To generate a certificate request for a single PSM server:
  1. On the PSM server, open the Microsoft Management Console (MMC).
  2. Click File > Add/Remove Snap-in.
  3. On the Add or Remove Snap-in page, in the left pane, under Available snap-ins, select Certificates and then click Add.
  4. On the Certificate Snap-in page, select Computer account, and then click Finish.
  5. On the Add or Remove Snap-in page, click OK.
  6. Under Console Root > Certificates > Personal, right-click Certificates, then select All Tasks > Request New Certificate.

  7. On the Certificate enrollment page, select the Active Directory Enrollment Policy.
  8. On the Certificate Enrollment page, select the Computer check box, expand Details, and click Properties.
  9. On the Certificate Properties page, select the Private Key tab, and do the following:

    • Select Make private key exportable.
    • Select Strong private key protection.
    • Set Key size to 4096.

    We highly recommend using a key size larger than 4096 bits. Use a lower key size only if required for compatibility.

  10. On the Extensions tab, under Extended Key Usage (application policies), make sure that only Server Authentication is listed in the Selected options list.
  11. On the Certificate Authority tab, select the CA to sign the certificate.
  12. Click OK to confirm the changes to the certificate properties, and then click Enroll.

To generate a certificate request for multiple PSM servers:
  1. Ensure you have a dedicated certificate template set to enable Subject name to be supplied per request, as described in Before you begin.
  2. On the PSM server, open the Microsoft Management Console (MMC).
  3. Click File > Add/Remove Snap-in.
  4. On the Add or Remove Snap-in page, in the left pane, under Available snap-ins, select Certificates and then click Add.
  5. On the Certificate Snap-in page, select Computer account, and then click Finish.
  6. On the Add or Remove Snap-in page, click OK.
  7. Under Console Root > Certificates > Personal, right-click Certificates, then select All Tasks > Request New Certificate.

  8. On the Certificate enrollment page, select the Active Directory Enrollment Policy.
  9. On the Certificate Enrollment page, select the check box of the certificate you created, expand Details, and click Properties.
  10. On the Certificate Properties page, select the Private Key tab, and do the following:

    • Select Make private key exportable.
    • Select Strong private key protection.
    • Set Key size to 4096.

    We highly recommend using a key size larger than 4096 bits. Use a lower key size only if required for compatibility.

  11. On the Extensions tab, under Extended Key Usage (application policies), make sure that only Server Authentication is listed in the Selected options list.
  12. On the Certificate Authority tab, select the CA to sign the certificate.
  13. On the Subject tab, enter the PSM server and load balancer details:

    In the Subject name enter the PSM FQDN, and in the Subject Alternative Name (SAN) field, enter the load balancer FQDN.

  14. Click OK to confirm the changes to the certificate properties, and then click Enroll.

Step 2: Enroll the certificate

  1. On the Enroll for: computer wizard, click Set Security Level.

  2. On the Set Security Level page, select High, and click Next.
  3. On the Create a Password page, create and confirm the private key password, and then click Finish.

  4. Click OK to complete the process, and then, on the Certificate Enrollment page, click Finish.
  5. To verify that you set up the certificate properly, check the certificate settings:

    • Verify that Issued to has the PSM name.

    • Verify that Issued by has the Certificate Authority name.
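The following PowerShell script is an added example and is not part of the CyberArk documentation. It performs the two Step 2 checks (Issued to, Issued by) from the computer Personal store and also confirms the properties requested in Step 1: a private key is present, the key size is 4096 bits, the Extended Key Usage is exactly Server Authentication, and, for multi-PSM deployments, the SAN carries the load balancer FQDN. The FQDNs are placeholders you replace with your own.

```powershell
# Added example, not from the CyberArk documentation. Run on the PSM server in an
# elevated PowerShell session. The FQDNs below are placeholders.
$PsmFqdn       = 'psm01.example.local'     # placeholder: PSM server FQDN
$LbFqdn        = 'psm.example.local'       # placeholder: load balancer FQDN; set to '' for a single PSM
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'       # Extended Key Usage: Server Authentication

# Newest certificate in the computer Personal store issued to the PSM FQDN
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$PsmFqdn*" } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate for $PsmFqdn found in Cert:\LocalMachine\My" }

$problems = @()

# Issued to / Issued by (the two checks in Step 2)
"Issued to  : $($cert.Subject)"
"Issued by  : $($cert.Issuer)"
if ($cert.Subject -eq $cert.Issuer) { $problems += 'Certificate is self-signed, not issued by the CA' }

# The enrolled certificate must have its private key in the store
if (-not $cert.HasPrivateKey) { $problems += 'No private key is associated with the certificate' }

# Key size: the procedure sets 4096
$pub     = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
$keySize = if ($pub) { $pub.KeySize } else { 0 }   # 0 means the key is not RSA
"Key size   : $keySize bits"
if ($keySize -lt 4096) { $problems += "Key size is $keySize, expected 4096" }

# Extended Key Usage: only Server Authentication may be listed
$ekuExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$ekuOids = @()
if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
"EKU        : $($ekuOids -join ', ')"
if ($ekuOids.Count -ne 1 -or $ekuOids[0] -ne $ServerAuthOid) {
    $problems += 'Extended Key Usage is not exactly Server Authentication'
}

# Subject Alternative Name: load balancer FQDN for multi-PSM deployments
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$san    = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }
"SAN        : $san"
if ($LbFqdn -and $san -notlike "*$LbFqdn*") { $problems += "SAN does not contain $LbFqdn" }

# Validity window, so the expiry date can be recorded for tracking
$days = [int]($cert.NotAfter - (Get-Date)).TotalDays
"Expires    : $($cert.NotAfter.ToString('u')) ($days days from now)"

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { 'All checks passed' }
```

Run it after Enroll completes; any warning means the certificate properties were not set as described in Step 1 and the request should be repeated rather than carried into Step 3.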

Step 3: Export the certificate including the private key

The exported certificate and private key are for use on the PSM Server.

This work procedure exports the certificate with its private key, deletes it from the certificate store, and reimports it. This is done for security purposes: the reimported copy is stored with a non-exportable private key, so the private key can no longer be exported from the server.

To export and reimport the certificate:
  1. On the PSM server, open the Microsoft Management Console (MMC).

  2. Click File > Add/Remove Snap-in.

  3. Under Console Root > Certificates > Personal, right-click the PSM certificate, and select All Tasks > Export.

  4. On the Certificate Export Wizard, on the Export Private Key page, select Yes, export the private key, and then click Next.

  5. On the Export File Format page, do the following, and then click Next:

    • Select Personal Information Exchange - PKCS #12 (.PFX)

    • Select Include all Certificates in the certification path if possible

    • Clear Enable certificate privacy

  6. On the Security page, do the following, and then click Next:

    1. Select Groups or user names.
    2. Add the privileged domain account on the PSM server.
    3. If the private key is password-protected, select Password, enter the password, and confirm it. This is the same password you created in Step 2: Enroll the certificate.

  7. Save the file as a PFX, and then click Finish. When prompted, enter the private key password again.

  8. Delete the certificate that you have just exported from the certificate store. Right-click on the certificate in the store, and then click Delete.

  9. On the PSM server, open the Microsoft Management Console (MMC) and import the PFX file you generated in this section:

    1. Click File > Add/Remove Snap-in.

    2. Under Console Root > Certificates > Personal, right-click the PSM certificate, select All Tasks > Import.

    3. Browse to the exported certificate, set the search file extension to All or .PFX and select the exported certificate.

    4. Enter the password you defined in the steps above.

    5. Click Next until the process is completed.
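The same export, delete and reimport cycle as a PowerShell script, added here as an example that is not part of the CyberArk documentation. The thumbprint and file path are placeholders. It uses the PKI module cmdlets Export-PfxCertificate and Import-PfxCertificate, removes the old key container together with the certificate, and finishes by checking that the reimported private key really is non-exportable, which is the point of the procedure.

```powershell
# Added example, not from the CyberArk documentation. Run on the PSM server in an
# elevated PowerShell session. The thumbprint and PFX path are placeholders.
$Thumbprint  = 'PLACEHOLDER_THUMBPRINT'    # placeholder: Details tab of the PSM certificate
$PfxPath     = 'C:\Temp\psm-cert.pfx'       # placeholder
$PfxPassword = Read-Host -AsSecureString -Prompt 'Password for the PFX file'

$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
if (-not $cert.HasPrivateKey) { throw 'The certificate has no private key; nothing to export' }

# 1. Export as PKCS #12 (.PFX) with the private key and the full chain
#    (wizard options: export the private key, include all certificates in the path).
#    -Password corresponds to the wizard's Password option; -ProtectTo 'DOMAIN\account'
#    would correspond to "Groups or user names".
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $PfxPassword `
    -ChainOption BuildChain | Out-Null

# 2. Delete the certificate AND its key container (-DeleteKey), so the only copy of
#    the key left on the server afterwards is the one reimported in step 3.
Remove-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -DeleteKey

# 3. Reimport. Without -Exportable the private key is stored non-exportable.
$imported = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My `
    -Password $PfxPassword

# 4. Confirm the reimported key cannot be exported (CNG and legacy CSP keys report this differently)
$key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($imported)
$exportable = if ($key -is [System.Security.Cryptography.RSACng]) {
    $key.Key.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None
} elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $key.CspKeyContainerInfo.Exportable
} else { $null }   # non-RSA key: not checked here

"Reimported : $($imported.Subject) ($($imported.Thumbprint))"
"Exportable : $exportable"
if ($exportable) { Write-Warning 'The private key is still exportable; repeat the import without the exportable option' }

# The PFX file now holds the only exportable copy of the key: store it in a protected
# location, or delete it from this disk once it is no longer needed.
```

The final check is the one worth keeping: after the MMC procedure you can run only step 4 of the script against the reimported certificate to confirm that Exportable is False.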

Step 4: Renew an expired certificate

You are responsible for tracking the expiration date of your certificate.

Submit a new PSM certificate to CyberArk support for any of the following cases:

  • If the PSM is using a self-signed certificate and the self-signed certificate has been renewed or changed, then submit the updated PSM personal certificate to CyberArk support.

  • If the intermediate CA is changed or renewed, submit the new intermediate CA certificate to CyberArk support.

  • If the root CA is changed or renewed, submit the new root CA certificate to CyberArk support.

If there are no changes to the intermediate or root CA and the PSM is using a signed certificate, you can update the PSM personal certificate without submitting a certificate to CyberArk support.

To renew a certificate:
  1. Generate a new certificate. For more information, see Generate certificates for the PSM servers.

  2. Open a support ticket with CyberArk.

  3. Indicate if it is a service request to upload a new certificate set, or to renew your certificate.

  4. Attach the certificate in the ticket.

Step 5: Export the root CA and send to CyberArk Support

Export the root CA and provide it to CyberArk Support for further handling.

To export the root CA:

  1. On the PSM server, open the Microsoft Management Console (MMC).

  2. Click File > Add/Remove Snap-in.
  3. Under Console Root, select the Trusted Root Certification Authorities > Certificates folder.

    If you have intermediate CA certificates, perform this procedure for them as well. You can find them under the Intermediate Certification Authorities certificate folder.

  4. Right-click the relevant root CA certificate, and select All Tasks > Export.
  5. In the Certificate Export Wizard, on the Export File Format page, select Base-64 encoded X.509 (.CER), and then click Next.

    The root CA must be exported in .CER format.

  6. Click Finish to complete the export.

  7. Send the exported root CA to CyberArk Support.
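The following PowerShell script is an added example and is not part of the CyberArk documentation. It serves both Step 4 and Step 5: it builds the certificate chain from the PSM certificate, reports the expiry date of the PSM, intermediate CA and root CA certificates (the three cases listed under Step 4), and writes each CA certificate, plus the PSM certificate itself when it is self-signed, as a Base-64 encoded X.509 .CER file. The thumbprint, output directory and the helper name Export-Base64Cer are assumptions of this example. The Base-64 encoding is written by hand because Export-Certificate -Type CERT produces DER, not the Base-64 form this step requires.

```powershell
# Added example, not from the CyberArk documentation. Run on the PSM server in an
# elevated PowerShell session. The thumbprint and output directory are placeholders.
$Thumbprint = 'PLACEHOLDER_THUMBPRINT'   # placeholder: Details tab of the PSM certificate
$OutDir     = 'C:\Temp\ca-export'         # placeholder
$WarnDays   = 60                          # warn when a certificate expires within this many days

$cert  = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Path building only; revocation is not the question here
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    Write-Warning "Chain did not validate: $status"
}
$elements   = @($chain.ChainElements | ForEach-Object { $_.Certificate })   # leaf first, root last
$selfSigned = ($cert.Subject -eq $cert.Issuer)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Hypothetical helper: write a certificate in the "Base-64 encoded X.509 (.CER)" form the
# MMC wizard produces: PEM armour around the base64 of the DER bytes, 64 characters per line.
function Export-Base64Cer {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate, [string]$Path)
    $b64   = [Convert]::ToBase64String($Certificate.RawData)
    $lines = for ($p = 0; $p -lt $b64.Length; $p += 64) { $b64.Substring($p, [Math]::Min(64, $b64.Length - $p)) }
    $pem   = @('-----BEGIN CERTIFICATE-----') + $lines + @('-----END CERTIFICATE-----')
    Set-Content -Path $Path -Value $pem -Encoding ascii
}

for ($i = 0; $i -lt $elements.Count; $i++) {
    $c    = $elements[$i]
    $role = 'Intermediate CA'
    if ($i -eq $elements.Count - 1) { $role = 'Root CA' }
    if ($i -eq 0) { $role = if ($selfSigned) { 'PSM (self-signed)' } else { 'PSM' } }

    # Step 4: expiry tracking for every element of the chain
    $days = [int]($c.NotAfter - (Get-Date)).TotalDays
    '{0,-18} {1}  expires {2:yyyy-MM-dd} ({3} days)' -f $role, $c.Subject, $c.NotAfter, $days
    if ($days -le $WarnDays) { Write-Warning "$role certificate '$($c.Subject)' expires in $days days" }

    # Step 5: export root and intermediate CAs; the PSM certificate itself only when it is
    # self-signed, which is the case where Step 4 asks for the personal certificate.
    if ($i -eq 0 -and -not $selfSigned) { continue }
    $file = Join-Path $OutDir ("$($role -replace '[^A-Za-z]', '')-$($c.Thumbprint).cer")
    Export-Base64Cer -Certificate $c -Path $file
    "  exported to $file"
}
```

The files written to the output directory are the ones to attach to the support ticket; the expiry table is what you keep for the tracking the topic makes you responsible for, so a scheduled run with a suitable $WarnDays gives advance notice before a renewal is due.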