While working in CyberArk PAS solution, there are many times the servers are required to get CA signed certificates to reduce certificate warning. Here are two typical cases for CyberArk deployment:
1. PSM RDS Services
2. PVWA IIS Server Those steps are more Windows System Administrator tasks, not specifically for CyberArk.
By default, PSM RDS is using a self signed certificate. When end user RDP connecting to PSM, following certificate warning will pop up. The end users will need install this self-signed certificate into their local certificate storage, the connect sessions can continue.
Note: Self-signed certificate is generated by RDS service. It will be placed in the remote desktop certificate store location. Even you deleted this self-signed certificate, it will be re-generated after a reboot.
YouTube Video:
Note: Chrome requires SSL Certificates to list the site name[s] in the subject alternative name [SAN] to be trusted. Usage of common name only is not seen as secure enough, and will result in a certificate validation error in Chrome.
Here is the steps to generate a CSR , send to CA to sign, import CA signed certificate to server , then assign it to RDS service.1 Generate CSR from MMC Certificate Snap-in
You can run MMC then add Certificate Snap-in. Go to personal -> certificate , right click your mouse at right panel space, choose All Tasks -> Advanced Operations -> Create Custom Request ...
You can either do following bulletins or just click three times next :
- Click next in Certificate Enrollment Wizard’s welcome window
- Select “Proceed without enrollment policy” under Custom Request & click next
- In Custom Request window Select [No template] Legacy key & PKCS #10 as request format
- And Click Next
Adding following properties, especially alternative name:
Make private key exportable
2 Submit your CSR file to CA to sign:
Go to your local MS CA page , request a new certificate - > submit an advanced certificate request
3 Install your signed CA certificate into PSM server Double click downloaded CA signed certificate from PSM server.
4 Export your imported certificate to PCKS format Right click your certificate and choose export...
5 Import it into RDS
Open Server manager - > Remote Desktop Services -> Overview - > Deployment Overview -> Tasks -> Edit Deployment Properties
By default installation, when end user connect to your ///PasswordVault will result in the certificate error, NET::ERR_CERT_COMMON_NAME_INVALID. This is to be expected due to the self-signed certificate created during the PVWA prerequisite script. One solution is by select browser page's notification , Advanced > Proceed to ///PasswordVault [unsafe]
Another better solution is to install CA signed certificate for your PVWA IIS service. Similar steps as RDS certificate process.
After you got signed CA signed certificate and imported into PVWA server local certificate personal location, launch IIS manager from Server manager -> IIS:
The following instructions will guide you through the SSL installation process on a Remote Desktop Gateway server. If you have more than one server or device, you will need to install the certificate on each server or device you need to secure. If you still have not generated your certificate and completed the validation process, reference our CSR Generation Instructions and disregard the steps below.
What You’ll Need
1. Your server certificate
This is the certificate you received from the CA for your domain. You may have been sent this via email. If not, you can download it by visiting your Account Dashboard and clicking on your order.
These files allow the devices connecting to your server to identify the issuing CA. There may be more than one of these certificates. If you got your certificate in a ZIP folder, it should also contain the Intermediate certificate[s], which is sometimes referred to as a CA Bundle. If not, download the appropriate CA Bundle for your certificate.
3. Your private key
This file should be on your server, or in your possession if you generated your CSR from a free generator tool. On certain platforms, such as Microsoft IIS, the private key is not immediately visible to you but the server is keeping track of it.
SSL/TLS Certificate Installation Instructions
3. In the Remote Desktop Gateway Manager console tree, right click RD Gate server and select Properties.
4. In the Properties box, click SSL Certificate, then select Import a certificate on the RD Gateway Certificates [local computer]/personal store
5. Click Browse and Import Certificate, choose the certificate and click Open
6. Enter the Private Key Password
7. Select Important Certificate, click OK
Congratulations! You’ve successfully installed your SSL certificate! To check your work, visit the website in your browser at //yourdomain.tld and view the certificate/site information to see if HTTPS/SSL is working properly. Remember, you may need to restart your server for changes to take effect.
To check your server’s configurations more thoroughly, use our SSL Checker Tool or contact our Customer Experience Department for additional assistance.