Set Up BeyondInsight Certificates

Certificates are used for secure communication between agents and BeyondInsight. Two types of certificates are used:

  • SSL certificate: Required to encrypt communication
  • Client certificate: Required to authenticate a client

You can use BeyondInsight certificates or create custom certificates using the BeyondInsight Configuration Tool.

Work with BeyondInsight Certificates

The following certificates are used for communication between BeyondTrust software and BeyondInsight:

  • eEyeEmsCA: Certification authority (CA) certificate
  • EmsClientCert: Client authentication certificate
  • eEyeEmsServer: Server authentication certificate

The CA certificate is used to issue and validate the client and server certificates. It is located on both the agent and the server in Trusted Root Certification Authorities in the Local Machine Store.

When connecting to BeyondInsight Web Service (for example, when Privilege Management for Desktops connects to the Event Service), the EmsClientCert certificate is used to authenticate the client, and the SSL certificate is used to encrypt the data. This prevents anonymous connections to the services. Typically, a certification authority such as VeriSign validates anonymous clients.

With BeyondInsight, a self-signed certificate is created and distributed with the client certificate. BeyondInsight can then work in a variety of environments, especially where network connectivity is an issue. This avoids the need to register each system instance with an online CA.

Internally, each client certificate contains a public-private key pair. During the SSL handshake, the server requests the client certificate; the client validates the certificate before presenting it, and the server validates it again when it is received.

Only the "Generate Certificate MSI" option should be used for the endpoint clients. These endpoint clients must have the .NET Framework 4.7.2 installed as a prerequisite to running the MSI.

The "Generate Certificate Zip" option should only be used to transfer certificates between BeyondInsight servers.

eEyeEmsServer Certificate Information

Install the eEyeEmsServer certificate on the server in the Local Machine Store, under the Personal Store. To verify that the certificate is valid, double-click the certificate.


The EmsClientCert certificate is used for communication between the agent and server when sending and receiving events. The certificate must be exported from the server and then imported on the agent.

Screenshot of the BeyondInsight Configuration dialog.

  1. Open the BeyondInsight Configuration Tool.
  2. Click the Certificate Management link.


Certificate Management

  1. Select Export certificate.
  2. Select Client Certificate as the Certificate type.
  3. Enter a chosen Password. We recommend that you use the existing BeyondInsight Central Policy password.
  4. Click the ellipsis button (...) to browse to the location where you want to save the file.
    • Enter a File name and select Certificate files (*.pfx) as the Save as type. We recommend that you name the certificate eEyeEmsClient.pfx.
    • Click Save.
    • Verify the Path has been filled in correctly.
  5. Click OK.

Troubleshoot BeyondInsight Certificates

When troubleshooting certificate issues, check the following:

  • Is the eEyeEmsCA certificate expired?
  • Does the certificate store have more than one version of the eEyeEmsCA certificate?

Certificate Details: Key Usage Identifiers

  • Does the eEyeEmsCA certificate have the correct usage identifiers in place?
  • Does the EmsClientCert certificate have the correct usage identifiers in place? Does it have the private key present?


Certificate Details: Serial Number

  • Does the eEyeEmsCA exist on both the agent and the server? Make sure the certificate on the agent has the same serial number as the certificate on the BeyondInsight server. To view the serial number, double-click the certificate in the certificate manager.
  • Was the eEyeEmsCA certificate regenerated or removed? Regenerating or removing the eEyeEmsCA certificate invalidates any certificate that was generated using the old CA certificate. This breaks the communication between the agents and the server until the client and server certificates are regenerated on the server and the new client certificate is deployed on all agents connecting to BeyondInsight.
  • Did the Central Policy password change? If you change the Central Policy password using the BeyondInsight Configuration Tool, the password change is not automatically applied to EmsClientCert.pfx.
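The following script, added here as an example and not part of BeyondTrust's own tooling, walks the checklist above against the Local Machine store on an agent: it reports a missing, duplicated or expired eEyeEmsCA, compares its serial number with the value read from the server, and confirms that EmsClientCert is present with its private key. It assumes the certificate subjects are CN=eEyeEmsCA and CN=EmsClientCert; adjust the -Cn values if your subjects differ.

```powershell
# Added example: run on an agent (elevated) to check the BeyondInsight certificates.
# Assumption: subjects are CN=eEyeEmsCA (Trusted Root) and CN=EmsClientCert (Personal).
param(
    # Serial number of eEyeEmsCA as shown on the BeyondInsight server (optional, for the comparison check)
    [string]$ServerCaSerial
)

function Get-BiCert([string]$Store, [string]$Cn) {
    Get-ChildItem "Cert:\LocalMachine\$Store" | Where-Object { $_.Subject -like "*CN=$Cn*" }
}

$findings = New-Object System.Collections.Generic.List[string]

# 1. eEyeEmsCA: present exactly once, not expired, same serial number as on the server
$ca = @(Get-BiCert -Store 'Root' -Cn 'eEyeEmsCA')
if ($ca.Count -eq 0) {
    $findings.Add('eEyeEmsCA is missing from Trusted Root Certification Authorities')
} else {
    if ($ca.Count -gt 1) {
        $findings.Add("Store holds $($ca.Count) eEyeEmsCA certificates; remove the stale copies")
    }
    foreach ($c in $ca) {
        if ($c.NotAfter -lt (Get-Date)) {
            $findings.Add("eEyeEmsCA $($c.SerialNumber) expired on $($c.NotAfter)")
        }
        # .NET exposes the serial as upper-case hex without spaces; normalise the value copied from certmgr
        if ($ServerCaSerial -and $c.SerialNumber -ne $ServerCaSerial.Replace(' ', '').ToUpper()) {
            $findings.Add("eEyeEmsCA serial $($c.SerialNumber) differs from the server; the CA was probably regenerated")
        }
    }
}

# 2. EmsClientCert: present in the Personal store together with its private key
$client = @(Get-BiCert -Store 'My' -Cn 'EmsClientCert')
if ($client.Count -eq 0) {
    $findings.Add('EmsClientCert is missing from the Personal store')
} elseif (-not ($client | Where-Object HasPrivateKey)) {
    $findings.Add('EmsClientCert has no private key; import the .pfx (with its password), not a .cer')
}

if ($findings.Count -eq 0) { 'No certificate problems found.' } else { $findings }
```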

Use a Domain PKI for BeyondInsight Communication

If you choose to create a custom certificate, keep in mind the following considerations:

  • You can modify templates using the Certificate Templates Console (certtmpl.msc).
  • The default Computer template meets the requirements for BeyondInsight communication. However, to update any particular BeyondInsight configuration settings, you must copy the Computer template and make your changes in the copy.
  • To issue the new template, use the certsrv.msc snap-in.

For detailed procedures on creating a custom domain certificate, please see Microsoft's documentation.

Prerequisites

  • Domain member server with Active Directory Certificate Services installed and configured
  • Certificate Authority Web Enrollment role installed

Requirements

Certificates Intended Purposes

  • The certificates must be configured as Server Authentication and Client Authentication in the Intended Purposes section of the certificate.


Certificate Details: Subject Key

  • The Subject key must contain common text for all client certificates.
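The following function, added here as an example and not part of BeyondTrust's own tooling, checks a candidate domain PKI certificate against the two requirements above (both Server Authentication and Client Authentication in Intended Purposes, and the common text in the Subject); it also answers the "correct usage identifiers" question from the troubleshooting section when pointed at eEyeEmsCA or EmsClientCert. It assumes the certificate is in the Local Machine Personal store and is identified by its thumbprint; the thumbprint and common-text values in the usage call are placeholders.

```powershell
# Added example: verify a certificate meets the BeyondInsight Intended Purposes and Subject requirements.
function Test-BeyondInsightCertRequirements {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,   # certificate in Cert:\LocalMachine\My
        [Parameter(Mandatory)][string]$CommonText    # text that must appear in every client cert Subject
    )
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    $problems = @()

    # Extended Key Usage: both OIDs must be present for the certificate to serve agents and the web service
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $oids = if ($eku) { @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }
    $required = @{
        '1.3.6.1.5.5.7.3.1' = 'Server Authentication'
        '1.3.6.1.5.5.7.3.2' = 'Client Authentication'
    }
    foreach ($entry in $required.GetEnumerator()) {
        if ($oids -notcontains $entry.Key) {
            $problems += "Missing Intended Purpose: $($entry.Value) ($($entry.Key))"
        }
    }

    # Subject: the agent setting "Configure the BeyondInsight Certificate Name" is matched against this text
    if ($cert.Subject -notlike "*$CommonText*") {
        $problems += "Subject '$($cert.Subject)' does not contain '$CommonText'"
    }

    [pscustomobject]@{
        Thumbprint = $Thumbprint
        Subject    = $cert.Subject
        Ok         = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Placeholder values: substitute the thumbprint of the issued certificate and your chosen Subject text
Test-BeyondInsightCertRequirements -Thumbprint 'PUT-THUMBPRINT-HERE' -CommonText 'PUT-COMMON-TEXT-HERE'
```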


Assign the SSL Web Service Certificate in BeyondInsight

Configuration Tool: Assign the Web Service SSL Certificate

  1. Start the BeyondInsight Configuration Tool.
  2. Scroll to Web Service in the list.
  3. Select the domain PKI certificate from the list.
  4. Click Apply.


Configure a Client Certificate for Privilege Management for Desktops

Group Policy Management Editor: Configure Certificate Name

  1. In Group Policy Management Editor, edit the group policy you use for your Privilege Management for Desktops targets.
  2. Go to Administrative Templates > BeyondTrust > Privilege Management for Desktops > System > Management.
  3. Double-click the setting Configure the BeyondInsight Certificate Name.
  4. Enter the common text you used in the client certificate Subject key.

Configure Auto Enrollment

  1. In Group Policy Management Editor, edit the group policy you use for your Privilege Management for Desktops targets.
  2. Go to Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Automatic Certificate Request Settings.
  3. Right-click within the right pane and select New > Automatic Certificate Request.
  4. Go through the wizard. On the Certificate Template page, select the custom template.