SSL Certificate Requirement for the PRA Appliance
All BeyondTrust software communication occurs over secure, encrypted connections. These rely on industry-standard SSL/TLS and on the DNS address of the appliance. BeyondTrust Appliances ship with a default certificate that secures connections on all IP addresses. However, this default certificate does not satisfy the requirements of BeyondTrust's client software, which performs more rigorous validation checks than standard web browsers. Therefore, before BeyondTrust can provide you with a fully operational software licensing package, your BeyondTrust Appliance must have a valid SSL certificate installed that matches the DNS A-record you have registered for your appliance.
A valid SSL certificate can be either a certificate authority-signed (CA-signed) certificate or a self-signed certificate. CA-signed certificates are required to use all of BeyondTrust's functionality (for example, click-to-chat and mobile clients), but they require that a certificate signing request (CSR) be submitted to the CA. The CSR is an industry-standard format supported by network devices and software that use SSL. If a CA-signed certificate is used instead of a self-signed certificate, the signed certificate must be downloaded from the CA's web site (or from the certificate purchase email) and imported to the BeyondTrust Appliance from the /appliance interface. In addition to the CA certificate request feature, BeyondTrust includes functionality for obtaining and automatically renewing its own TLS certificates from Let's Encrypt, an open certificate authority.
For more information on creating and managing SSL certificates in BeyondTrust PRA, please see the following articles:
For more information on how BeyondTrust uses SSL certificates as well as detailed configuration steps to request and install certificates in BeyondTrust, see the SSL Certificates Guide.
The section Create an SSL Certificate describes the steps for initial configuration in detail. An overview of the process is given below.
- Log into the BeyondTrust /appliance interface and create a certificate signing request (CSR) or self-signed certificate for the DNS address of the appliance.
If the BeyondTrust Appliance will use a copy of the certificate from another BeyondTrust Appliance or server, no CSR or self-signed certificate is necessary. Instead, export the certificate together with its private key from the system on which it currently resides and import it to the BeyondTrust Appliance. For detailed steps, see the section Replicate the SSL Certificate on Failover and Atlas Appliances in the SSL Certificates Guide.
- Assign the new certificate to the IP address(es) of the BeyondTrust Appliance.
- Send BeyondTrust Technical Support a copy of the SSL root certificate and/or appliance DNS address.
If a self-signed certificate is used, the certificate serves as its own root certificate, so the self-signed certificate itself should be sent to BeyondTrust Technical Support. If a CA-signed certificate is used, contact the CA for a copy of their root certificate. If you have trouble contacting the CA, articles to assist with obtaining your root certificate can be found at beyondtrustcorp.service-now.com/csm. In either case, BeyondTrust Technical Support needs to know the DNS address of the appliance. If your DNS address is publicly resolvable and the SSL certificate is already installed, Support can retrieve a copy of the root from the public DNS address, and it is not necessary to send the root certificate manually.
Once the above steps are complete, BeyondTrust Technical Support encodes the DNS hostname and SSL root certificate into a new software licensing package, sends it to the BeyondTrust licensing servers for building, and then sends you instructions to install the newly-built package once it is complete.
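The following script is an added example, not BeyondTrust tooling and not a substitute for the /appliance interface. It uses OpenSSL to produce the artifacts the procedure above refers to (a private key, a CSR for a CA, a self-signed fallback, and a PKCS#12 export for replication to a failover appliance) and then runs the checks a practitioner should make before importing anything or contacting Technical Support: the DNS name is present as a Subject Alternative Name, the certificate matches the hostname clients will connect to, the certificate belongs to the private key held, a self-signed certificate is its own root, and the SHA-256 fingerprint of that root can be quoted to Support. The hostname pra.example.com, the scratch directory and the PFX password are assumptions for illustration.

```shell
#!/bin/sh
# Added example for this guide (not BeyondTrust code). Builds and checks the
# certificate artifacts with OpenSSL. HOST, OUT and PFX_PASS are assumptions.
set -eu

HOST="${HOST:-pra.example.com}"      # assumed; must equal the registered DNS A-record
OUT="${OUT:-$(mktemp -d)}"           # assumed scratch directory
PFX_PASS="${PFX_PASS:-changeit}"     # assumed; protects the exported private key

# Step 1a: private key. On a real deployment this stays on the appliance; here it
# is local so the CSR and the self-signed fallback share one key.
gen_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$OUT/$HOST.key" 2>/dev/null
}

# Step 1b: CSR for a CA-signed certificate. The DNS name goes in the Subject
# Alternative Name; strict validators check the SAN, not only the CN.
gen_csr() {
  openssl req -new -key "$OUT/$HOST.key" -subj "/CN=$HOST" \
    -addext "subjectAltName=DNS:$HOST" -out "$OUT/$HOST.csr" 2>/dev/null
}

# Step 1c: self-signed alternative. Issuer equals subject, so this PEM is also
# the root that Technical Support asks for in step 3.
gen_selfsigned() {
  openssl req -x509 -new -key "$OUT/$HOST.key" -subj "/CN=$HOST" -days 365 \
    -addext "subjectAltName=DNS:$HOST" -out "$OUT/$HOST.crt" 2>/dev/null
}

# Replication to a failover/Atlas appliance: certificate plus private key in one
# password-protected PKCS#12 file.
export_pfx() {
  openssl pkcs12 -export -inkey "$OUT/$HOST.key" -in "$OUT/$HOST.crt" \
    -out "$OUT/$HOST.pfx" -passout "pass:$PFX_PASS"
}

# --- Checks to run before import and before contacting Support ---

# The CSR carries the DNS name as a SAN.
csr_has_san() {
  openssl req -in "$OUT/$HOST.csr" -noout -text | grep -q "DNS:$HOST"
}

# The certificate matches the name clients connect to (default: $HOST). Passing a
# different name shows the failure mode a mismatched A-record produces.
cert_matches_host() {
  openssl x509 -in "$OUT/$HOST.crt" -noout -checkhost "${1:-$HOST}" \
    | grep -q " does match "
}

# The certificate's public key belongs to the private key we hold.
cert_matches_key() {
  [ "$(openssl x509 -in "$OUT/$HOST.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$OUT/$HOST.key" -pubout)" ]
}

# Self-signed: issuer equals subject, so this file is its own root certificate.
cert_is_self_signed() {
  s=$(openssl x509 -in "$OUT/$HOST.crt" -noout -subject)
  i=$(openssl x509 -in "$OUT/$HOST.crt" -noout -issuer)
  [ "${s#subject=}" = "${i#issuer=}" ]
}

# SHA-256 fingerprint of the root, to quote to Support so both sides agree.
cert_fingerprint() {
  openssl x509 -in "$OUT/$HOST.crt" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# The PKCS#12 export can be read back with the password, as the peer appliance will.
pfx_is_readable() {
  openssl pkcs12 -in "$OUT/$HOST.pfx" -passin "pass:$PFX_PASS" -nokeys -clcerts \
    | openssl x509 -noout -subject | grep -q "$HOST"
}

main() {
  gen_key; gen_csr; gen_selfsigned; export_pfx
  csr_has_san && cert_matches_host && cert_matches_key && cert_is_self_signed \
    && pfx_is_readable && printf 'ok %s sha256=%s\n' "$HOST" "$(cert_fingerprint)"
}
main
```

For a CA-signed certificate, the same checks apply to the certificate the CA returns (with cert_is_self_signed expected to fail, since the issuer is then the CA), and the file to send to Support is the CA's root, not the leaf. For a certificate that is already installed on a publicly resolvable name, `openssl s_client -connect "$HOST:443" -servername "$HOST" -showcerts` retrieves the served chain, which is what Support does when it fetches the root from the public DNS address.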