SSL Certificates and BeyondTrust Privileged Remote Access
In this guide, you will learn about the role of SSL certificates in BeyondTrust — why they are needed and how to use them.
SSL (Secure Socket Layer) is a security protocol that uses encryption to ensure the secure transfer of data over the internet. An SSL certificate is a small digital file that contains a public key and private key pair, along with a "subject," which is the identity of the certificate owner. These keys work in a way that allows for the creation of a secure, encrypted connection between both parties. For example, in order for a browser and a server to establish a secure connection, an SSL certificate is needed. Essentially, an SSL certificate works as certified, digital proof of your online identity.
Before BeyondTrust can provide your custom software package, your B Series Appliance must have a valid SSL certificate installed that matches the hostname you have selected for your BeyondTrust site.
When properly installed, an SSL certificate validates the identity of your BeyondTrust site and allows software such as web browsers and BeyondTrust clients to establish secure, encrypted connections.
The CA or Issuing Authority issues multiple certificates in a certificate chain, proving that your site's certificate was issued by the CA. This proof is validated using a public and private key pair. The public key, available to all of your site visitors, must validate the private key in order to verify the authenticity of the certificate chain. The certificate chain typically consists of three types of certificate:
Root Certificate – The certificate that identifies the certificate authority.
Intermediate Root Certificates – Certificates digitally signed and issued by an Intermediate CA, also called a Signing CA or Subordinate CA.
Identity Certificate – A certificate that links a public key value to a real-world entity such as a person, a computer, or a web server.
If your SSL certificate does not match your BeyondTrust site's hostname, your users will experience security errors. The proper way to resolve this is to get an SSL certificate signed by a third-party certificate authority (CA).
As a temporary measure, you can create a self-signed certificate, but this will not resolve all of the errors that come with not having a CA-signed certificate. If your site uses the factory default certificate or even if it uses a self-signed certificate, users attempting to access your BeyondTrust site will receive an error message warning them that your site is untrusted. Furthermore, without a CA-signed certificate, some software clients will not function at all. BeyondTrust software clients which absolutely require the heightened security of a CA-signed certificate include:
- iOS and Android access consoles
- Linux software clients (access consoles, endpoint clients)
To obtain a valid CA-signed SSL certificate, create and submit a certificate signing request (CSR) as discussed in Create a Certificate Signed by a Certificate Authority for Your BeyondTrust Appliance B Series.The CSR contains the public key portion of your B Series Appliance's key pair and the distinguished name of your B Series Appliance.
Once the CSR has been created, the B Series Appliance generates and saves a unique private key. You must then submit the CSR to a CA without the private key. The CA validates the identity of your site and returns a signed certificate to you, which you must install on your B Series Appliance.
Installing the new certificate in BeyondTrust automatically links the private key to the new certificate, making the B Series Appliance ready to decrypt traffic from remote clients such as access consoles and web browsers. The private key and its certificate can be transferred between servers (e.g., from an IIS server to a B Series Appliance), but if it is ever lost, decryption will be impossible, the B Series Appliance will be unable to validate its integrity, and the certificate will have to be replaced.
Never send the private key over the internet, and always secure it with a strong password.
To have full functionality of the BeyondTrust software and to avoid security risks, it is very important that you obtain a valid CA-signed SSL certificate as soon as possible.
You can obtain an SSL certificate from a commercial or public certificate authority or from an internal CA server if your organization uses one. BeyondTrust does not require customers to obtain a certificate from a select list of certificate authorities.
BeyondTrust does not require any special type of certificate. BeyondTrust does accept wildcard certificates, subject alternative name (SAN) certificates, Unified Communications (UC) certificates, Extended Validation (EV) certificates, and so forth, as well as standard certificates.
BeyondTrust also provides support for requesting a Let's Encrypt certificate directly from the B Series Appliance. Let's Encrypt issues signed certificates which are valid for 90 days, yet have the capability of automatically renewing themselves indefinitely.
The sections in this guide explain how to request and upload a certificate for the first time, how to replicate a certificate on additional B Series Appliances, how to renew an expired certificate, and how to replace a certificate with one from another certificate authority.