SSL Certificates and BeyondTrust Privileged Remote Access

Before BeyondTrust can provide your custom software package, your B Series Appliance must have a valid SSL certificate installed. When properly installed, an SSL certificate validates the identity of your BeyondTrust site, and allows software such as web browsers and BeyondTrust clients to establish secure, encrypted connections.

Overview

To ensure full functionality of the BeyondTrust software and to avoid security risks, a valid SSL certificate signed by a third-party certificate authority (CA) must be installed.

Without an SSL certificate that matches your BeyondTrust site's hostname, your users will experience security errors. If your site uses the factory default or a self-signed certificate, users attempting to access your BeyondTrust site will receive an error message warning them that your site is untrusted, and some software clients will not function at all.

Installing the new certificate in BeyondTrust automatically links a private key to the new certificate, making the B Series Appliance ready to decrypt traffic from remote clients such as access consoles and web browsers. The private key and its certificate can be transferred between servers (e.g., from an IIS server to a B Series Appliance), but if the private key is ever lost, decryption will be impossible, the B Series Appliance will be unable to validate its integrity, and the certificate will have to be replaced.

BeyondTrust software clients which require the heightened security of a CA-signed certificate include:

  • iOS and Android access consoles
  • Linux software clients (access consoles, endpoint clients)

BeyondTrust does not require any special type of certificate, and accepts certificates issued by commercial or public certificate authorities as well as by internal CA servers. Accepted certificates include:

  • Wildcard certificates
  • Subject alternative name (SAN) certificates
  • Unified Communications (UC) certificates
  • Extended Validation (EV) certificates
  • Other standard certificates

BeyondTrust also provides support for requesting a Let's Encrypt certificate directly from the B Series Appliance. Let's Encrypt issues signed certificates that are valid for 90 days at a time, and can automatically renew themselves indefinitely.

Temporary, self-signed certificates can also be used for testing or installations. Using a self-signed certificate in a production environment does not provide the security of a CA-signed certificate, and users attempting to access your BeyondTrust site will receive an error message warning them that your site is untrusted.
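
A pre-install check for the points above, as an added example that is not BeyondTrust's own tooling: using the openssl command line, it tests whether a certificate covers the site hostname, whether it is self-signed, whether the private key belongs to it, and whether it is still valid 30 days out. The function names, the hostname access.example.com and the 30-day threshold are assumptions, and the sample pair is a throwaway generated on the spot.

```shell
#!/bin/sh
# Added example: checks to run on a certificate/key pair before installing it.
# Requires the openssl CLI. File names and hostnames are placeholders.

# True if the certificate covers the hostname; openssl's own matcher
# evaluates SAN entries and wildcards.
cert_matches_host() {   # $1=cert.pem  $2=hostname
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# True if issuer and subject are identical (self-signed, not CA-signed).
cert_is_self_signed() { # $1=cert.pem
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# True if the private key belongs to the certificate (same public key).
key_matches_cert() {    # $1=cert.pem  $2=key.pem
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True if the certificate is still valid $2 days from now.
cert_valid_for_days() { # $1=cert.pem  $2=days
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Constructed sample: throwaway self-signed pair, CN only, valid 90 days.
make_sample_pair() {    # $1=dir  $2=hostname
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=$2" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

report() {              # $1=cert.pem  $2=key.pem  $3=hostname
    cert_matches_host "$1" "$3" && echo "hostname: ok" || echo "hostname: MISMATCH"
    cert_is_self_signed "$1" && echo "issuer:   SELF-SIGNED" || echo "issuer:   CA-signed"
    key_matches_cert "$1" "$2" && echo "key:      ok" || echo "key:      DOES NOT MATCH"
    cert_valid_for_days "$1" 30 && echo "expiry:   >30 days" || echo "expiry:   within 30 days"
}

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
make_sample_pair "$SAMPLE_DIR" access.example.com
report "$SAMPLE_DIR/cert.pem" "$SAMPLE_DIR/key.pem" access.example.com
```

For the generated sample the report flags the issuer as self-signed, which is the condition the text above says causes untrusted-site warnings in production.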