Renew an Expired Certificate for the Privileged Remote Access Appliance
If the SSL certificate of your BeyondTrust Appliance is about to expire, you must renew it following the instructions below. If you need to replace an existing certificate with one from another certificate authority, see Replace an SSL Certificate on the Privileged Remote Access Appliance.
Because the software on the BeyondTrust Appliance is built for your specific SSL certificate, please be proactive in contacting BeyondTrust Technical Support before your SSL certificate expires. This way, BeyondTrust Technical Support can build software to help migrate your connections.
The steps below will guide you through renewing a CA-signed certificate.
Purchase the Certificate Renewal
- Contact the certificate authority that signed the certificate to request a renewal.
When a certificate is renewed, the original certificate data is used. Therefore, a new certificate request is not needed, and no new intermediate or root certificates need to be installed.
- Many CAs keep the certificate request information on file. Others may require you to provide the original certificate request.
If the CA requires a copy of the original certificate request, go to the /appliance > Security > Certificates page.
- In the Security :: Certificate Requests section, click the subject of the certificate request which matches the original certificate's data.
- Select and copy the Request Data, and then submit this information to your certificate authority.
Import the Certificate Files
- Once the certificate authority has responded to the request with the new certificate files, download all of the files to a secure location. This location should be accessible from the same computer used to access the /appliance interface.
- Log into the /appliance interface of your BeyondTrust Appliance. Go to Security > Certificates.
- In the Security :: Other Certificates section, click the Import button.
- Browse to your new certificate file and click Upload.
- Your renewed certificate should now appear in the Security :: Certificates section. This new certificate can be identified by its Expiration, since this will be a later date than the original certificate.
SSL Certificate Auto-Selection
Using Server Name Indication (SNI), an extension to the TLS protocol, any SSL certificate stored on the appliance is a candidate to be served to any client. Because most TLS clients send SNI information at the start of the handshake, the appliance can determine which SSL certificate to send back to a client that requests a connection.
You may choose a default certificate to serve to clients that do not send SNI information with their request, or to clients whose SNI information does not match anything in the appliance database.
- Go to /appliance > Security > Certificates.
- In the Default column, select the radio button for the certificate you wish to make default.
At this point, the appliance should be fully upgraded and operational with its new certificate. The old certificate may be removed and/or revoked as necessary.
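One way to confirm the result before removing or revoking the old certificate is to check which certificate the appliance serves with and without SNI, and how long each has left. This is an added example, not BeyondTrust tooling; the function names are hypothetical, and the appliance hostname and the old certificate's SHA-256 fingerprint are supplied on the command line.

```python
import hashlib
import socket
import ssl
import sys
import time


def served_cert(host, port=443, sni=None, timeout=10):
    """Return (sha256 fingerprint, notAfter) of the certificate served for this SNI value."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still validated; certificates are compared by fingerprint
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # server_hostname=None sends no SNI extension, like a client without SNI support
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            der = tls.getpeercert(binary_form=True)
            info = tls.getpeercert()
    return hashlib.sha256(der).hexdigest(), info["notAfter"]


def days_left(not_after, now=None):
    """Days until a getpeercert() 'notAfter' string such as 'Jun 01 12:00:00 2026 GMT'."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)


def evaluate(with_sni, without_sni, old_fingerprint, now=None, warn_days=30):
    """Turn two served_cert() results into a list of findings (empty list = nothing to review)."""
    findings = []
    if with_sni[0] == old_fingerprint:
        findings.append("SNI clients still receive the old certificate")
    if without_sni[0] != with_sni[0]:
        findings.append("non-SNI clients receive a different (default) certificate")
    for label, (_, not_after) in (("SNI", with_sni), ("default", without_sni)):
        remaining = days_left(not_after, now)
        if remaining < warn_days:
            findings.append(f"{label} certificate expires in {remaining} days")
    return findings


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_renewal.py <appliance-hostname> <old-cert-sha256-hex>")
    host, old_fp = sys.argv[1], sys.argv[2].lower().replace(":", "")
    for line in evaluate(served_cert(host, sni=host), served_cert(host), old_fp) or ["OK"]:
        print(line)
```

A handshake that fails chain validation raises an exception instead of returning a result, which is itself worth investigating before the old certificate is revoked.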