Copy the SSL Certificate to Privileged Remote Access Failover and Atlas Appliances
BeyondTrust allows you to use additional BeyondTrust Appliances for failover or for load balancing. If you intend to use additional BeyondTrust Appliances in your setup, it is important that each additional appliance is properly secured by an SSL certificate.
In a failover setup, the primary and backup appliances must have identical SSL certificates for failover to be successful. Otherwise, after a failover, the backup appliance will be unable to connect to any BeyondTrust software clients, because the clients will not trust a certificate that differs from the one built into them. Therefore, you should obtain a CA-signed certificate that is valid for each appliance's unique hostname as well as your main BeyondTrust site hostname (each name listed as a subject alternative name), and replicate that certificate on both the primary and the backup appliances.
If you plan to use an Atlas setup, use a wildcard certificate that covers both your BeyondTrust site name and each traffic node hostname. If you do not use a wildcard certificate, then adding traffic nodes that use different certificates may require a rebuild of the BeyondTrust software. Obtain a CA-signed wildcard certificate that supports all of the hostnames used in your Atlas setup, and replicate this certificate on each of your Atlas clustered appliances. Note that a wildcard such as *.example.com matches only one label, so a traffic node named node.eu.example.com would not be covered.
To replicate an SSL certificate, follow the instructions below:
Export the Certificate
- On the primary appliance, log into the /appliance interface. Go to Security > Certificates.
- In the Security :: Certificates section, check the box beside the certificate that is assigned to the active IP address. Then, from the dropdown menu at the top of this section, select Export.
Exporting certificates does not remove them from the appliance.
- On the Security :: Certificates :: Export page, check the options to include the certificate, the private key, and the certificate chain. All three are required for the backup appliance to serve the certificate. It is strongly recommended that you set a passphrase for the private key, since the exported file contains the key that identifies your appliance.
Import the Certificate
- On the backup appliance, log into the /appliance interface. Go to Security > Certificates.
- In the Security :: Certificate Installation section, click the Import button.
- Browse to the certificate file you just exported from the primary appliance. If a passphrase was assigned to the file, enter it in the Password field. Then click Upload.
- The imported certificate chain should now appear in the Security :: Certificates section.
- Repeat the import process for each additional clustered appliance.
Update the BeyondTrust Appliance
To ensure the reliability of your client software, BeyondTrust Technical Support builds your root certificate into your software. Therefore, any time you import a new root certificate to your BeyondTrust Appliance, you must send BeyondTrust Technical Support a copy of the new SSL certificate and a screenshot of your Status > Basics page to identify the appliance being updated.
Do NOT send your private key file (which ends in .p12) to BeyondTrust Technical Support. The key is private because it is what lets an appliance prove its identity; anyone who holds it can impersonate your BeyondTrust Appliance. Ensure that the private key and its passphrase are kept in a secure, well-documented location on your private network. If this key is ever exposed (by email, for instance), the security of your appliance is compromised and the certificate should be replaced.
- Go to /appliance > Status > Basics and take a screenshot of the page.
- Add the saved screenshot and all of the SSL certificate files for your certificate chain to a .zip archive. Do NOT include any private key files (e.g., .p12, .pfx, or .key files).
- Compose an email to BeyondTrust Technical Support requesting a software update. Attach the .zip archive containing the certificate files and screenshot. If you have an open incident with Support, include your incident number in the email. Send the email.
- Once BeyondTrust Technical Support has built your new software package, they will email you instructions for how to install it. Update your software following the emailed instructions.
- Repeat the update process for each additional clustered appliance.
After these steps are complete, wait 24-48 hours before proceeding further. This allows time for your BeyondTrust client software (especially Jump Clients) to update itself with the new certificate that BeyondTrust Technical Support included in your recent software update.
SSL Certificate Auto-Selection
Using Server Name Indication (SNI), an extension to the TLS protocol, any SSL certificate stored on the appliance is a candidate to be served to any client. Most TLS clients send the hostname they are connecting to as SNI at the start of the handshake, which lets the appliance pick the certificate that matches that hostname and send it back to the client.
You may choose a default certificate to serve to clients that do not send SNI information, or that send an SNI hostname that does not match any certificate in the appliance database. Clients in either group receive the default certificate, so choose the certificate that covers your main BeyondTrust site hostname.
- Go to /appliance > Security > Certificates.
- In the Default column, select the radio button for the certificate you wish to make default.
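The two checks an administrator cares about on this page are whether a proposed certificate covers every hostname in a failover or Atlas cluster (the first section above) and which certificate the appliance will serve for a given SNI name, falling back to the default when there is no SNI or no match (this section). The following is an added example, not BeyondTrust code: it models that selection with standard single-label wildcard matching, and the certificate labels, SAN lists and hostnames are constructed for illustration.

```python
"""Model of hostname coverage and SNI-based certificate selection.

Added illustration, not BeyondTrust code. It assumes a simplified view of the
appliance: every installed certificate is a candidate, a client's SNI name is
matched against each certificate's DNS subject alternative names (SANs), and
the administrator-chosen default is served when there is no SNI or no match.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Certificate:
    name: str            # label as it would appear in Security :: Certificates (constructed)
    sans: List[str]      # DNS SANs, e.g. "*.example.com"
    is_default: bool = False


def san_matches(pattern: str, hostname: str) -> bool:
    """Match one DNS SAN against a hostname.

    Case-insensitive. A wildcard is accepted only as the entire leftmost label
    and matches exactly one label, so "*.example.com" covers
    "support.example.com" but not "example.com" or "node.eu.example.com".
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")[1:]
    h_labels = hostname.split(".")
    return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels


def covers(cert: Certificate, hostname: str) -> bool:
    """True if any SAN on the certificate matches the hostname."""
    return any(san_matches(s, hostname) for s in cert.sans)


def uncovered_hostnames(cert: Certificate, required: List[str]) -> List[str]:
    """Hostnames a proposed failover/Atlas certificate would NOT cover.

    An empty result means the certificate can be replicated to every
    appliance in the cluster without a hostname mismatch.
    """
    return [h for h in required if not covers(cert, h)]


def select_certificate(installed: List[Certificate], sni: Optional[str]) -> Certificate:
    """Pick the certificate to serve for one handshake.

    An SNI name that matches a certificate wins; no SNI, or an SNI that
    matches nothing, falls back to the single default certificate.
    """
    if sni:
        for cert in installed:
            if covers(cert, sni):
                return cert
    defaults = [c for c in installed if c.is_default]
    if len(defaults) != 1:
        raise ValueError("exactly one default certificate must be selected")
    return defaults[0]


# Constructed data: one wildcard cert for an Atlas cluster plus an unrelated cert.
ATLAS_CERT = Certificate("atlas-wildcard", ["*.example.com", "example.com"], is_default=True)
LEGACY_CERT = Certificate("legacy-only", ["old-support.example.org"])
INSTALLED = [LEGACY_CERT, ATLAS_CERT]

# Site hostname plus the unique hostname of each clustered appliance (constructed).
CLUSTER_HOSTS = ["support.example.com", "appliance1.example.com", "appliance2.example.com"]


def demo() -> dict:
    """Run the coverage check and three handshake scenarios on the sample data."""
    return {
        # node.eu.example.com sits one label too deep for *.example.com
        "uncovered": uncovered_hostnames(ATLAS_CERT, CLUSTER_HOSTS + ["node.eu.example.com"]),
        "sni_match": select_certificate(INSTALLED, "appliance2.example.com").name,
        "no_sni": select_certificate(INSTALLED, None).name,
        "unknown_sni": select_certificate(INSTALLED, "nothing.invalid").name,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run the coverage check against the SAN list of a certificate before exporting it from the primary appliance; any hostname it reports is one the backup or traffic node would fail to present a valid certificate for. The selection function shows why a default must be set: a client that omits SNI gets nothing sensible otherwise.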