SSL Certificate Requirement

All BeyondTrust software communication occurs via secure, encrypted connections. These rely on the industry standard Secure Sockets Layer (SSL) technology and DNS address of the appliance. Secure Remote Access Appliances ship with a default certificate which secures the initial connection to the 169.254.1.x management address. However, this will not satisfy the requirements of BeyondTrust's client software, which runs more rigorous validation checks than standard web browsers. Therefore, before BeyondTrust can provide you with a fully operational software licensing package, your Secure Remote Access Appliance will need to have a valid SSL certificate installed that matches the DNS A-record you have registered for your appliance.

A valid SSL certificate can be either a certificate authority-signed (CA-signed) SSL certificate or a self-signed SSL certificate. CA-signed certificates are required to fully leverage all of BeyondTrust's functionality (e.g., click-to-chat and mobile clients), but they require that a certificate signing request (CSR) be submitted to the CA. The CSR is an industry standard used by all network devices and software which use SSL. If a CSR/CA-signed certificate is used instead of a self-signed certificate, the CA-signed certificate must be downloaded from the CA's web site (or certificate purchase email) and imported to the Secure Remote Access Appliance from the /appliance interface. In addition to the CA certificate request feature, BeyondTrust includes functionality for obtaining and automatically renewing its own TLS certificates from the open Certificate Authority Let's Encrypt.

For more information on creating and managing SSL certificates in BeyondTrust RS, please see the following articles:

For more information on how BeyondTrust uses SSL certificates as well as detailed configuration steps to request and install certificates in BeyondTrust, see the SSL Certificates Guide.

The section Create an SSL Certificate describes the steps for initial configuration in detail. An overview of the process is given below.

  • Log into the BeyondTrust /appliance interface and create a certificate signing request (CSR) or self-signed certificate.

If the Secure Remote Access Appliance will be using a copy of the certificate from another Secure Remote Access Appliance or server, no CSR or self-signed certificate is necessary. Instead, export the certificate with its private key from the system on which it currently resides and import it to the Secure Remote Access Appliance.

For detailed steps, please see the section Replicate the SSL Certificate on Failover and Atlas Appliances in the SSL Certificates Guide.

  • Send BeyondTrust Technical Support a copy of the SSL root certificate or appliance DNS address. Also send a screenshot of the /appliance > Status > Basics page.

If a self-signed certificate is used, the certificate serves as its own root certificate, and therefore, the self-signed certificate should be sent to BeyondTrust Technical Support. If a CA-signed certificate is used, contact the CA for a copy of their root certificate. If you have trouble contacting the CA, articles to assist with obtaining your root certificate can be found at In either case, BeyondTrust Technical Support will need to know the DNS address of the appliance. If your DNS address is public and the SSL certificate is already installed, Support can retrieve a copy of the root from the public DNS address; in this case, it is not necessary to manually send the root certificate. If you send the SSL certificate, be sure it is in PKCS#7 (.p7b) format or DER (.cer) format. Do not send PKCS#12 (.p12 and .pfx).

Once the above steps are complete, BeyondTrust Technical Support encodes the DNS hostname and SSL root certificate into a new software licensing package, sends it to the BeyondTrust licensing servers for building, and then sends you instructions to install the newly-built package once it is complete.