SSL Certificate Requirements for the BeyondTrust Appliance B Series

All BeyondTrust software communication occurs via secure, encrypted connections. These rely on the industry standard Secure Sockets Layer (SSL) technology and DNS address of the B Series Appliance.

While the default B Series Appliance certificate secures all connections on all IP addresses, the BeyondTrust client software requires more rigorous validation checks than standard web browsers. Before BeyondTrust can provide you with the complete software licensing package, your B Series Appliance must have a valid SSL certificate installed that matches the DNS A-record you have registered for your B Series Appliance.

Certificate Requirements

Valid SSL certificates can be either certificate authority-signed (CA-signed) or self-signed. A CA-signed certificate is required to access all of BeyondTrust's functionality (e.g., click-to-chat and mobile clients).

  • To receive a CA-signed certificate, a certificate signing request (CSR) must be submitted to a certificate authority.
  • The CA-signed certificate must be downloaded from the certificate authority's web site (or certificate purchase email) and imported to the B Series Appliance from the /appliance interface.

In addition to the CA certificate request feature, BeyondTrust includes functionality for obtaining and automatically renewing its own TLS certificates from the open Certificate Authority Let's Encrypt. Detailed instructions can be found in Certificates: Create and Manage SSL Certificates.

For more information on creating and managing SSL certificates in BeyondTrust PRA, please see the following articles:

For more information on how BeyondTrust uses SSL certificates, as well as detailed configuration steps to request and install certificates in BeyondTrust, please see the SSL Certificates Guide.

Create a New Certificate

The Create an SSL Certificate guide describes the steps for initial configuration in detail. An overview of the process is given below.

  1. Log into the BeyondTrust /appliance interface, and create a certificate signing request (CSR) or self-signed certificate.

    If the B Series Appliance will be using a copy of the certificate from another B Series Appliance or server, no CSR or self-signed certificate is necessary. Instead, export the certificate with its private key from the system on which it currently resides and import it to the B Series Appliance. For detailed steps, see the section Replicate the SSL Certificate on Failover and Atlas B Series Appliances in the SSL Certificates Guide.

  2. Assign the new certificate to the IP address(es) of the B Series Appliance.
  3. Send BeyondTrust Technical Support a copy of the SSL root certificate and/or B Series Appliance DNS address.

    If a self-signed certificate is used, the certificate serves as its own root certificate, and therefore, the self-signed certificate should be sent to BeyondTrust Technical Support. If a CA-signed certificate is used, contact the CA for a copy of their root certificate. If you have trouble contacting the CA, articles to assist with obtaining your root certificate can be found at beyondtrustcorp.service-now.com/csm. In either case, BeyondTrust Technical Support will need to know the DNS address of the B Series Appliance. If your DNS address is public and the SSL certificate is already installed, Support can retrieve a copy of the root from the public DNS address; in this case, it is not necessary to manually send the root certificate.

Once the above steps are complete, BeyondTrust Technical Support encodes the DNS hostname and SSL root certificate into a new software licensing package, sends it to the BeyondTrust licensing servers for building, and then sends you instructions to install the newly-built package once it is complete.