Security
Certificates: Create and Manage SSL Certificates
Manage SSL certificates, creating self-signed certificates and certificate requests, and importing certificates signed by a certificate authority.
Certificate Installation
The BeyondTrust Appliance comes with a self-signed certificate pre-installed. However, to use your BeyondTrust Appliance effectively, you need to create your own self-signed certificate at minimum. Preferably, request and upload a certificate signed by a certificate authority.
To create a self-signed certificate or a certificate request
If the certificate being requested is a replacement, you should select the existing key of the certificate being replaced.
If the certificate being requested is a re-key, you should select New Key for the certificate.
For a re-key, all information in the Security :: Certificates :: New Certificate section should be the same as in the certificate for which the re-key is being requested. Use a new certificate friendly name so that the certificate is easy to identify in the Security :: Certificates section.
Required information for the re-key can be obtained by clicking on the earlier certificate from the list displayed in the Security :: Certificates section.
For a new key or re-key certificate, the steps to import are the same.
In the Name (Common Name) field, enter a descriptive title for your BeyondTrust site.
In the Subject Alternative Names section, enter your BeyondTrust site hostname and click Add. Add a SAN for each DNS name or IP address to be protected by this SSL certificate.
DNS addresses can be entered as fully qualified domain names, such as access.example.com, or as wildcard domain names, such as *.example.com. A wildcard domain name covers multiple subdomains, such as access.example.com, and so forth.
If you intend to obtain a signed certificate from a certificate authority, click Create Certificate Request to create a certificate signing request (CSR). Otherwise, click Create Self-Signed Certificate.
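The SAN coverage rules above, as an added example that is not BeyondTrust code: a Python check listing the hostnames a planned SAN list would leave unprotected, using the common TLS matching rule that a wildcard stands for exactly one left-most label. The function names and the sample hosts and addresses are constructed for illustration.

```python
import ipaddress


def _as_ip(value):
    """Return an ip_address object, or None if value is not an IP literal."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def san_covers(san, host):
    """True if a single SAN entry covers the host a client connects to."""
    san = san.strip().lower().rstrip(".")
    host = host.strip().lower().rstrip(".")
    san_ip, host_ip = _as_ip(san), _as_ip(host)
    if san_ip is not None or host_ip is not None:
        # An IP SAN matches only the identical address, never a DNS name.
        return san_ip is not None and san_ip == host_ip
    if not san.startswith("*."):
        return san == host
    # Wildcard: '*' stands for exactly one left-most label.
    suffix = san[1:]  # "*.example.com" -> ".example.com"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]
    return bool(label) and "." not in label


def uncovered_hosts(sans, hosts):
    """Hosts from the inventory that no SAN entry in the request covers."""
    return [h for h in hosts if not any(san_covers(s, h) for s in sans)]


# Constructed sample data: planned SAN list and the names clients will use.
PLANNED_SANS = ["*.example.com", "192.0.2.10"]
CLIENT_HOSTS = ["access.example.com", "example.com",
                "eu.access.example.com", "192.0.2.10", "192.0.2.11"]

if __name__ == "__main__":
    for host in uncovered_hosts(PLANNED_SANS, CLIENT_HOSTS):
        print("not covered by any SAN:", host)
```

Any host this reports needs its own SAN entry before the certificate request is created; clients connecting by that name would otherwise see a name-mismatch error.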
To use a CA-signed certificate, contact a certificate authority of your choice and purchase a new certificate from them using the CSR you created in BeyondTrust. Once the purchase is complete, the CA will send you one or more new certificate files, each of which you must install on the BeyondTrust Appliance.
To download the root certificate for your appliance certificate, check the information sent from your CA for a link to the appropriate root. If there is none, contact the CA to obtain it. If this is impractical, search their website for their root certificate store. This contains all the root certificates of the CA, and all major CAs publish their root store online.
Usually, the easiest way to find the correct root for your certificate is to open the certificate file on your local machine and inspect its "Certification Path" or "Certificate Hierarchy". The root of this hierarchy or path is typically shown at the top of the tree. Locate this root certificate in your CA's online root store. Once done, download it from the CA's root store and import it to your BeyondTrust Appliance as described above.
If the intermediate and/or root certificates are different from those currently in use (or if a self-signed certificate was in use), please request an update from BeyondTrust Technical Support. BeyondTrust Technical Support will need a copy of the new certificate and its intermediate and root certificates.
Certificates
View a table of SSL certificates available on your appliance.
For connections that do not supply a Server Name Indication (SNI) or supply an incorrect SNI, select a default SSL certificate from the list to provide for these connections by clicking the button under the Default column. The default SSL certificate cannot be a self-signed certificate nor the default BeyondTrust Appliance certificate provided for initial installation.
To learn more about SNI, please see Server Name Indication.
To export one or more certificates, check the box for each desired certificate, select Export from the dropdown at the top of the table, and then click Apply.
If you are exporting only one certificate, you can immediately choose to include the certificate, the private key (optionally secured by a passphrase), and/or the certificate chain, depending upon each item’s availability. Click Export to start the download.
If you are exporting multiple certificates, you will have the option to export each certificate individually or in a single PKCS#7 file.
When selecting to export multiple certificates as one file, click Continue to start the download.
To include private keys and/or certificate chains in the export, select individual export and click Continue to view all selected certificates. For each listing, choose to include the certificate, the private key (optionally secured by a passphrase), and/or the certificate chain, depending upon each item’s availability. Click Export to start the download.
The private key should never, or rarely, be exported from an appliance. If it is stolen, an attacker could easily compromise the BeyondTrust site which generated the key. If it does need to be exported, be sure to assign a strong password to the private key.
To delete one or more certificates, check the box for each desired certificate, select Delete from the dropdown at the top of the table, and then click Apply.
Under normal circumstances, a certificate should never be deleted unless it has already been successfully replaced by a working substitute.
To confirm accuracy, review the certificates you wish to delete, and then click Delete.
Certificate Requests
View a table of pending requests for third-party-signed certificates. Click a certificate request name to view details.
The detail view also provides the request data you will give your preferred certificate authority when requesting a signed certificate.
If you are renewing a certificate, use the same certificate Request Data that was used for the original certificate.
To delete one or more certificate requests, check the box for each desired request, select Delete from the dropdown at the top of the table, and then click Apply.
To confirm accuracy, review the certificate requests you wish to delete, and then click Delete.
Keys
View a table of private keys associated with certificates and certificate requests on your appliance. Click a linked certificate name or request name to view details about that associated item.
To delete one or more private keys, check the box for each desired key, select Delete from the dropdown at the top of the table, and then click Apply.
To confirm accuracy, review the private keys you wish to delete, and then click Delete.