Settings
From the Settings page, you can configure the following:
- Console Access: Add new users and groups to BeyondInsight for Unix & Linux (BIUL).
- Roles: Manage the assignment of roles to users.
- Software: Manage BeyondTrust software versions.
- System: Manage BIUL settings.
- Directory Services: Manage directory services connections.
- SIEM Connections: Manage SIEM Elasticsearch and Logstash connections.
- Integration: Manage integration settings for external BeyondTrust integrations.
- Certificates: Manage certificates.
BIUL settings
Deployment settings
To configure deployment settings:
- Select the Settings menu.
- Click System.
- Set the Remote Working Directory for deployments. For example, /tmp.
- Enable or disable Verify SSH Fingerprints. This setting controls whether the SSH host key fingerprint of a newly discovered host must be verified before BIUL trusts the host by default. Keep it enabled unless you verify host keys another way: an unverified host key lets an impersonating host receive the credentials BIUL uses for deployment.
- Click Save Settings.
Authentication timeout settings
The following options are available to configure Authentication Timeout Settings for the BIUL console. The settings are specified in minutes.
- Select the Settings menu.
- Click System.
- Set values for the following timeout settings:
- Total Session Length
- Session Timeout Warning
- Total Idle Length
- Idle Timeout Warning
- Click Save Settings.
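The four timeout values interact: a warning interval only makes sense if it is shorter than the length it warns about, and an idle length longer than the total session length never takes effect. The following added example (not BIUL code; the interpretation of each warning value as "minutes before expiry at which the console warns" is an assumption) validates a set of values and evaluates what state a session is in at a given minute.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TimeoutSettings:
    """The four Authentication Timeout Settings, all in minutes."""
    total_session_length: int
    session_timeout_warning: int   # assumed: minutes before total expiry at which to warn
    total_idle_length: int
    idle_timeout_warning: int      # assumed: minutes before idle expiry at which to warn


def validate_timeouts(s: TimeoutSettings) -> list:
    """Return a list of configuration problems (empty when the values are consistent)."""
    problems = []
    for name, value in vars(s).items():
        if value <= 0:
            problems.append(f"{name} must be positive")
    if s.session_timeout_warning >= s.total_session_length:
        problems.append("Session Timeout Warning must be shorter than Total Session Length")
    if s.idle_timeout_warning >= s.total_idle_length:
        problems.append("Idle Timeout Warning must be shorter than Total Idle Length")
    if s.total_idle_length > s.total_session_length:
        problems.append("Total Idle Length longer than Total Session Length never takes effect")
    return problems


def session_state(s: TimeoutSettings, started: int, last_activity: int, now: int) -> str:
    """Classify a session given the minute it started, the last activity minute and the current minute.

    Hard expiries are checked before warnings so that an expired session is never
    reported as merely 'warned'.
    """
    if not (started <= last_activity <= now):
        raise ValueError("expected started <= last_activity <= now")
    elapsed = now - started
    idle = now - last_activity
    if elapsed >= s.total_session_length:
        return "expired_total"
    if idle >= s.total_idle_length:
        return "expired_idle"
    if elapsed >= s.total_session_length - s.session_timeout_warning:
        return "warn_session"
    if idle >= s.total_idle_length - s.idle_timeout_warning:
        return "warn_idle"
    return "active"


# Constructed sample settings: an 8-hour session, warn 5 minutes before it ends,
# 30 minutes of allowed idle time, warn 2 minutes before the idle limit.
SAMPLE = TimeoutSettings(480, 5, 30, 2)

if __name__ == "__main__":
    print(validate_timeouts(SAMPLE))                       # []
    print(validate_timeouts(TimeoutSettings(480, 5, 30, 30)))
    for last, now in [(0, 10), (0, 28), (0, 30), (474, 476), (479, 480)]:
        print(now, session_state(SAMPLE, 0, last, now))
```

Run it as a quick sanity check before saving values in the console; the validation list is the part worth keeping, since the UI does not explain how the four numbers relate.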
Application settings
Configure application settings if you want to use the password reset feature available on the BIUL logon page.
Note
Enforce Email Verification is not available if there are no users with the sysadmin role or accountadmin role with a verified email, or if the currently logged on user has not verified their address. This is to prevent a lockout.
- Select the Settings menu.
- Click System.
- Enter the base URL for BIUL. For a standalone deployment with the default port, the URL is https://<hostname>:4443/. On the BeyondTrust appliance, the URL is https://<hostname>/pbsmc/. The BIUL URL is required for password reset and email verification because it is used to build the links sent in those emails.
- (Optional). Check the box to turn on Enforce Email Verification. When this setting is turned on, BIUL users must have verified email addresses to authenticate. When the email account is verified and authenticated, the password reset link on the logon page is available to the user.
- (Optional). Check the box to Disable System Provided Certificate Authority. When BIUL is first started it creates its own signing authority and uses it to sign the certificates it issues for components such as Solr. Use this option only when you supply certificates signed by your own CA and do not want the BIUL authority used at all.
- Click Save Settings.
User lockout settings
A user can try to log on five times (the default value) before the account is locked out. The default lockout period is 30 minutes. You can change the default settings.
Lockout settings are on by default.
To change default lockout settings:
- Select the Settings menu.
- Click System.
- Set the number of attempts the user can try to logon. The default is 5.
- Set the authentication window for logon attempts. This is the length of time the user can try to logon. The default is 5 minutes.
- Set the user lockout period. The default is 30 minutes.
- Click Save Settings.
An administrator can unlock a user account on the User Details page in the Console Access. Select the user and click Unlock User.
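The three lockout values describe a sliding window: only failures inside the authentication window count toward the attempt limit, and once the limit is reached the account stays locked for the lockout period. The following added example (a model written for this page, not BIUL's own implementation; whether BIUL extends a lockout on further attempts is not documented here and is not modelled) shows that rule over a constructed sequence of logon events, including the administrator unlock.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class LockoutPolicy:
    max_attempts: int = 5       # attempts allowed (console default 5)
    window_minutes: int = 5     # authentication window (console default 5)
    lockout_minutes: int = 30   # lockout period (console default 30)


@dataclass
class AccountState:
    failures: List[int] = field(default_factory=list)  # minutes of recent failed logons
    locked_until: Optional[int] = None                  # minute at which the lockout ends


class LockoutTracker:
    """Counts failed logons per user inside a sliding window and locks the account."""

    def __init__(self, policy: LockoutPolicy = LockoutPolicy()):
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: int) -> bool:
        st = self._state(user)
        return st.locked_until is not None and now < st.locked_until

    def attempt(self, user: str, password_ok: bool, now: int) -> str:
        """Record one logon attempt; returns ok / failed / locked_out_now / locked."""
        st = self._state(user)
        if self.is_locked(user, now):
            # Reject before looking at the password: answering differently for a
            # correct password would let an attacker test guesses during the lockout.
            return "locked"
        if password_ok:
            st.failures.clear()
            st.locked_until = None
            return "ok"
        # Only failures inside the authentication window count.
        st.failures = [t for t in st.failures if now - t < self.policy.window_minutes]
        st.failures.append(now)
        if len(st.failures) >= self.policy.max_attempts:
            st.locked_until = now + self.policy.lockout_minutes
            st.failures.clear()
            return "locked_out_now"
        return "failed"

    def unlock(self, user: str) -> None:
        """Administrator action, equivalent to Unlock User on the User Details page."""
        st = self._state(user)
        st.failures.clear()
        st.locked_until = None


# Constructed sample events: (minute, user, password correct?).
# alice fails five times within the window; bob spreads five failures over 8 minutes.
SAMPLE_EVENTS = [
    (0, "alice", False), (1, "alice", False), (2, "alice", False),
    (3, "alice", False), (4, "alice", False),
    (10, "alice", True),   # correct password, but inside the lockout period
    (34, "alice", True),   # lockout has ended
    (0, "bob", False), (2, "bob", False), (4, "bob", False),
    (6, "bob", False), (8, "bob", False),
]


def run_sample(policy: LockoutPolicy = LockoutPolicy()) -> List[tuple]:
    """Replay SAMPLE_EVENTS and return (user, minute, status) for each attempt."""
    tracker = LockoutTracker(policy)
    return [(user, minute, tracker.attempt(user, ok, minute)) for minute, user, ok in SAMPLE_EVENTS]


if __name__ == "__main__":
    for row in run_sample():
        print(*row)
```

bob never locks because, by the time of his fifth failure, only three failures fall inside the 5-minute window; this is the behaviour to expect when tuning the window against slow password guessing, which a longer window catches and a short one does not.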
Set up password reset
A Reset Password link is available on the BIUL logon page. A local user must verify their email address before they can use the password reset feature; this verification is required regardless of whether Enforce Email Verification is enabled.
Note
The password reset feature is not available to directory service users.
To use the Reset Password link for local accounts, the following must be in place:
- SMTP settings must be configured for your mail server. If the SMTP server is not configured the Send Verification Email option is not available.
- Application settings must be configured.
- The email address for your BIUL account must be verified and authenticated. Only after the address is verified can it be used to reset a password.
A BIUL administrator can send a verification email.
To send an email verification:
- Click the Settings menu, and then click Console Access.
- Click the Users tab.
- Click the edit icon for a local user account to display the User Details page.
- Click Send Verification Email.
The user receiving the verification email must click the link and provide credentials to authenticate the account. After this authentication the email account is verified and can be used in a password reset.
Add a directory service
BeyondInsight for Unix & Linux (BIUL) supports connections to the following directory service providers:
- Active Directory
- Red Hat Identity Management (IdM)/FreeIPA
- OpenLDAP
More than one directory service provider can be configured in the same deployment.
In some cases, the connection type might be set to Unknown. This can occur if the data existed previous to BIUL 9.4. The connection will work. However, we recommend selecting the appropriate connection type from the list.
To add a connection:
- Select the Settings menu, and then click Directory Services.
- Click Add Connection.
- Select the connection type from the list.
- Select the settings for the connection, including domain, user credentials, and port. Ensure the correct format is used for the user names.
- Active Directory: Enter the user name in user principal name (UPN) format (admin@domain) or in down-level (sAMAccountName) format (DOMAIN\admin).
- IdM and OpenLDAP: Enter the user name in bind DN format (cn=admin,dc=example,dc=com).
- (Optional). Click Test Settings to ensure the connection between BIUL and the directory service works.
- Click Save Directory Service Settings.
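A bind that fails because the user name is in the wrong shape for the provider looks the same as a bad password in most error messages, so it is worth checking the format before clicking Test Settings. The following added example (not BIUL code; the connection type keys and the accepted-format table are assumptions made for the example) classifies a credential name as UPN, down-level or bind DN and reports whether that shape matches the selected connection type.

```python
import re
from typing import List, Optional, Tuple

# Three credential name shapes the Directory Services form accepts.
UPN_RE = re.compile(r"^[^\s@\\/]+@[^\s@\\/]+\.[^\s@\\/]+$")   # admin@corp.example.com
DOWNLEVEL_RE = re.compile(r"^[^\s@\\/]+\\[^\s@\\/]+$")        # CORP\admin
RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,=]+$")        # one attr=value pair

# Assumed mapping of connection type to accepted formats.
ACCEPTED = {
    "active_directory": {"upn", "downlevel"},
    "idm": {"bind_dn"},
    "openldap": {"bind_dn"},
}
HINTS = {"upn": "user@domain", "downlevel": "DOMAIN\\user",
         "bind_dn": "cn=admin,dc=example,dc=com"}


def parse_bind_dn(name: str) -> Optional[List[Tuple[str, str]]]:
    """Split a bind DN into (attribute, value) pairs; None if it is not a DN."""
    pairs = []
    for part in name.split(","):
        part = part.strip()
        if not RDN_RE.match(part):
            return None
        attr, value = part.split("=", 1)
        pairs.append((attr.lower(), value.strip()))   # LDAP attribute names are case-insensitive
    return pairs


def classify(name: str) -> str:
    """Return upn, downlevel, bind_dn or unknown for a credential name."""
    name = name.strip()
    if UPN_RE.match(name):
        return "upn"
    if DOWNLEVEL_RE.match(name):
        return "downlevel"
    if parse_bind_dn(name):
        return "bind_dn"
    return "unknown"


def check_bind_name(connection_type: str, name: str) -> Tuple[bool, str]:
    """(ok, message): does the credential name shape fit the connection type?"""
    kind = classify(name)
    expected = ACCEPTED[connection_type]
    if kind in expected:
        return True, f"{name!r} is in {kind} format, accepted for {connection_type}"
    wanted = " or ".join(HINTS[k] for k in sorted(expected))
    return False, f"{name!r} looks like {kind}; {connection_type} expects {wanted}"


if __name__ == "__main__":
    for conn, name in [("active_directory", "admin@corp.example.com"),
                       ("active_directory", "CORP\\admin"),
                       ("active_directory", "domain@admin"),
                       ("openldap", "admin@corp.example.com"),
                       ("idm", "uid=svc-biul,cn=users,cn=accounts,dc=example,dc=com")]:
        print(check_bind_name(conn, name)[1])
```

Note that a reversed name such as domain@admin is reported as unknown rather than as a UPN, because the part after the @ is not a domain name.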
Delete a directory connection
- Select the Settings menu, and then click Directory Services.
- Select a connection.
- Click Delete Connection.
- Click Delete to confirm.
BIUL console access
You can add and manage user accounts and groups in the console.
Add a local user account
- Select the Settings menu.
- Click the Console Access tile.
- Click the Users tab, and then click Add Users.
- Click Add > Local User.
- Enter the following information:
- Enabled: Enable or disable the user account.
- Username: This will be used to authenticate the account in the console and must be unique in the system. Once the Username has been saved, it cannot be changed.
- First Name: The user's first name.
- Last Name: The user's last name.
- Email: The user's email address.
- Password: The user's password. Used to authenticate the account in the console. Must be at least 8 characters.
- Confirm Password: Must match the Password value.
- Click Create User.
Assign a role to a user account
- Select the Settings menu.
- Click the Console Access tile.
- In the Console Access list, click the Users tab.
- Click the edit icon for a local user account to display the Edit User Details page.
- On the User Details panel, click Roles.
- Select from the following roles:
- System Administrator
- API User
- Auditor
- Account Administrator
- Policy Administrator
- Software Administrator
Update a local user account
- Select the Settings menu.
- Click the Console Access tile.
- In the Console Access list, click the Users tab.
- Click the edit icon for a local user account to display the Edit User Details page.
- On the User Details panel, click Details (by default, this option is displayed). The following configuration options are available:
- Enable User: Enable or disable the user account.
- First Name: The user's first name.
- Last Name: The user's last name.
- Email: The user's email address.
- Click Save User.
Update password for a local user account
- Select the Settings menu.
- Click the Console Access tile.
- In the Console Access list, click the Users tab.
- Click the edit icon for a local user account to display the Edit User Details page.
- On the User Details panel, click Authentication.
- Change the password, and then click Update Password.
Delete a local user account
- Select the Settings menu.
- Click the Console Access tile.
- In the Console Access list, click the Users tab.
- Click the edit icon for a local user account to display the Edit User Details page.
- Click the trashcan icon, and then click OK to confirm the deletion.
Add a Directory services user
- Select the Settings menu.
- Click the Console Access tile.
- In the Console Access list, click the Users tab.
- Click Add Users.
- From the Add list, select Directory services.
- Select the Directory services Forest and Domain.
- To search in an organizational unit (OU), click Browse and select an OU.
- In the Search for box, enter the search criteria for the Directory services object. To help narrow the search, from the list at the right, you can select a Query Type.
- Click Search Directory Service. Search results are displayed.
- Select the user or group from the search results and it is added to the Console Access list.
Note
The user is enabled or disabled depending on the Directory services configuration. The object configuration must be updated using Directory services.
Add a Directory services group
You can only add a group already created in Directory services. The group is enabled or disabled depending on the Directory services configuration. The object configuration must be updated using Directory services.
- Select the Settings menu.
- Click the Console Access tile.
- In the Console Access list, click the Groups tab.
- Click Add Groups.
- Select the Directory services Forest and Domain.
- To search in an organizational unit (OU), click Browse and select an OU.
- In Search for, enter the search criteria for the Directory Services object. To help narrow the search, from the list at the right, you can select a Query Type.
- Click Search Directory service. Search results are displayed.
- Select the group from the search results and it is added to the Console Access list.
Assign a role to a group
- Select the Settings menu.
- Click the Console Access tile.
- In the Console Access list, click the Groups tab.
- Click the edit icon for a group to display the Group Details page.
- Select the Roles tab.
- Select from the following roles:
- System Administrator
- API User
- Auditor
- Account Administrator
- Policy Administrator
- Software Administrator
Delete a Directory services user or group
- Select the Settings menu.
- Click the Console Access tile.
- In the Console Access list, click the Users or Groups tab.
- Click the edit icon for a directory services user or group to display the Edit User/Group Details page.
- Click the trashcan icon, and then click OK to confirm the deletion.
Unlock a user account
- Select the Settings menu.
- Click the Console Access tile.
- In the Console Access list, click the Users tab.
- Find the user account in the list, and then click the edit icon.
- Click Unlock User.
Configure role-based access
Access control provides a role-based system to authorize users in BeyondInsight for Unix & Linux (BIUL). Users are assigned roles based on the level of access they need to do their BIUL job functions.
Areas in the console require certain permissions. If a user is not assigned those permissions, then they cannot access those features in the console. For example, the policyadmin role is required for an authenticated user to interact with policy.
Roles can be assigned to either a user account or a group.
Note
The account created during the first run wizard is assigned the sysadmin role. This role has full privileges in the system.
The following roles are available:
- sysadmin: All roles; can do everything
- policyadmin: Full access to policy management
- softwareadmin: Full access to software management (deploy software, remove, etc.)
- auditor: Full access to log features
- accountadmin: Full access to controlling console access
- apiuser: Full access to using the public REST API
Full access to the entitlement gives the user or group the following permission attributes: create, view, update, and delete.
You can assign roles in two ways:
- On the Settings > Console Access > Users page. Provision roles on the details page for users and groups.
- On the Settings > Roles > Users page. See the following sections for details.
Assign a role to user accounts
- Click Settings > Roles.
- Select a role from the list.
- Click the Users tab.
- Click the Users without this role button to see users that do not currently have this role.
- Check the boxes for users you want to add.
- Click Add Selected Users.
Assign a role to groups
- Select Settings > Roles.
- Select a role from the list.
- Click the Groups tab.
- Click the Groups without this role button to see groups that do not currently have this role.
- Check the boxes for groups you want to add.
- Click Add Selected Groups.
Integrate Password Safe with BIUL
Use Password Safe to manage credentials
You can use Password Safe to manage credentials. Then, when you run actions on your hosts, passwords are retrieved at runtime from Password Safe rather than storing the passwords locally.
This section provides Password Safe configuration information within the console.
Note
For more information on configuring Password Safe, see BeyondTrust Password Safe Guides.
Configure Password Safe
Configure the settings for the Password Safe server. To configure the Password Safe integration:
- In the console, select the Settings menu.
- Click Integration.
- Enter the following information:
- Password Safe Server: The location of the Password Safe server. Do not add a trailing slash. For example, https://pbps_server.
- API Key: The API key generated in BeyondInsight.
- RunAs User: The BeyondInsight account under which the requests will be made. This Password Safe user must be in a User Group with API access and with an access policy that has auto-approve enabled for access.
- Description: A text entry to provide any additional details (optional).
- Verify certificate: Disabling this option bypasses certificate validation. Leave it enabled in production; without validation, the API key and RunAs credentials are sent to whatever host answers at the configured URL. If the Password Safe certificate is signed by a private CA, upload that CA on Settings > Certificates instead of disabling verification.
- (Optional). To ensure the connection works, click Test Settings.
- Click Save Settings.
Import Password Safe managed accounts
A Password Safe managed account must be imported as a BeyondInsight for Unix & Linux (BIUL) credential.
Note
Password Safe account details such as username and password cannot be changed in BIUL. These details are read-only values. The password is managed by Password Safe and retrieved dynamically.
To import a managed account:
- In the console, go to Hosts > Host Credentials.
- Click Manage Credentials and select Import from Password Safe.
- Select the managed accounts from the list of results the console can access and click Import Selected. You can filter the managed accounts by Username and Description. Imported accounts are displayed on the Credentials page.
Note
A status 200 might be displayed if the selected managed account already exists as a console credential.
Example
The following example is intended to provide a high-level configuration and is provided only as an overview.
In this example, the goal is to use an account called biul_user on a host at 10.100.10.10 to perform a Profile Servers action. BeyondInsight/Password Safe is running at https://my_pbps.
- Enable biul_user in the Password Safe API:
- In BeyondInsight, add the 10.100.10.10 asset if required.
- Choose the Add/Edit Password Safe option for 10.100.10.10 in the Assets grid.
- On the Local Accounts tab, select Add, and then provide the details for biul_user.
- Ensure the Enable for API Access option is selected.
- Get an API Key and add BeyondInsight for Unix & Linux to the allowlist:
- In BeyondInsight, go to Configure > Password Safe > Application API Registration.
- Create a new registration.
- Add the BIUL IP address to the source addresses list.
- Disable the certificate required option.
- An API key is generated when the registration is saved. This key is used in console.
- Configure an Access Policy in BeyondInsight:
- Go to Configure > Password Safe > Access Policies.
- Create a policy.
- In the Access section, ensure Approvers is set to auto-approve.
- Configure an API User Group in BeyondInsight:
- Go to Configure > Accounts.
- Create a group. Ensure Enable API Application is selected and the registered application is selected.
- In Smart Rules, select the Roles option for the All Managed Accounts rule.
- Choose Requestor under Password Safe.
- Select the access policy created earlier as the access policy.
- Create an API User in BeyondInsight:
- Go to Configure > Accounts, and add an account.
- Ensure it belongs to the group created earlier.
- Configure Password Safe in BIUL:
- Go to Settings > Integration.
- Enter the details for the Password Safe server. The API Key was obtained in step 2 and the RunAs User is the account created in step 5. The URL would be https://my_pbps.
- Add biul_user to BIUL:
- Go to Hosts > Credentials.
- Click Add Credential and select Import from Password Safe.
- In the list, select biul_user.
- Click Import Selected. The imported account is displayed on the Credentials page.
- Use the biul_user in the console:
- From the Hosts > Host Inventory page, choose Perform an Action > Profile Servers.
- Select a host, and select Perform Host Actions from the menu.
- Select Endpoint Privilege Management for Unix and Linux, and then select Profile.
- On the Credential Management page, select the biul_user.
- Go through the remaining pages on the Perform Host Actions wizard.
Configure the EPM-UL integration
Upload key files to confirm the files on the host are synchronized with the keys used by the console.
Note
If no key files are present, the console creates them during the next installation of Endpoint Privilege Management for Unix and Linux (EPM-UL) for versions 9.4.5 and later.
To configure EPM-UL:
- In the console, select the Settings menu, then click Integration.
- If you do not want to verify certificates, turn on Bypass SSL certificate validation.
- Choose whether to enable or disable Role entitlement reporting by default.
- Choose whether to enable or disable Prevent role entitlement reporting override. When Role entitlement reporting is enabled, new role-based policies default to entitlement reporting enabled; when it is disabled, they default to disabled. Enabling the override prevention locks that default so it cannot be changed per policy. Both settings apply to new policies only; disabling entitlement reporting does not change the value on existing policies.
- Upload network or REST key files to the console.
Manage software
View software managed by BeyondInsight for Unix & Linux
The Settings > Software page lists the software managed by BeyondInsight for Unix & Linux (BIUL). Basic information includes:
- Product name
- Visual indication the software is present (green dot) or not (gray dot)
- Version currently installed
- Location of the software
To update the list, click the Refresh icon.
View software details
On the Settings > Software page, you can get more detailed information for each software product listed. To view details on specific software, at the far right of the software listing, click the vertical ellipsis menu icon, and then select View Details. The Installers side panel appears at the right of the software product table. The panel list is scrollable.
To view details for a different product, click the vertical ellipsis on that product's row. The Installers side panel displays the new product information.
To close the panel, at the top-right of the panel, click the X button.
Upload software packages
You can upload Endpoint Privilege Management for Unix and Linux (EPM-UL) and AD Bridge software packages on the Software page.
EPM-UL installation templates
Use installation templates to apply different components to an EPM-UL server.
Some templates are preset and read-only:
- All components
- License Server only
- Policy and Log Server
- Submit and Run Host Only
- Primary Registry Server and All Components
Apply an installation template when running the Host Actions wizard for an EPM-UL install.
Create an EPM-UL installation template
You can create a custom EPM-UL installation template. For example, you might want a template to only install the log server feature. Create a template called Log Server and select only Install Log Server.
Note
You can select an existing template and click Clone to start with a base configuration for a new template.
To create an installation template:
- Go to the Settings > Software page.
- At the far right of the Endpoint Privilege Management for Unix and Linux row, click the vertical ellipsis menu icon, and then select Manage Installation Templates.
- Click Add New Template.
- Enter a Name for the template, and then click Create.
- Select the template options. The template settings are automatically saved.
Clone an EPM-UL installation template
You might want to clone an EPM-UL installation template in order to make a backup of an existing one, or use it as a template to create a new one.
To clone an installation template:
- On the Installation Templates panel, select a template, and then click Clone.
- Enter a Name for the template, and then click Create.
- Select the template options. The template settings are automatically saved.
Delete an EPM-UL installation template
To delete an installation template:
- On the Installation Templates panel, select a template.
- Click Delete, and then click OK to confirm.
AD Bridge join templates
To reduce data entry when joining the host to an Azure tenant application, use AD Bridge (ADB) join templates. When joining a specific host to the tenant, select the template to populate the tenant ID, application, and license key fields automatically.
To create an ADB join template:
- Select Settings > Software.
- At the far right of the AD Bridge row, click the vertical ellipsis menu icon, and then select Manage Join Templates.
- Click Add New Template.
- Enter a Name and Description for the template.
- Enter the Tenant ID, Application ID, and AD Bridge License Key.
- Click Create. The template is added to the list on the left.
When using the template, you must still provide an application secret.
Update an AD Bridge join template
To update an existing ADB join template:
- On the AD Bridge Join Templates panel, select the template to update.
- Update the information for the template.
- Click Update.
Delete an AD Bridge join template
To delete an existing ADB join template:
- On the AD Bridge Join Templates panel, select the template to delete.
- Click Delete, and then click OK to confirm.
SIEM connections
You can set up SIEM connections to integrate with Endpoint Privilege Management for Unix and Linux (EPM-UL) and AD Bridge events. The available connection types are Elasticsearch and Logstash.
Important
You can have only one Elasticsearch type connection.
Add a SIEM connection
- On the sidebar menu, click Settings > SIEM Connections.
- In the SIEM Connections left panel, click Add Connection.
- On the Create New SIEM Connection page, select the SIEM connection type.
- In the SIEM Connection Details section, enter a name and URL for the connection.
- Optionally, check the box that controls certificate verification for the connection. Turn verification off only when the signer is unknown to BIUL, for example when a self-signed certificate is in use; the safer alternative is to upload the signing CA on Settings > Certificates so that the connection is verified against it.
For an Elasticsearch connection type:
- In the Elasticsearch Connection Details section, select a credential type from the list: Username and Password or API Key.
- Depending on the credential type you select, enter the following:
- Username and Password
- API ID and API Key
- Cloud ID
- You can leave the Optional Search Index Patterns Overrides section fields as is, because there are default pattern values. Optionally, enter the following:
- EPM-UL Index Patterns
- EPM-UL Session Replay Index Patterns
- AD Bridge Index Patterns
- Proceed to the "To complete the process for either connection type" section (after the Logstash section, next).
Note
You can define the location of an Elasticsearch instance using two methods within BIUL:
- Directly specifying the URL of the Elasticsearch instance. This method specifies the location of Elasticsearch but contains no information about the location of Kibana.
- Providing a CloudID identifying the Elasticsearch instance. This method encodes the locations of both Elasticsearch and Kibana. Only connections using CloudID can identify the location to deploy the Kibana dashboard.
For a Logstash connection type:
- Click the Information icon (next to Logstash Connection Details) to see sample configuration examples and additional pipelines information.
- In the Logstash Connection Details section, enter a Username and Password.
To complete the process for either connection type:
- In the BeyondInsight for Unix & Linux Logging section, select the logging option(s) to send BIUL Console Audit Data, System Logs, or Task Logs to the SIEM. When enabled, data that is normally stored only in the local log file or BIUL database is additionally forwarded to the connection, formatted in Elastic Common Schema (ECS). The data is then available in a grid in the Audit > Unified Search > BeyondInsight for Unix & Linux section.
- Optionally, to test your updated settings and connection, click Test Settings, and check for the success message.
- Click Save SIEM Connection.
Edit a SIEM connection
You can change the settings for an existing SIEM connection.
- On the sidebar menu, click Settings > SIEM Connections.
- In the SIEM Connections list, select a connection.
- On the Edit SIEM Connection page, make your modifications, and then click Save SIEM Connection.
- Optionally, to test your updated settings and connection, click Test Settings.
Deploy a Kibana dashboard
Connections using CloudID can identify the location to deploy the Kibana dashboard.
To deploy a Kibana dashboard, you must:
- Configure Elasticsearch in BIUL.
- Associate a Kibana instance with the Elasticsearch instance.
- Connect to your Elasticsearch instance using a CloudID.
To deploy a Kibana dashboard using BIUL:
- On the sidebar menu, click Settings > SIEM Connections.
- In the SIEM Connections list, select your Elasticsearch connection.
- On the Edit SIEM Connection page, click to open the Elasticsearch Connection Details.
- Click Deploy Dashboard. The Kibana Dashboard URL appears.
- Click the link to access the Kibana dashboard.
Note
This is a prebuilt Kibana dashboard layout defined by BeyondTrust. The dashboard provides a few visualizations relevant to BeyondTrust products, including AD Bridge authentication events and EPM-UL policy events.
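Why only a CloudID connection can locate Kibana follows from the Cloud ID format: it is a deployment name, a colon, and a base64 payload of the form host$elasticsearch-id$kibana-id, from which both service URLs are derived. The following added example (not BIUL code; the deployment name, host and IDs are constructed for the example, and the Cloud ID layout shown is the one Elastic Cloud uses) decodes a Cloud ID into its Elasticsearch and Kibana URLs and returns no Kibana location for a connection that was defined by URL only.

```python
import base64
from typing import Dict, Optional


def make_cloud_id(name: str, host: str, es_id: str, kibana_id: str = "") -> str:
    """Build a Cloud ID the way Elastic Cloud does: name:base64("host$es_id$kibana_id")."""
    payload = f"{host}${es_id}${kibana_id}".encode()
    return f"{name}:{base64.b64encode(payload).decode()}"


def decode_cloud_id(cloud_id: str) -> Dict[str, Optional[str]]:
    """Return the deployment name and the Elasticsearch and Kibana HTTPS URLs encoded in a Cloud ID."""
    name, sep, payload = cloud_id.partition(":")
    if not sep or not payload:
        raise ValueError("Cloud ID must be <name>:<base64>")
    try:
        decoded = base64.b64decode(payload, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("Cloud ID payload is not valid base64") from exc
    parts = decoded.split("$")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError("Cloud ID payload must contain host$elasticsearch_id[$kibana_id]")
    hostname, _, port = parts[0].partition(":")
    port = port or "443"                       # the host part may carry an explicit port
    kibana_id = parts[2] if len(parts) > 2 else ""
    return {
        "name": name,
        "elasticsearch": f"https://{parts[1]}.{hostname}:{port}",
        "kibana": f"https://{kibana_id}.{hostname}:{port}" if kibana_id else None,
    }


def kibana_location(connection: Dict[str, str]) -> Optional[str]:
    """Kibana URL for a SIEM connection dict; None when the connection was given by URL only."""
    cloud_id = connection.get("cloud_id")
    if not cloud_id:
        return None
    return decode_cloud_id(cloud_id)["kibana"]


# Constructed sample: a deployment whose host carries an explicit port.
SAMPLE_CLOUD_ID = make_cloud_id("biul-demo", "eu-west-1.aws.found.io:9243", "a1b2c3", "k9k8k7")

if __name__ == "__main__":
    print(SAMPLE_CLOUD_ID)
    print(decode_cloud_id(SAMPLE_CLOUD_ID))
    print(kibana_location({"url": "https://es.example.internal:9200"}))   # None
```

A Cloud ID whose payload has an empty third field also yields no Kibana URL, which is the same situation as a URL-only connection from the dashboard deployment's point of view.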
Delete a SIEM connection
To delete an existing SIEM connection:
- On the sidebar menu, click Settings > SIEM Connections.
- In the SIEM Connections list, select a connection.
- On the Edit SIEM Connection page, at the far right, click Delete Connection.
- To confirm the deletion, click Delete.
Add SMTP server connection
To provide local BeyondInsight for Unix & Linux (BIUL) users access to the Reset Password link on the BIUL logon page, add SMTP server details. Using the password reset feature requires a verified email address.
Important
The configured SMTP server must support encrypted sessions, either STARTTLS on the submission port or an implicit TLS connection; BIUL does not send verification or reset emails over a cleartext session.
- Select the Settings menu.
- Click the Integration tile.
- Enter the information for the mail server, including: server address, port, and user credentials.
- (Optional). Click Test Settings to ensure there is a connection to the mail server.
- Click Save Settings.
Certificates
On the Manage Certificates page, you can:
- Add certificate authorities (CA) to the BeyondInsight for Unix & Linux (BIUL) trusted certificate pool
- Upload server and client certificates for remote connections
- Generate certificate signing requests
The CA and TLS certificates generated by BIUL are created during the application’s lifecycle, using the system supplied cryptographically secure PRNG for entropy.
The CA is unique per installation.
Important
The SSL certificate for the BIUL cannot be updated or deleted from the Manage Certificates page.
Add a certificate authority
An uploaded CA is added to the BIUL trusted certificate pool.
When BIUL connects to a remote service, a trusted CA in the BIUL database is added to the trusted certificate pool for that connection.
To add a CA:
- Go to Settings > Certificates.
- Click Add Certificate > Upload a Certificate Authority.
- Click the upload arrow and navigate to the .PEM file location.
- Click Upload File.
A CA can be removed when no longer required.
An uploaded CA is added to Solr during deployment or adoption actions for the Solr instance.
Note
As of version 23.1, Solr is deprecated. EPM-UL no longer supports installing Solr, but features that use an existing Solr installation will continue to work.
Upload certificates
When deploying a Solr instance or assigning a log server, BIUL searches the host for a certificate with the same name (wildcards supported). If found, that certificate is used for the host. Otherwise, BIUL generates a certificate using the BIUL CA.
- Go to Settings > Certificates.
- Click Add Certificate > Upload Existing Certificate.
- Select the host to copy the certificate to.
- Select a certificate type.
- Click the upload arrow and navigate to the certificate file location.
- Click Upload Files.
Create a certificate signing request
You can create a request to sign a certificate by a CA. After the certificate is signed, you can upload to the host.
To request a signed certificate:
- Go to Settings > Certificates.
- Click Add Certificate > Create Certificate Signing Requests.
- Fill out the form with details, including host, common name, organization, and organization email.
- Select a certificate type: client or server.
- Select a SAN type: DNS Name, IP address, or email address.
- Click Create.
- After the request is created, you can view the Pending status for the request.
- At the far right of the certificate row, click the vertical ellipsis menu icon and select Certificate Details.
- Click Download as PEM. After the certificate is signed, upload the certificate to complete the request.
Certificate expiry
A warning icon indicates a certificate is expiring soon or is already expired.