Install EPM-UL using your certificates

This topic describes how to install and configure Endpoint Privilege Management for Unix and Linux (EPM-UL) 26.1.0 so that it uses your organization’s certificate authority (CA) and certificates, instead of certificates generated and managed by EPM-UL.

This information applies to new on-premises installations of EPM-UL 26.1.0.

Use this topic when:

  • You are deploying EPM-UL 26.1.0 on premises, and
  • Your organization already operates an internal PKI, and
  • Policy requires TLS certificates to be issued by, or chained to, your CA.

Overview of certificate roles

Key roles when using your own CA:

  • Root CA (rootcacert, rootcakey)
    Your enterprise Root or issuing CA that ultimately signs EPM-UL certificates.
  • Server SubCA (sslservercacert, sslservercakey)
    CA that issues EPM-UL server and endpoint certificates (either provided by you or created by EPM-UL and signed by your Root CA).
  • Server certificate and key (sslservercertfile, sslserverkeyfile)
    Used by policy, log, license, and REST servers.
  • Client (endpoint) certificate and key (sslpbruncertfile, sslpbrunkeyfile)
    Used by submit/run hosts.
  • Trusted CA location (sslpbruncadir, sslpbruncafile)
    Directory and optional bundle file of trusted root and intermediate CAs (default /etc/pbcerts).
Note: EPM-UL does not support arbitrary customer self-signed endpoint or server certificates. Certificates must chain to a trusted CA.

Installation approaches

You can use your own certificates in two main ways:

  • EPM UL issues certificates under your CA
    You configure your Root CA and/or a SubCA in EPM UL. EPM UL uses this chain to issue and renew server and client certificates.
  • You fully manage certificates outside EPM UL
    Your PKI issues all certificates. You run pbinstall with options that prevent automatic certificate creation and configure EPM UL to use your certificate and CA paths.
    Automatic renewal applies only to certificates that EPM UL creates and manages.

Install the primary server with your own certificates

You can install from the command line or via BIUL (Managing Hosts). The same certificate options apply.

Key pbinstall options

Relevant options when using your own PKI include:

  • -n no: Skips checking and auto creation of default certificates and keys. Use this when you provide your own CA-signed certificates.
  • -H rootcacert=: Specify your Root CA certificate and key (if present on the host).
  • -V sslservercacert=: Specify your server SubCA certificate and key.
  • -k: Allows pbinstall to overwrite existing customer-generated, self-signed certificates with new EPM-UL CA-signed certificates. If your custom certificates are not self-signed, they will not be modified (this option is ignored).

Example: primary server using your Root CA and SubCA

./pbinstall -ierlmguI \
    -Sno \
    -A <appid> \
    -K <appkey> \
    -D <primary-license-host> \
    -P <rest-port> \
    -G <root-ca-fingerprint> \
    -n no \
    -H rootcacert=/etc/mycorp/rootCA.pem \
    -V sslservercacert=/etc/mycorp/pmul-subCA.pem \
    -V sslservercakey=/etc/mycorp/pmul-subCA.key

After installation, configure in pb.settings, for example:

sslservercertfile   /etc/pbssl.pem
sslserverkeyfile    /etc/pbsslkey.pem
sslpbruncadir       /etc/pbcerts
sslpbruncafile      mycorp-root-bundle.pem

Copy your server certificate, key, and CA certificates into the configured locations.

Configure trusted CA locations

Configure the trusted CA directory and (optionally) a bundle file:

sslpbruncadir   /etc/pbcerts
sslpbruncafile  mycorp-root-bundle.pem

Place your Root CA and intermediate CAs into this directory. EPM-UL maintains hash links as required by the SSL library.

Install additional servers and endpoints

For additional policy/log servers:

  1. Run pbinstall using the same Root CA fingerprint and registration details as the primary server.
  2. Either:
    • Provide pre-issued server certificates and keys and set sslservercertfile and sslserverkeyfile, or
    • Use pbregister --x509 commands to request server certificates under your SubCA (see the x509 functional specification).

For endpoints:

With pre-issued client certificates

  1. Install the endpoint certificate and key.
  2. Configure sslpbruncertfile, sslpbrunkeyfile, and trusted CAs (sslpbruncadir / sslpbruncafile).
  3. Run pbinstall with -n no.

With EPM-UL-issued endpoint certificates under your CA

  1. Ensure the primary server is configured with your Root CA / SubCA.
  2. Use pbregister --x509 endpointCert as described in the x509 functional specification.
  3. Confirm sslpbruncertfile and sslpbrunkeyfile point to the issued certificate and key.

Mutual TLS and troubleshooting

  • Servers use sslservercertfile / sslserverkeyfile and trust CAs in sslpbruncadir / sslpbruncafile.
  • Endpoints use sslpbruncertfile / sslpbrunkeyfile and trust CAs you configure for server validation.

If certificate chains are incomplete or hostnames do not match, TLS connections may fail. Review pbmasterd.log and pbrest.log for details.
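Before starting the servers, a preflight pass over the pb.settings certificate keys from this topic catches the most common causes of the failures above (missing files, a key file that is readable by others, a trust directory without hash links, an empty bundle). This is an added example, not EPM-UL code: it assumes pb.settings is a whitespace-separated key/value file and that a bare sslpbruncafile name lives inside sslpbruncadir, as the fragment above suggests.

```python
import os, re, stat
from pathlib import Path
# pb.settings keys documented in this topic, grouped by which role requires them.
SERVER_KEYS = ("sslservercertfile", "sslserverkeyfile")
ENDPOINT_KEYS = ("sslpbruncertfile", "sslpbrunkeyfile")
HASH_LINK = re.compile(r"^[0-9a-f]{8}\.\d+$")   # OpenSSL subject-hash link names (xxxxxxxx.0)
PEM_CERT = "-----BEGIN CERTIFICATE-----"

# Constructed sample mirroring the pb.settings fragment in this topic (not a real host).
SAMPLE_SETTINGS = """\
sslservercertfile   /etc/pbssl.pem
sslserverkeyfile    /etc/pbsslkey.pem
sslpbruncadir       /etc/pbcerts
sslpbruncafile      mycorp-root-bundle.pem
"""

def parse_settings(text):
    """Parse 'key <whitespace> value' lines; treating '#' as a comment is an assumption."""
    settings = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            settings[parts[0].lower()] = parts[1].strip()
    return settings

def preflight(settings, role):
    """Return findings for role 'server' or 'endpoint'; an empty list means nothing obvious is wrong."""
    findings = []
    for key in SERVER_KEYS if role == "server" else ENDPOINT_KEYS:
        path = settings.get(key)
        if not path:
            findings.append(f"{key} is not set")
        elif not os.path.isfile(path):
            findings.append(f"{key} points to missing file {path}")
        elif key.endswith("keyfile") and os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{key} {path} is group/world accessible")  # private key must stay private
    cadir = settings.get("sslpbruncadir")
    if not cadir or not os.path.isdir(cadir):
        return findings + ["sslpbruncadir is not set or is not a directory"]
    if not any(HASH_LINK.match(n) for n in os.listdir(cadir)):
        findings.append(f"{cadir} has no OpenSSL hash links; run 'openssl rehash' on it")
    bundle = settings.get("sslpbruncafile")
    if bundle:
        bpath = bundle if os.path.isabs(bundle) else os.path.join(cadir, bundle)  # assumption: relative to cadir
        if not os.path.isfile(bpath):
            findings.append(f"sslpbruncafile {bpath} is missing")
        elif Path(bpath).read_text(errors="replace").count(PEM_CERT) == 0:
            findings.append(f"sslpbruncafile {bpath} contains no PEM certificates")
    return findings
```

Run `preflight(parse_settings(SAMPLE_SETTINGS), "server")` on the host after copying the files into place; every string it returns is something to fix before looking in pbmasterd.log.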


©2003-2026 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.