SSL certificate setup

What is an SSL certificate?

An SSL certificate (Secure Sockets Layer) is a digital certificate installed on your appliance to secure communications between the appliance and its users. It encrypts data transferred over the network, such as login credentials and session details, ensuring that sensitive information remains private and protected from interception. SSL certificates also validate the identity of the appliance, providing users with assurance that they are connecting to a trusted, authentic server. Properly configuring an SSL certificate on your appliance is essential for maintaining secure and compliant remote access operations.

Why do I need an SSL certificate on my appliance?

Before BeyondTrust can provide your custom software package, your appliance must have a valid SSL certificate installed. When properly installed, an SSL certificate validates the identity of your BeyondTrust site and enables secure, encrypted connections for software like web browsers and BeyondTrust clients. This ensures that data transmitted between the appliance and users is protected from interception, maintaining the integrity and confidentiality of your support and access sessions.

What is a certificate authority?

A certificate authority acts to store, sign, and issue SSL certificates, allowing clients to establish secure, encrypted connections to your BeyondTrust site.

While a CA-signed certificate is the best way to secure your site, a self-signed certificate or an internally-signed certificate will allow temporary access for testing or deployment.

What do they send to you?

Once you send a certificate authority the request data, they review, sign, and return the certificate to you, often with root and/or intermediate certificate files. These make up your certificate chain, which proves your certificate was issued by the CA. The certificate chain typically includes three types of certificate:

  • Root Certificate - The certificate that identifies the certificate authority.
  • Intermediate Root Certificates - Certificates digitally signed and issued by an Intermediate CA, also called a Signing CA or Subordinate CA.
  • Identity Certificate - A certificate that links a public key value to a real-world entity such as a person, a computer, or a web server.

All of these certificate files must be imported to your appliance before it is completely operational.

Let's Encrypt™

Let's Encrypt™ issues signed certificates that are valid for 90 days at a time, and can automatically renew themselves indefinitely. To request or renew a Let's Encrypt certificate, you must meet the following requirements:

  • The DNS for the hostname you are requesting must resolve to your appliance.
  • Your appliance must be able to reach Let's Encrypt on TCP 443.
  • Let's Encrypt must be able to reach your appliance on TCP 80.
  • Because DNS can apply only to one appliance at a time, and because your appliance must be assigned the DNS hostname for which it makes a certificate request or renewal request, we recommend that you avoid use of Let's Encrypt certificates for failover appliance pairs.
  • Your appliance must be able to reach apps.identrust.com on TCP 80 (Outbound).

Requirements

1. A valid SSL certificate signed by a third-party certificate authority (CA-signed certificate)

To ensure full functionality of the BeyondTrust software and to avoid security risks, you must have a valid SSL certificate signed by a third-party certificate authority (CA) installed.

  • Private keys: Installing the new certificate in BeyondTrust automatically links a private key to the new certificate, making the appliance ready to decrypt traffic from remote clients such as representative consoles and web browsers. The private key and its certificate can be transferred between servers (e.g., from an IIS server to your appliance), but if it is ever lost, decryption is impossible, the appliance is unable to validate its integrity, and the certificate must be replaced.
  • Software clients requiring a CA-signed certificate: BeyondTrust software clients which require the heightened security of a CA-signed certificate include:
    • iOS and Android representative console
    • Linux software clients (representative consoles, endpoint clients)
  • Valid certificate types

    BeyondTrust does not require any special type of certificate and allows both commercial or public certificate authority and internal CA servers. Accepted certificates include:

    • Wildcard certificates
    • Subject Alternative Name (SAN) certificates
    • Unified Communications (UC) certificates
    • Extended Validation (EV) certificates
    • Other standard certificates
  • About the Let's Encrypt certificate: BeyondTrust also provides support for requesting a Let's Encrypt certificate directly from your appliance. Let's Encrypt issues signed certificates that are valid for 90 days at a time, and can automatically renew themselves indefinitely.

⚠️

Warning

Without an SSL certificate that matches your BeyondTrust site's hostname, your users will experience security errors. If your site uses the factory default or a self-signed certificate, users attempting to access your BeyondTrust site will receive an error message warning them that your site is untrusted, and some software clients may not function.

2. Self-signed certificates for testing/installations

You can use temporary, self-signed certificates for testing or installations. Using a self-signed certificate in a production environment does not provide the security of a CA-signed certificate, and users attempting to access your BeyondTrust site will receive an error message warning them that your site is untrusted.

Use an SSL certificate signed by a certificate authority

Add a Let's Encrypt certificate

ℹ️

This is an optional step. The use of Let's Encrypt certificates is not mandated by BeyondTrust.

  1. In your appliance web interface, open the Security page.
  2. In the Let's Encrypt™ Certificates section, in the Hostname field, enter the fully qualified domain name (FQDN) for your appliance.
  3. Select the certificate key type.
  4. Click Request.
    Let's Encrypt runs a validity test, and once completed, provides a certificate that automatically renews every 90 days.

⚠️

Important information

Your appliance starts the certificate renewal process 30 days before the certificate is due to expire; renewal has the same requirements as the original request. If renewal is still unsuccessful 25 days before expiry, your appliance sends daily admin email alerts (if email notifications are enabled), and the status displays the certificate in an error state.

Add a non-Let's Encrypt SSL certificate signed by a third-party CA

ℹ️

Before you begin

When using a CA issuer other than Let's Encrypt, you must create the certificate in your appliance, then submit a certificate signing request (CSR) to your CA for it.

The data associated with the CSR contains the details about your organization and BeyondTrust site. The CA can then publicly certify your organization and your appliance.

1. Create the certificate in your appliance.
  1. Log in to your appliance's web interface.

  2. Open the Security > Certificates page.

  3. Create the certificate with the following information:

    • Certificate Friendly Name: A descriptive title used to identify your certificate request on your appliance's Security > Certificates page (for example, your primary DNS name or the current month and year).
    • Key: Select a key size from the dropdown. Verify which key strengths your certificate authority supports.
      • Larger key sizes may require more processing overhead and may not be supported by older systems.
      • Smaller key sizes may become obsolete or insecure sooner than larger ones.
    • Subject Name: The contact information for the organization and department creating the certificate, along with the name of the certificate.
    • Country: The two-character ISO 3166 country code for your organization. If you are unsure of your country code, please visit www.iso.org/iso-3166-country-codes.html.
    • City (Locality): The city of your organization.
    • Organization: Your organization or company name.
    • Organizational Unit: The group or department within the organization managing the certificate and/or the BeyondTrust deployment.
    • Name (Common Name): A human-readable title for your certificate.
      • This name must be unique to differentiate the certificate from others on the network, which could include the public internet.
      • We do not recommend you use your DNS name as the common name, but some certificate authorities may require you to use your fully qualified DNS name for backward compatibility. Contact your certificate authority for details.
    • Subject Alternative Names: A list of the fully qualified domain names for each DNS A-record that resolves to your appliance (for example, support.example.com). After entering each subject alternative name (SAN), click Add.
      • A SAN protects multiple hostnames with a single SSL certificate.
      • A DNS address could be a fully qualified domain name, such as support.example.com, or it could be a wildcard domain name, such as *.example.com.
      • A wildcard domain name covers multiple subdomains.
        • If you use multiple hostnames for your site that are not covered by a wildcard certificate, define those as additional SANs.

    📘

    Notes

    • If you entered the fully qualified domain name as your subject's common name, you must re-enter this as the first SAN entry. If you wish to use IP addresses instead of DNS names, contact BeyondTrust Technical Support.
    • If you plan to use multiple appliances in an Atlas setup, we recommend using a wildcard certificate that covers both your BeyondTrust site hostname and each traffic node hostname.
      • If you do not use a wildcard certificate, adding traffic nodes that use different certificates requires a rebuild of the BeyondTrust software.
  4. Click Create Certificate Request and wait for the page to refresh.
    The certificate displays in the Certificate Requests section.

2. Submit the certificate signing request to your CA.
  1. When prompted to submit the request information, log in to your appliance's web interface.
  2. Open the Security > Certificates page.
  3. In the Certificate Requests section, click the subject of your certificate request.
  4. Select and copy the Request Data.
  5. Submit this information to your certificate authority.
    Some certificate authorities require you to specify the type of server the certificate is for. If this is a required field, submit that the server is Apache-compatible. If given more than one Apache type as options, select Apache/ModSSL or Apache (Linux).
3. Import the certificate.

ℹ️

Before you begin

  • Ensure you've received all files back from your CA.
  • Download all of the certificate files in your certificate chain to a secure location, accessible from the same computer used to access your appliance web interface.
    • The CA's certificate download interface may prompt for a server type. Select Apache or, if given more than one Apache type, select Apache/ModSSL.
  • The certificate chain will be sent in one of multiple certificate file formats. The following certificate formats are acceptable:
    • DER-encoded X.509 Certificate (.cer, .der, .crt)
    • PEM-wrapped DER-encoded X.509 Certificate (.pem, .crt, .b64)
    • DER-encoded PKCS #8 private key (.p8)
    • DER-encoded PKCS #12 certificates and/or private key (.p12, .pfx)
    • DER-encoded OpenSSL Legacy Private Key (.key)
    • PEM-wrapped DER-encoded OpenSSL Legacy Private Key (.pem, .key)
  • Many certificate authorities do not send the root certificate of your certificate chain. BeyondTrust requires this root certificate to function properly. If no links were provided to obtain the root certificate, contact your CA for assistance, or find the correct root certificate in your CA's online root certificate repository.
  1. Log in to your appliance's web interface.
  2. Open the Security > Certificates page.
  3. In the Security :: Other Certificates section, click Import.
  4. Browse to your certificate file and click Upload.
  5. Select the intermediate certificate files and root certificate file used by the CA.
    Your signed certificate displays in the Security :: Other Certificates section.

    ❗️

    Important

    If the new certificate shows a warning, the intermediate and/or root certificates from the CA were not imported. Ensure the following, then repeat the upload process:

    • The BeyondTrust server certificate has an Issued To field and/or an Alternative Name(s) field matching the appliance's URL.
    • Intermediate certificates have different Issued To and Issued By fields, neither of which is a URL.
    • The root certificate has identical values for the Issued To and Issued By fields, neither of which is a URL.
      If any of these are missing, contact your certificate authority.
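The Issued To / Issued By checks above, and the root/intermediate/identity chain described under "What do they send to you?", as an added shell example that is not BeyondTrust's code: it builds a constructed three-tier chain with the openssl CLI (assumed to be version 1.1.1 or newer and on PATH), classifies each file by comparing its subject and issuer, and verifies that the chain is complete before import. The organization names, the hostname support.example.com, and the helper names classify_cert and chain_ok are all made up for the example.

```shell
#!/bin/sh
# Added example, not BeyondTrust's code: build a constructed root -> intermediate
# -> identity chain with the openssl CLI, classify each file by its Issued To /
# Issued By fields, and check the chain is complete before importing it.
# Assumes openssl 1.1.1 or newer on PATH; every name and hostname here is made up.
set -eu

WORK=$(mktemp -d)
HOST="support.example.com"   # constructed appliance FQDN

# Extensions for the two CA certificates (root and intermediate).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"

# Root CA: self-signed, so Issued To and Issued By are identical.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/O=Example CA/CN=Example Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
openssl x509 -req -days 3650 -sha256 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
  -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null

# Intermediate (issuing) CA: Issued By is the root, Issued To is its own name.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/O=Example CA/CN=Example Issuing CA" \
  -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
openssl x509 -req -days 1825 -sha256 -in "$WORK/int.csr" -CA "$WORK/root.pem" \
  -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null

# Identity certificate: a CSR like the appliance's. The CN is a human-readable
# title; the FQDN users connect to goes in the Subject Alternative Name.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/C=US/L=Atlanta/O=Example Corp/OU=IT/CN=Example Support Appliance" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$HOST" > "$WORK/leaf.ext"
openssl x509 -req -days 365 -sha256 -in "$WORK/leaf.csr" -CA "$WORK/int.pem" \
  -CAkey "$WORK/int.key" -CAcreateserial -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

# classify_cert FILE: prints root, intermediate, or identity by the rules above.
classify_cert() {
  subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^[a-z]*= *//')
  iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^[a-z]*= *//')
  if [ "$subj" = "$iss" ]; then
    echo root            # issued to itself: the trust anchor
  elif openssl x509 -in "$1" -noout -text | grep -qF "DNS:$HOST"; then
    echo identity        # its SAN names the appliance hostname
  else
    echo intermediate    # issued by another CA and carries no hostname
  fi
}

# chain_ok LEAF ROOT [INTERMEDIATE]: returns 0 only if LEAF chains up to ROOT.
chain_ok() {
  if [ $# -ge 3 ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  fi
}

for f in root int leaf; do
  echo "$f.pem: $(classify_cert "$WORK/$f.pem")"
done
if chain_ok "$WORK/leaf.pem" "$WORK/root.pem" "$WORK/int.pem"; then
  echo "chain complete: import root, intermediate and identity certificate"
fi
if ! chain_ok "$WORK/leaf.pem" "$WORK/root.pem"; then
  echo "intermediate missing: the appliance would flag this certificate with a warning"
fi
```

The generated files stay in the temporary directory for inspection; the same classify_cert and chain_ok checks can be run against the files a real CA returns before uploading them.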
4. Update your appliance.

BeyondTrust software automatically trusts certificates issued by certificate authorities in your operating system's native CA trust store. If you obtain a self-signed certificate, or a certificate issued by an authority not trusted on all platforms, BeyondTrust Technical Support must build a copy of your certificate into your software. To update your appliance, send BeyondTrust Technical Support a copy of the new SSL certificate, as well as a screenshot of your Status > Basics page to identify the appliance being updated.

❗️

Important

Do NOT send your private key file (which ends in .p12, .pfx, or .key) to BeyondTrust Technical Support. This key is private because it allows the owner to authenticate your appliance's identity. Ensure that the private key and its passphrase are kept in a secure, well-documented location on your private network. If this key is ever exposed to the public (via email, for instance), the security of your appliance is compromised.

  1. Open your appliance's web interface and navigate to the Status > Basics page.
  2. Take a screenshot of the page.
  3. Add the saved screenshot and all of the SSL certificate files for your certificate chain to a .zip archive. Do NOT include any private key files (.p12, .pfx, or .key files).
  4. Compose an email to BeyondTrust Technical Support requesting a software update.
  5. Attach the .zip archive containing the certificate files and screenshot.
    If you have an open incident with Support, include your incident number in the email.
  6. Send the email.
    Once BeyondTrust Technical Support builds your new software package, we will email instructions for how to install it.
  7. Update your software following the emailed instructions.
5. Select a default certificate for clients without SNI information (SSL certificate auto-selection).

BeyondTrust uses Server Name Indication (SNI), an extension to the TLS networking protocol, to allow any SSL certificate stored on your appliance to be served to any client. Because most TLS clients send SNI information at the start of the handshaking process, this enables the appliance to determine which SSL certificate to send back to a client that requests a connection. You can choose a default certificate to serve to clients that do not send SNI information with their request, or that send SNI information which does not match anything in your appliance database.

  1. Open your appliance's web interface and navigate to the Security > Certificates page.
  2. In the Default column, select the certificate you wish to make default.

Your appliance is now fully operational and ready for production.

📘

Note

Once complete, we recommend you wait 24-48 hours before proceeding further to allow time for your BeyondTrust client software (especially Jump Clients) to update themselves with the new certificate BeyondTrust Technical Support included in your recent software update.

Use a self-signed certificate

A self-signed certificate can be used on a temporary basis for testing or installing a BeyondTrust appliance. Self-signed certificates do not provide the security or features of a certificate from a public certificate authority (CA). A CA-signed certificate is recommended for long-term or production environments.

Self-signed certificates are created in your appliance's web interface. Once created, the BeyondTrust software must be updated by BeyondTrust Technical Support.

📘

Note

Customers with a cloud site environment cannot create a self-signed certificate.

1. Create the certificate in your appliance.
  1. Log in to your appliance's web interface.

  2. Open the Security > Certificates page.

  3. Create the certificate with the following information:

    • Certificate Friendly Name: A descriptive title used to identify your certificate request on your appliance's Security > Certificates page (for example, your primary DNS name or the current month and year).
    • Key: Select a key size from the dropdown. Verify which key strengths your certificate authority supports.
      • Larger key sizes may require more processing overhead and may not be supported by older systems.
      • Smaller key sizes may become obsolete or insecure sooner than larger ones.
    • Subject Name: The contact information for the organization and department creating the certificate, along with the name of the certificate.
    • Country: The two-character ISO 3166 country code for your organization. If you are unsure of your country code, please visit www.iso.org/iso-3166-country-codes.html.
    • City (Locality): The city of your organization.
    • Organization: Your organization or company name.
    • Organizational Unit: The group or department within the organization managing the certificate and/or the BeyondTrust deployment.
    • Name (Common Name): A human-readable title for your certificate.
      • This name must be unique to differentiate the certificate from others on the network, which could include the public internet.
      • We do not recommend you use your DNS name as the common name, but some certificate authorities may require you to use your fully qualified DNS name for backward compatibility. Contact your certificate authority for details.
    • Subject Alternative Names: A list of the fully qualified domain names for each DNS A-record that resolves to your appliance (for example, support.example.com). After entering each subject alternative name (SAN), click Add.
      • A SAN protects multiple hostnames with a single SSL certificate.
      • A DNS address could be a fully qualified domain name, such as support.example.com, or it could be a wildcard domain name, such as *.example.com.
      • A wildcard domain name covers multiple subdomains.
        • If you use multiple hostnames for your site that are not covered by a wildcard certificate, define those as additional SANs.

    📘

    Notes

    • If you entered the fully qualified domain name as your subject's common name, you must re-enter this as the first SAN entry. If you wish to use IP addresses instead of DNS names, contact BeyondTrust Technical Support.
    • If you plan to use multiple appliances in an Atlas setup, we recommend using a wildcard certificate that covers both your BeyondTrust site hostname and each traffic node hostname.
      • If you do not use a wildcard certificate, adding traffic nodes that use different certificates requires a rebuild of the BeyondTrust software.
  4. Click Create Self-Signed Certificate and wait for the page to refresh.
    The certificate displays in the Certificate Requests section.

2. Update your appliance.

BeyondTrust software automatically trusts certificates issued by certificate authorities in your operating system's native CA trust store. If you obtain a self-signed certificate, or a certificate issued by an authority not trusted on all platforms, BeyondTrust Technical Support must build a copy of your certificate into your software. To update your appliance, send BeyondTrust Technical Support a copy of the new SSL certificate, as well as a screenshot of your Status > Basics page to identify the appliance being updated.

❗️

Important

Do NOT send your private key file (which ends in .p12, .pfx, or .key) to BeyondTrust Technical Support. This key is private because it allows the owner to authenticate your appliance's identity. Ensure that the private key and its passphrase are kept in a secure, well-documented location on your private network. If this key is ever exposed to the public (via email, for instance), the security of your appliance is compromised.

  1. Open your appliance's web interface and navigate to the Status > Basics page.
  2. Check the box next to the new certificate in the Security :: Certificates table.
  3. From the Select Action dropdown menu above the table, select Export.
  4. Click Apply.
  5. Uncheck Include Private Key.
  6. Click Export, and save the file to a convenient location.
  7. Navigate to the Status > Basics page.
  8. Take a screenshot of the page.
  9. Add the saved screenshot and the exported certificate to a .zip file.
    Do NOT include any private key files (.p12, .pfx, or .key files).
  10. Compose an email to BeyondTrust Technical Support requesting a software update.
  11. Attach the .zip file.
    If you have an open incident with Support, include your incident number in the email.
  12. Send the email.
    Once BeyondTrust Technical Support builds your new software package, we will email instructions for how to install it.
  13. Update your software following the emailed instructions.

📘

Note

Once the previous steps are complete, we recommend you wait 24-48 hours before proceeding further, to allow time for your BeyondTrust client software (especially Jump Clients) to update themselves with the new certificate BeyondTrust Technical Support included in your recent software update.

3. Select a default certificate for clients without SNI information (SSL certificate auto-selection).

BeyondTrust uses Server Name Indication (SNI), an extension to the TLS networking protocol, to allow any SSL certificate stored on your appliance to be served to any client. Because most TLS clients send SNI information at the start of the handshaking process, this enables the appliance to determine which SSL certificate to send back to a client that requests a connection. You can choose a default certificate to serve to clients that do not send SNI information with their request, or that send SNI information which does not match anything in your appliance database.

  1. Open your appliance's web interface and navigate to the Security > Certificates page.
  2. In the Default column, select the certificate you wish to make default.

Your appliance is now fully operational and ready for testing.

©2003-2025 BeyondTrust Corporation. All Rights Reserved.