The following error shows up when the CyberArk Vault is set up with a self-signed certificate.

ITATP151W Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1. We recommend that you use at least Signature Hash Algorithm SHA2-256 with this Vault's configuration.

When the CyberArk Vault Server application is installed, it creates a self-signed certificate that uses a weak Signature Hash Algorithm (SHA1).

The error is ok to ignore in lab environments but must be addressed in production environments.

How to change Vault Server certificate?

The self-signed certificate needs to be replaced with a CA-signed certificate. To do that, create a certificate request, have it signed by the CA, and then import the signed certificate.

Step by Step Process to Update the Certificate:

  • Launch a command prompt as administrator and navigate to the CyberArk Vault server installation directory (generally under “C:\Program Files (x86)\PrivateArk\Server”)
  • Run “CACert.exe request” and generate a SHA2 certificate request. The prompts are self-explanatory and the same as for any other certificate request.
  • The certificate is created and saved in the same directory
  • Submit the certificate request to the CA
  • Copy the signed certificate to the Vault server (I placed it under “C:\Program Files (x86)\PrivateArk\Server”)
  • Run the command “CACert.exe install” to install the certificate
  • Stop the Vault Server application and start it again
  • If all went well, the Vault Server application will start without showing the certificate error
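
A check worth running between copying the signed certificate and “CACert.exe install”: the signature hash on the issued certificate is chosen by the CA when it signs, so confirm it is not SHA1 before installing. This PowerShell is an added example, not CyberArk tooling or part of the original procedure; the function name Test-VaultCertificate and the file path in the closing comment are hypothetical, and the demo certificate is constructed in memory.

```powershell
# Added example: pre-install check for the CA-signed Vault certificate.
# OIDs of signature algorithms built on MD5 or SHA1.
$WeakSignatureOids = @{
    '1.2.840.113549.1.1.4' = 'md5RSA'
    '1.2.840.113549.1.1.5' = 'sha1RSA'
    '1.3.14.3.2.29'        = 'sha1RSA (OIW)'
    '1.2.840.10040.4.3'    = 'sha1DSA'
    '1.2.840.10045.4.1'    = 'sha1ECDSA'
}

function Test-VaultCertificate {   # hypothetical helper name
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # Match on the OID, not the friendly name, which varies by platform.
    $oid = $Certificate.SignatureAlgorithm.Value
    $findings = @()
    if ($WeakSignatureOids.ContainsKey($oid)) {
        $findings += "weak signature algorithm: $($WeakSignatureOids[$oid])"
    }
    if ($Certificate.Subject -eq $Certificate.Issuer) {
        $findings += 'self-signed (subject equals issuer)'
    }
    if ($Certificate.NotAfter -lt (Get-Date)) {
        $findings += "expired on $($Certificate.NotAfter)"
    }
    [pscustomobject]@{
        Subject            = $Certificate.Subject
        SignatureAlgorithm = $Certificate.SignatureAlgorithm.FriendlyName
        ReadyToInstall     = ($findings.Count -eq 0)
        Findings           = $findings -join '; '
    }
}

# Constructed demo input: an in-memory SHA1 self-signed certificate,
# the same kind of certificate the ITATP151W warning is about.
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
$req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=constructed-vault-demo', $rsa,
    [System.Security.Cryptography.HashAlgorithmName]::SHA1,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$demo = $req.CreateSelfSigned([DateTimeOffset]::Now.AddMinutes(-5), [DateTimeOffset]::Now.AddDays(1))
Test-VaultCertificate -Certificate $demo

# Real use (placeholder path, replace with the file returned by the CA):
# $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new('C:\path\to\signed-vault.cer')
# Test-VaultCertificate -Certificate $cert
```

The in-memory demo needs .NET Framework 4.7.2 or later (or PowerShell 7); the function itself only needs the X509Certificate2 class.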