Everyone's favorite part 👍. The good news is that the certificates are rather simple for the gateway, but it is where I see the most struggle.
## What Certificates do you need?
[CyberArk HTML5 Gateway Certificates](https://docs.cyberark.com/pam-self-hosted/latest/en/content/pas%20inst/install_psm_html5_docker.htm#LaunchtheHTML5Gatewaycontainer)
- HTML5 Gateway Certificate & Key
- PSM Certificate
- Root Authority Certificate(s)
- The one(s) that signed the PVWA & PSM
We will cover how to create the GW and PSM certificates, along with gathering the Certificate Authority certificate that signed the PVWA.
> [!Tip]- Certificate Formats
>
> For the HTML5 Gateway I find it best to use the .cer or .pem format. The only .cer file I have for the GW is the gateway certificate itself.
## Create the Certificate Directory used by the Container
Before we start, create the default location for the certificates. The container will look in the default location to pull all the certificates it needs. The default directory is '/opt/cert' on the host machine where your container will run.
1. Log in to your soon-to-be gateway machine
2. Run `mkdir /opt/cert`
> [!Info] Certificate Directory
> This is where we will place all of the certificates the container needs. Feel free to place the certificates here as you work through the guide. Before we run the install we will cover everything that needs to be in the /opt/cert directory.
## Gateway CSR & Certificate Creation
I prefer to use a conf file when creating certificates so I can recreate and adjust values more easily later on if needed. If you're not familiar with using a conf file with openssl: in short, it is just a file that stores all the info you would normally be prompted for when creating a CSR.
### Create Conf File
While logged into your gateway machine, run the following commands to create creq.conf
* `touch creq.conf`
* `vim creq.conf`
Adjust the values accordingly:
```ini
[req]
prompt = no
# 'days' is not read by 'openssl req' when generating a CSR; the issuing CA
# decides the validity period when it signs. Left in place, it is ignored.
days = 4096
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = NY
localityName = NY
organizationName = CLAB
organizationalUnitName = Security
commonName = g5way
emailAddress = NA

[ v3_req ]
basicConstraints = CA:false
extendedKeyUsage = serverAuth
# The SANs are what the browser matches against the gateway hostname
subjectAltName = @sans

[ sans ]
DNS.0 = g5way
DNS.1 = g5way.clab.com
DNS.2 = g5way.clab
```
Next we will use creq.conf to generate our CSR.
### Generate the CSR & Key
Run the following command to generate your CSR and key:
`openssl req -newkey rsa:4096 -keyout gw.key -nodes -out gw.csr -config creq.conf`
### Verify CSR Contents
`openssl req -text -noout -verify -in gw.csr`
![[Pasted image 20250509121239.png]]
Next we will need to submit the CSR and get our certificate back. The key will be used later on during the install.
### Submitting the Gateway CSR
> [!NOTE] Very similar to another guide here
> [[01 - Projects/CCP-Client Cert Auth/02 - Certificates#02.2 Submitting CSR|02 - Certificates| From CCP LAB Guide]]
This will be different for every environment, so I will show you the most common method.
In this lab I am using Microsoft's Certificate Authority - Web Enrollment.
I just need to open a browser and log in to the CA Web Enrollment page.
I moved the CSR to a machine that can access my Certificate Authority Web Enrollment page.
1. Navigate to http://clab.com/certsrv and log in
![[Pasted image 20250418174623.png]]
2. Click > Request a Certificate > Advanced User Request
![[Pasted image 20250418174520.png]]
3. Open the CSR you generated, select all, and copy
![[Pasted image 20250509122643.png]]
4. Go back to the **Advanced User Page**
- Paste the entire contents into the Base64 box
- Select the template - WebServer (in my lab)
- Click Submit
![[Screenshot 2025-05-09 at 1.26.21 PM.png]]
5. Select Base64 and download the certificate
> [!info]
> You can download the Chain if needed
>
![[Pasted image 20250418180138.png]]
6. Move the certificate to the gateway machine.
### Confirm the Cert & Key Match (Optional)
Once the certificate is back on the GW machine you can confirm that the key created during CSR generation and the certificate match: the two hashes printed by the commands below should be identical.
`openssl x509 -noout -modulus -in gw.cer | openssl md5`
`openssl rsa -noout -modulus -in gw.key | openssl md5`
![[Pasted image 20250509141026.png]]
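The same checks as a small shell script, added here as an example that is not part of the guide: it compares the whole public key instead of the RSA modulus (so it also works for EC keys) and confirms the SANs from creq.conf made it into the issued certificate. The gw.cer and gw.key names are the guide's; the sample key and self-signed certificate are constructed in the script only so the checks can run offline.

```shell
#!/bin/sh
# Added example, not from the guide: pre-flight checks on the gateway
# certificate and key before they go into /opt/cert.

# Succeeds when the public key inside the certificate ($1) is the one derived
# from the private key ($2). Both commands print the same SubjectPublicKeyInfo
# PEM, so the text can be compared directly.
cert_key_match() {
  ckm_cert=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null)
  ckm_key=$(openssl pkey -pubout -in "$2" 2>/dev/null)
  [ -n "$ckm_cert" ] && [ "$ckm_cert" = "$ckm_key" ]
}

# Succeeds when the certificate ($1) lists host $2 as a DNS SAN, which is what
# the browser matches against the address it used to reach the gateway.
cert_has_san() {
  openssl x509 -noout -text -in "$1" 2>/dev/null \
    | tr ',' '\n' | tr -d ' ' | grep -qx "DNS:$2"
}

# Constructs a throwaway key plus a self-signed certificate carrying the
# guide's SANs (a stand-in for the CA-issued gw.cer), and an unrelated key.
make_sample() {
  ms_dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=g5way" \
    -addext "subjectAltName=DNS:g5way,DNS:g5way.clab.com,DNS:g5way.clab" \
    -keyout "$ms_dir/gw.key" -out "$ms_dir/gw.cer" >/dev/null 2>&1
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$ms_dir/other.key" >/dev/null 2>&1
  echo "$ms_dir"
}

# Stand-alone demo against the constructed files
d=$(make_sample)
cert_key_match "$d/gw.cer" "$d/gw.key"    && echo "gw.cer matches gw.key"
cert_key_match "$d/gw.cer" "$d/other.key" || echo "gw.cer does not match other.key"
cert_has_san "$d/gw.cer" g5way.clab.com   && echo "SAN g5way.clab.com present"
rm -rf "$d"
```

Point the two functions at /opt/cert/gw.cer and gw.key on the gateway host to run the checks against the real files.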
# Create the PSM Certificate
Some environments might already have a certificate that can be used for both the PSM and the GW, but I find it easier to create a new one in most cases.
Since this process is very similar to the one above, along with several other certificate creation processes I have covered in another guide, I will link them below to avoid documenting the same steps again.
The only differences should be:
- DNS (Subject Alternative Names): these should reflect your PSM server's FQDN, for example "psm.clab.com"
- "Enhanced Key Usage" should only need "Server Authentication"
> [!Leading Practice] Links to Certificate Generation
>
> [[01 - Projects/CCP-Client Cert Auth/02 - Certificates#02.1 Creating CSR and Certificate - MMC|Generating Certificates]]
> [[01 - Projects/CCP-Client Cert Auth/02 - Certificates#02.2 Submitting CSR|Submitting CSR]]
> [[01 - Projects/CCP-Client Cert Auth/02 - Certificates#02.3 Install & Export the Certificate|Install & Export]]
>
Once the certificate is created, installed and exported, we can create a PEM file which we will move to the GW machine's "/opt/cert/" directory.
But first we will add it to the collection for the RD Connection Broker.
I generated the CSR from my PSM machine, and depending on the environment you can typically install the certificate in the Local Computer > Personal store.
## Add PSM Certificate to RD Connection Broker
> [!tip] If you have multiple PSM Servers
> It's common practice to create one certificate that includes all of the PSM servers' FQDNs
1. Log in to your PSM machine
2. Go to Server Manager > Remote Desktop Services > Collections > click Tasks > Edit Deployment Properties
![[Screenshot 2025-05-12 at 1.49.50 PM.png]]
3. Navigate to Certificates
![[Screenshot 2025-05-12 at 1.50.03 PM.png]]
4. Select RD Connection Broker - Enable Single Sign On
    1. Select Existing Certificate
        1. Choose the PSM PFX you created
        2. Provide the password you gave the PFX
        3. Check "Allow the certificate to be added to the Trusted Root Certification Authorities store" if applicable and click OK
        4. Click Apply
![[Screenshot 2025-05-12 at 1.58.08 PM.png]]
5. Repeat the same steps for RD Connection Broker - Publishing
    1. Select Existing Certificate
        1. Choose the PSM PFX you created
        2. Provide the password you gave the PFX
        3. Check "Allow the certificate to be added to the Trusted Root Certification Authorities store" if applicable and click OK
        4. Click Apply
## Convert PSM PFX to a PEM File
I use the word "convert" loosely here, because really we are creating a blank txt file and copying the contents of all the certificates that make up our PFX into one file. Then we change the extension to ".pem".
> [!info]
> If you downloaded the chain when submitting the CSR, that can work too. But I prefer this manual "convert" method. Plus I believe it helps with understanding the larger picture.
Now that we have our PSM certificate in PFX format we can use it to create the PEM file the Gateway will use to trust the connection to the PSM.
1. Create a blank ".txt" file (psmchain.txt)
2. Right click on your PSM PFX file and select Open
    1. This shows us which certificates will be needed in your PEM file
![[Screenshot 2025-05-12 at 2.02.53 PM.png]]
    2. Locate the certificates listed
        1. Start with the signing root CA (clab-DC01-CA)
        2. Copy its contents and paste it into the newly created "txt" file
    3. Repeat this process for all certificates listed
        1. In my lab I only needed the 2 certificates
![[Screenshot 2025-05-12 at 2.11.54 PM 1.png]]
3. Once all certificates have been copied and pasted into your txt file
    1. Save the file
4. Move the text file to your GW machine
5. Rename the file to have a ".pem" extension and move it to the /opt/cert/ directory
```shell
cp psmchain.txt /opt/cert/psmchain.pem
```
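The openssl equivalent of the manual copy-and-paste above, added here as an example that is not part of the guide: it pulls every certificate out of the PFX (the PSM certificate plus whatever chain certificates Windows packed in) into one PEM file and leaves the private key out, which is all the gateway needs to trust the PSM. The file paths and the password are assumptions; the sample PFX is constructed in the script from a throwaway lab CA so the conversion can be run offline.

```shell
#!/bin/sh
# Added example, not from the guide: scripted PFX -> PEM chain conversion.

# Usage: pfx_to_chain_pem <in.pfx> <pfx-password> <out.pem>
pfx_to_chain_pem() {
  # awk keeps only the PEM blocks and drops the "Bag Attributes" text that
  # openssl pkcs12 prints ahead of each certificate.
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
    | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' > "$3"
  [ -s "$3" ]   # empty output means a wrong password or unreadable PFX
}

# Counts the certificates in a PEM file, to confirm the whole chain landed.
pem_cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Constructs a throwaway PFX shaped like the one exported from the PSM: a lab
# CA, a PSM certificate signed by it, and the PSM key, wrapped with a password.
make_sample_pfx() {
  msp=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=clab-DC01-CA" \
    -keyout "$msp/ca.key" -out "$msp/ca.cer" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=psm.clab.com" \
    -keyout "$msp/psm.key" -out "$msp/psm.csr" >/dev/null 2>&1
  openssl x509 -req -in "$msp/psm.csr" -CA "$msp/ca.cer" -CAkey "$msp/ca.key" \
    -CAcreateserial -days 1 -out "$msp/psm.cer" >/dev/null 2>&1
  openssl pkcs12 -export -inkey "$msp/psm.key" -in "$msp/psm.cer" \
    -certfile "$msp/ca.cer" -passout pass:changeit -out "$msp/psm.pfx" \
    >/dev/null 2>&1
  echo "$msp"
}

# Stand-alone demo against the constructed PFX
dir=$(make_sample_pfx)
pfx_to_chain_pem "$dir/psm.pfx" changeit "$dir/psmchain.pem" \
  && echo "psmchain.pem holds $(pem_cert_count "$dir/psmchain.pem") certificate(s)"
rm -rf "$dir"
```

A PFX exported from Windows may be encrypted with the older RC2/3DES algorithms; on OpenSSL 3 add `-legacy` to the `openssl pkcs12 -in` command if it refuses to read the file.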
# Signing Root Authority Certificate for the PVWA
In a lot of cases the certificates will all be signed by the same Certificate Authority. I find it easiest to grab this certificate from the PVWA machine and move it to the GW machine's /opt/cert directory.
> [!info] My Experience
> Even though the PSM chain includes the same root CA certificate used to sign all the certificates in my environment, I have run into trust issues unless I added the root CA or chain separately.
1. Log in to the PVWA machine
2. Launch inetmgr.msc
3. Navigate to your Default Site > Bindings
4. Click Bindings
![[Screenshot 2025-05-12 at 2.25.29 PM.png]]
5. Highlight your PVWA certificate (443) and double click
6. Click View
![[Screenshot 2025-05-12 at 2.25.49 PM.png]]
7. Go to the Certification Path Tab
8. Select the top-level certificate and click View Certificate
![[Screenshot 2025-05-12 at 2.26.30 PM.png]]
Now we are looking at the certificate authority's root certificate.
![[Screenshot 2025-05-12 at 2.35.48 PM.png]]
9. Navigate to the Details tab and click Copy to File
![[Pasted image 20250512235319.png]]
10. Click Next
11. Select Base 64 Encoded format > Click Next
12. Provide a Name and Location > Click Next
![[Screenshot 2025-05-12 at 2.40.50 PM.png]]
13. Click Finish
![[Pasted image 20250512144251.png]]
14. Move the file to the GW machine
15. Rename the file to have a ".pem" extension and move it to the /opt/cert directory
```shell
cp pvwacaroot.cer /opt/cert/capvwa.pem
```