
Downloading CyberArk ZTPKI Certificates from the CyberArk Console

  1. Log in to your CyberArk console.
  2. Navigate to Certificates.
  3. Download the root CA certificate.
     1. For the purposes of this document, we will refer to this file as venafi-root.cer.
  4. Download the issuing CA certificate.
     1. We will refer to this file as venafi-issuer.cer.

The body of the issuing CA certificate can be copied from the Certificate Authority Details section or obtained via the Download button. The body of the root CA certificate can be copied from the Issuer Details section.

  5. Copy the downloaded .cer files to your domain controller.

Adding Certs to NT AuthStore

  1. Open a command prompt as an Administrator and navigate to the Downloads folder or the location where you copied the downloaded certificates.
  2. Execute certutil -addstore "Root" venafi-root.cer

This adds the CyberArk root certificate to the domain's list of trusted root certificates. Note: for the steps below you may need to install the Active Directory Certificate Services tools to view the Enterprise PKI snap-in.

  3. Open Run on the server by pressing Windows Key + R.
  4. In Run, type mmc and hit Enter.
  5. Go to File and then select Add/Remove Snap-in.
  6. Add the Enterprise PKI snap-in, then click OK.
  7. Right-click Enterprise PKI and select Manage AD Containers.
     1. From the NTAuthCertificates tab, click Add.
     2. Locate the venafi-issuer.cer file and click Open. (If the file is not shown, set the file type filter to All Files.)
     3. Confirm that the issuing CyberArk certificate is now listed with Status OK. Click OK.

Adding CyberArk Certificates to Each Domain Controller

CyberArk certificates must be added to each domain controller. Customers can use group policy or manually install the certificates on each domain controller.

Updating Domain Controller GPO

  1. Go to Group Policy Management.
  2. Edit the "Default Domain Controllers Policy".
  3. Go to Computer Configuration > Windows Settings > Security Settings > Public Key Policies.
  4. Right-click Trusted Root Certification Authorities and click Import.
     1. Import the CyberArk root certificate.
  5. Right-click Intermediate Certification Authorities and click Import.
     1. Import the issuing CyberArk certificate.

Validating

  1. Go to the domain controller.
  2. Open the command prompt as administrator and run gpupdate /force.
  3. Open the local domain controller certificate store:
  4. Open Run on the server by pressing Windows Key + R.
  5. In Run, type certlm.msc and hit Enter.
  6. Go to Trusted Root Certification Authorities and then Certificates; you will see the root certificate.
  7. Go to Intermediate Certification Authorities and then Certificates; you will see the issuing certificate.

Adding CyberArk Certificates to Computers

CyberArk certificates must be added to each computer for authentication to work.

Creating GPO

  1. Go to Group Policy Management.
  2. Create a new group policy at your Computers OU to apply to your workstations.
  3. Edit the new group policy for the workstations.
  4. Go to Computer Configuration > Windows Settings > Security Settings > Public Key Policies.
  5. Right-click Trusted Root Certification Authorities and click Import.
     1. Import the CyberArk root certificate.
  6. Right-click Intermediate Certification Authorities and click Import.
     1. Import the issuing CyberArk certificate.

Validating

  1. Go to the domain controller and to any workstation the GPO is applied to.
  2. Open the command prompt as administrator and run gpupdate /force.
  3. Open the local computer certificate store:
  4. Open Run on the machine by pressing Windows Key + R.
  5. In Run, type certlm.msc and hit Enter.
  6. Go to Trusted Root Certification Authorities and then Certificates; you will see the root certificate.
  7. Go to Intermediate Certification Authorities and then Certificates; you will see the issuing certificate.
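The two Validating sections above check the stores by eye. The following script is an added example for this page (not TruU's or CyberArk's code) that performs the same checks from an elevated PowerShell prompt on a domain controller, and additionally confirms the issuing CA is present in the AD NTAuthCertificates container populated under "Adding Certs to NT AuthStore". It assumes the downloaded venafi-root.cer and venafi-issuer.cer (the file names this page uses) are in the current directory.

```powershell
# Added example (not part of the original page): verify that the CyberArk ZTPKI
# chain is present in every store the steps above populate. Assumes
# venafi-root.cer and venafi-issuer.cer are in the current directory.
$root   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
              -ArgumentList (Resolve-Path '.\venafi-root.cer').Path
$issuer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
              -ArgumentList (Resolve-Path '.\venafi-issuer.cer').Path

# 1. The issuing CA must chain to exactly the root we installed. Match on the
#    thumbprint, not on subject text, so a look-alike CA name is not accepted.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust-path check only; CRL/OCSP may be unreachable
$built   = $chain.Build($issuer)
$chainOk = $false
if ($chain.ChainElements.Count -gt 0) {
    $last    = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $chainOk = $built -and ($last.Thumbprint -eq $root.Thumbprint)
}

# 2. Local machine stores written by the GPO:
#    Root = Trusted Root Certification Authorities, CA = Intermediate Certification Authorities.
$inRoot = Test-Path "Cert:\LocalMachine\Root\$($root.Thumbprint)"
$inCA   = Test-Path "Cert:\LocalMachine\CA\$($issuer.Thumbprint)"

# 3. NTAuthCertificates in AD (what Enterprise PKI > Manage AD Containers wrote).
#    Certificate logon fails without the issuing CA here even if the chain is trusted.
#    certutil prints each entry as "Cert Hash(sha1): aa bb cc ..." (older builds
#    insert spaces), so strip whitespace before comparing.
$ntauthHashes = certutil -store -enterprise NTAuth |
    Select-String 'Cert Hash\(sha1\):\s*(.+)$' |
    ForEach-Object { ($_.Matches[0].Groups[1].Value -replace '\s', '').ToUpperInvariant() }
$inNTAuth = $ntauthHashes -contains $issuer.Thumbprint.ToUpperInvariant()

# Report. Any $false maps to the section above whose step did not take effect.
$now = Get-Date
[pscustomobject]@{
    RootSubject           = $root.Subject
    IssuerSubject         = $issuer.Subject
    IssuerChainsToRoot    = $chainOk
    RootInTrustedRoots    = $inRoot
    IssuerInIntermediates = $inCA
    IssuerInNTAuth        = $inNTAuth
    ChainNotExpired       = ($root.NotAfter -gt $now) -and ($issuer.NotAfter -gt $now)
} | Format-List
```

On a workstation, where the NTAuth container is not relevant, ignore IssuerInNTAuth and read the two store checks after gpupdate /force has completed.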
