CyberArk Client Certificate

Hi Team,

We are currently integrating Automation Cloud with CyberArk. During the process, there is a step to configure the authentication method. Could you please provide more details on how to configure the authentication method using the certificate serial number?


@sachishekar

Welcome to our UiPath community.

Have a look at the thread below and follow the steps.

Hi Lakshman,

Thanks for your response.

We are following the link shared. However, could you please explain how to configure the authentication method using the certificate serial number? This is Step 6 as shown in the screenshot.

Old post, @sachishekar Did you find what you are looking for?

CyberArk CCP (Central Credential Provider Web Service) Integration, as described in the following document that you took your screenshot from, is configuring authentication using a Client Certificate used to validate the authenticity of the connecting User/Service. The Serial Number comes from the Client Certificate being used.

https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/Latest/en/Content/CP%20and%20ASCP/Application-Authentication-Methods-general.htm#!#ClientCert

Alternatively you can install the CyberArk AAM (Application Access Manager) on your Orchestrator node and integrate with CyberArk that way as documented in

@codemonkee

Hi Tim,

We are trying to integrate CyberArk with Enterprise Cloud Orchestrator.

I am being asked for Client Certification Serial Number by CyberArk team. Where can I get it from?

Thank you!

Did you find an answer to your question?

I am looking for the same information for UiPath Orchestrator and CyberArk integration.

Serial Number is a property of the Certificate that was issued by the CA and should be unique (at least in the realm of that CA).

For example, using Chrome to look at the Certificate for forum.uipath.com

In PowerShell you can select the properties of the certificate like so:

```powershell
# List certificates in the local machine's Personal store whose
# friendly name or subject mentions "uipath", with the fields of interest.
Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -match "uipath" -or $_.Subject -clike "*uipath*" } |
    Select-Object FriendlyName, Thumbprint, Subject, NotBefore, NotAfter, SerialNumber
```

```
FriendlyName : UiPath Orchestrator
Thumbprint   : 345234523452345345
Subject      : CN=uipathxxx.xxxx.ca, OU=XXXX, O=XXXXX, L=XXXXX, S=XXXXX, C=CA
NotBefore    : 8/7/2022 5:58:41 PM
NotAfter     : 8/6/2024 5:58:41 PM
SerialNumber : ASDFA234234SDFSDF
```

Similar example but from a PEM File (Certificate served by forum.uipath.com)

```powershell
# Load a certificate from a file on disk and show the same properties.
$certFile = Get-Item ".\forum.uipath.com"
$certType = [System.Security.Cryptography.X509Certificates.X509Certificate2]
# Pass the full path so the file resolves regardless of the process working directory.
$certType::CreateFromCertFile($certFile.FullName) -as $certType |
    Select-Object FriendlyName, Thumbprint, Subject, NotBefore, NotAfter, SerialNumber
```

```
FriendlyName :
Thumbprint   : 303B1CFA4A0248E3EABE26B3A028DE04F110A3C0
Subject      : CN=forum.uipath.com
NotBefore    : 11/5/2022 5:00:35 PM
NotAfter     : 2/3/2023 4:00:34 PM
SerialNumber : 04E143054E56F2DF455B66A7DEB68476AAC7
```

BIND and many other ways of extracting the properties of the certificate.

@codemonkee

Thank you Tim!

Who can help me to get this client certificate to authenticate UiPath Orchestrator against CyberArk? I need to enter the client certificate details in CyberArk and Orchestrator for configuration.

I imagine in Cloud UiPath you only have access to configure CyberArk CCP and not CyberArk AAM as AAM requires the installation of a CyberArk Client.

The links I provided back in January should help you out as well as the docs on Managing Credential Stores

But in any case, when you configure a Credential Store for your Orchestrator Tenant using CyberArkCCP as the Type, a few of the fields you provide are the following.

  • Client Certificate (You generate a self-signed certificate using apps/commands of your choice, use your organization's internal issuing CA if it has one, or request one from a CA: DigiCert, VeriSign, etc., which will often have a cost associated with it. Alternatively you might be able to use a service like Let's Encrypt, but it might not be suitable due to only being valid for 90 days, which would be a bit of overhead to manage on your part, if you could automate the certificate rotation between Orchestrator and CyberArk)
  • Client Certificate Password (if there is one)
  • Server Root Certificate (If the CyberArk Server uses a self-signed certificate or a certificate that would otherwise not be signed by a Trusted Root CA that Orchestrator doesn’t already trust)

Your CA should have instructions on how to do that for them; it can be as simple as filling out a form. If you actually need to generate a CSR to submit to your CA, you can use openssl to generate a key and CSR. A quick search on Google will have a lot of information.

I’m sure there are other ways out there, but if not already using a Certificate Identity/Management Service, I generally fall back to openssl.

```shell
openssl req -newkey rsa:4096 -nodes \
  -keyout private.key \
  -out certreq.csr \
  -config configfile.cnf
```

^ Sorry, I don’t know offhand all the properties you want to pass along when not using a template.
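One possible `configfile.cnf` for the command above, together with the self-signed option and a serial-number lookup, as an added example that is not part of the original thread or of either vendor's documentation. The CN, the output directory and the `v3_client` section name are constructed placeholders; the extension values are an assumption about what a TLS client-authentication certificate typically carries, so check them against your CA's template.

```shell
#!/bin/sh
# Added example, not from the original thread. The CN and output directory
# are constructed placeholders; file names follow the openssl command above.

# Write configfile.cnf and create private.key + certreq.csr in directory $1.
# $2 = subject CN, $3 = RSA key size (defaults to 4096 as in the thread).
make_client_csr() {
    mkdir -p "$1" || return 1
    cat > "$1/configfile.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = v3_client

[ dn ]
CN = $2

[ v3_client ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
    # umask 077 in a subshell so the unencrypted key is never world-readable.
    ( umask 077
      openssl req -newkey "rsa:${3:-4096}" -nodes \
        -keyout "$1/private.key" \
        -out "$1/certreq.csr" \
        -config "$1/configfile.cnf" )
}

# Self-signed option: sign the CSR with its own key and apply the
# clientAuth extensions. With a CA, submit certreq.csr instead.
self_sign() {
    openssl x509 -req -in "$1/certreq.csr" -signkey "$1/private.key" \
        -days 365 -extfile "$1/configfile.cnf" -extensions v3_client \
        -out "$1/client.crt"
}

# Print the certificate serial number as bare uppercase hex.
cert_serial() {
    openssl x509 -in "$1" -noout -serial | cut -d= -f2
}

# Run as: sh script.sh <output-dir> <subject-CN>
if [ "$#" -ge 2 ]; then
    make_client_csr "$1" "$2" && self_sign "$1" && cert_serial "$1/client.crt"
fi
```

The last line printed is the certificate's serial number; `private.key` is written unencrypted because of `-nodes`, so keep it out of shared locations.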
