Service Overview

Renew and generate KE production certificates and tokens via a controlled flow: sign CSR, create P7B bundle, and generate user token with audited artifacts and references.

! Important: Ensure a valid JIRA task accompanies every renewal request before starting.

A. Sign the CSR and Issue Certificate

  1. Download the CSR from JIRA and place it in CyberArk Main Downloads.
  2. Open a fresh Git Bash terminal.
  3. Copy CSR to KE production bastion (cont17131):
    scp ~/Downloads/<ATTACHED-CSR-FILE-NAME> cont17131:/tmp
    Upload issues
    ! If Permission denied, validate SSH keys/permissions; if Connection timed out, check network and host reachability; ensure keys are loaded with ssh-add -l.
  4. Connect and elevate:
    ssh cont17131
    su - apizone
    sudo su -
    Credentials handling
    ! Fetch the password from CyberArk or the enterprise vault; do not embed plaintext passwords in documentation or scripts.
  5. Move into module directory and place CSR:
    cd /home/apizone/CSR/<COUNTRY>/KE/<MODULE-DIRECTORY>
    mv /tmp/<ATTACHED-CSR-FILE-NAME> .
  6. Sign CSR and capture details:
    # An unquoted '&' in the output name would background the command, so the name uses an underscore.
    openssl ca -policy policy_anything -in <ATTACHED-CSR-FILE-NAME> \
      -cert /home/apizone/CSR/<COUNTRY>/rootCA.pem \
      -keyfile /home/apizone/CSR/<COUNTRY>/rootCA.key \
      -out <CERT-OUTPUT-FILE-NAME.crt> > cert_details_<DATE>.txt
    CA key passphrase
    ! Enter the passphrase securely when prompted; avoid shell history or logs capturing secrets.
  7. Create P7B bundle:
    openssl crl2pkcs7 -nocrl -certfile <CERT-OUTPUT-FILE-NAME.crt> \
      -certfile /home/apizone/CSR/<COUNTRY>/kepsvvcmsblbr.dtbank.net.crt \
      -certfile /home/apizone/CSR/<COUNTRY>/rootCA.pem \
      -out <P7B-OUTPUT-FILE-NAME.p7b>
  8. Retrieve P7B to local:
    scp cont17131:/tmp/<P7B-OUTPUT-FILE-NAME.p7b> ~/Downloads/

B. Generate Token for PROD KE

  1. Generate token and write to file:
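    # An unquoted '&' in the output name would background the command, so the name uses an underscore.
    cert-gen-ke-prod <USERNAME-REFER-TO-EXCEL> > <USERNAME>_<DATE-OF-GENERATION>.txt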
  2. Attach certificate details text and P7B bundle to the JIRA task and prepare the notification email to the bank team.

Frequently Asked Questions

CSR appears corrupted

Re-download the CSR from JIRA; if corruption persists, request a new CSR from the certificate authority team.

How long does renewal take?

Certificate issuance typically completes in 15–30 minutes depending on load; token generation usually completes within 5 minutes.

Permission errors

! Ensure su - apizone and sudo su - succeeded; if RBAC limits apply, contact platform admins.

Verify certificate contents

    openssl x509 -in <CERT-OUTPUT-FILE-NAME.crt> -text -noout
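
The checks behind "CSR appears corrupted" and "Verify certificate contents" can be scripted so they run before signing and before the P7B is attached to JIRA. This is an added example, not part of the original runbook: the function names (csr_ok, cert_matches, p7b_count, make_samples) are hypothetical, and make_samples builds a throwaway CA and CSRs as constructed sample input standing in for rootCA.pem and the JIRA attachment.

```shell
#!/bin/sh
# Added example: function names and sample files are hypothetical/constructed.

# Succeeds only if the CSR parses and its self-signature verifies.
# The output is checked rather than relying on the exit status alone.
csr_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Succeeds only if the certificate chains to the CA and carries the CSR's public key.
cert_matches() {  # usage: cert_matches CERT CSR CA
    openssl verify -CAfile "$3" "$1" >/dev/null 2>&1 || return 1
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl req -in "$2" -noout -pubkey)" ]
}

# Prints how many certificates a P7B bundle contains.
p7b_count() {
    openssl pkcs7 -in "$1" -print_certs | grep -c 'BEGIN CERTIFICATE'
}

# Builds constructed sample material in a temp dir and prints its path.
make_samples() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Sample Root" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    for n in mod other; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=sample-$n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    done
    openssl x509 -req -in "$d/mod.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/mod.crt" 2>/dev/null
    openssl crl2pkcs7 -nocrl -certfile "$d/mod.crt" -certfile "$d/ca.pem" \
        -out "$d/mod.p7b"
    head -c 200 "$d/mod.csr" > "$d/bad.csr"   # simulate a truncated download
    echo "$d"
}
```

In the real flow, csr_ok runs on the downloaded CSR before step A.6, and cert_matches and p7b_count run on the issued certificate and bundle before they leave the bastion.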

Contact & Support

Share the JIRA task ID, CSR filename, and any error outputs when requesting assistance to speed up triage.

  • Escalation team: DevOps Infrastructure
  • Emergency response target: under 30 minutes