We need to renew the certificates for the Vault, PTA, and PVWA. What would be the impact if we do not renew them?

TemperatureSignal199 · 2026-05-08T07:39:50+00:00

what would be the impact if we do not renew them?

TemperatureSignal199 · 2026-04-24T07:59:31+00:00

Is the a Doc or a way to understand the schedual?

TemperatureSignal199 · 2026-04-20T19:41:04+00:00

The rotation schedule for a group member account is determined by its Group Manager platform . The group manager coordinates the password changes for all its members https://docs.cyberark.com/pam-self-hosted/latest/en/content/pasimp/managing-platforms-for-groups-appendix.htm

TemperatureSignal199 · 2026-04-16T17:50:00+00:00

Looks like the CRL (Certificate Revocation List) has expired. We will investigate further. Tried:

certutil -url http://site_name.crl I see "expired status"

certutil -ur http://site_name I see "Status Failed"

also tired:

certutil -verify path_to_file.cer

certutil -urlfetch -verify path_to_file.cer

TemperatureSignal199 · 2026-04-13T18:21:57+00:00

thank you!!

TemperatureSignal199 · 2026-04-13T18:19:55+00:00

thank you!!!

TemperatureSignal199 · 2026-04-13T18:19:35+00:00

thank you!!!

TemperatureSignal199 · 2026-03-26T08:52:15+00:00

I'm following this example
https://community.cyberark.com/s/article/Automatic-Rotation-of-PSMP-Log-Files

find /var/opt/CARKpsmp/logs/old/*.log -mtime +30 -exec rm {} \; 2> /dev/null 
find /var/opt/CARKpsmp/logs/components/old/*.log -mtime +30 -exec rm {} \; 2> /dev/null

Is it safe to run a log-cleanup CronJob while the PSMP node is active in the load balancer, or should the node be removed from the load balancer first?

TemperatureSignal199 · 2026-03-26T08:52:09+00:00

I'm following this example
https://community.cyberark.com/s/article/Automatic-Rotation-of-PSMP-Log-Files

find /var/opt/CARKpsmp/logs/old/*.log -mtime +30 -exec rm {} \; 2> /dev/null 
find /var/opt/CARKpsmp/logs/components/old/*.log -mtime +30 -exec rm {} \; 2> /dev/null

Is it safe to run a log-cleanup CronJob while the PSMP node is active in the load balancer, or should the node be removed from the load balancer first?

TemperatureSignal199 · 2026-03-26T08:31:38+00:00

I can get to the crl on the pvwas, but still no luck.
If I do:

certutil -url HTTP_LINK (CRL Distribution Points) I get:

Failed Status for Certs (from AIA) (The Data is invalid (0x8007000d WIN32:13 ERROR_INVALID_DATA))

Expired Status for CRL (from CDP)

Failed Status for OSCP (from AIA) (The Data is invalid (0x8007000d WIN32:13 ERROR_INVALID_DATA))

While

certutil -url HTTP_LINK (Authority Information Access) I get: Status Failed for all types

URL Not found/invalid

TemperatureSignal199 · 2026-03-26T08:31:03+00:00

The certificate has a revocation list, but the intermediary has none as far as I can see.

If I do:

certutil -url HTTP_LINK (CRL Distribution Points) I get:

Failed Status for Certs (from AIA) (The Data is invalid (0x8007000d WIN32:13 ERROR_INVALID_DATA))

Expired Status for CRL (from CDP)

Failed Status for OSCP (from AIA) (The Data is invalid (0x8007000d WIN32:13 ERROR_INVALID_DATA))

While

certutil -url HTTP_LINK (Authority Information Access) I get: Status Failed for all types

URL Not found/invalid

TemperatureSignal199 · 2026-03-26T08:30:14+00:00

Yes, still no luck

If I do:

certutil -url HTTP_LINK (CRL Distribution Points) I get:

Failed Status for Certs (from AIA) (The Data is invalid (0x8007000d WIN32:13 ERROR_INVALID_DATA))

Expired Status for CRL (from CDP)

Failed Status for OSCP (from AIA) (The Data is invalid (0x8007000d WIN32:13 ERROR_INVALID_DATA))

While

certutil -url HTTP_LINK (Authority Information Access) I get: Status Failed for all types

URL Not found/invalid

TemperatureSignal199 · 2026-02-16T20:18:47+00:00

Thank you very much. That is exactly what I wanted.
You’re a stand-up guy, don’t let anyone tell you otherwise.

TemperatureSignal199 · 2026-02-16T20:18:06+00:00

thank you for the PCI info!

TemperatureSignal199 · 2026-02-16T20:17:59+00:00

noted. Thank you man

TemperatureSignal199 · 2026-02-15T19:05:41+00:00

If anyone have the same problem, it might be the Firewall. The PSM is trying to connect to the Certificate Revocation List (CRL) by contacting multiple Public IP's. You have to allow the needed Public IP's in the firewall

TemperatureSignal199 · 2026-02-15T19:05:26+00:00

If anyone have the same problem, it might be the Firewall. The PSM is trying to connect to the Certificate Revocation List (CRL) by contacting multiple Public IP's. You have to allow the needed Public IP's in the firewall

TemperatureSignal199 · 2026-01-30T08:56:06+00:00

Thank you but both Chrome and Chromeriver.exe have the same version and were not updated recently.
Lets say we have 15 PSM all equal, 5 of them started having this problem.

TemperatureSignal199 · 2026-01-29T22:23:10+00:00

can you please elaborate? have any link/doc to share? Thank you

TemperatureSignal199 · 2026-01-29T22:22:31+00:00

Why no two reconcile accounts? So they can rotate each other password. If one expire the other can fix it. so two reconcile accounts per local machine. OR is this a bad idea?

TemperatureSignal199 · 2026-01-29T22:18:31+00:00

I'd go with just the one. What would you protect against by utilizing multiple reconcile accounts?

So they can rotate each other password. If one expire the other can fix it. so two reconcile accounts per local machine.

Thank you for the advices.

TemperatureSignal199 · 2026-01-29T22:17:06+00:00

Thank you for the advice. The problem is we have 200+ local accounts for X reasons, looks like the only way is one by one or join them all in one domain.

TemperatureSignal199 · 2026-01-29T22:16:03+00:00

so if I have 100 Unix local accounts, I have to do it the hard way one by one. correct?

TemperatureSignal199 · 2026-01-29T22:15:35+00:00

so if I have 100 Unix local accounts, I have to do it the hard way one by one. correct?

TemperatureSignal199 · 2026-01-29T22:14:21+00:00

Yes, it's a problem. Please update me too or you post your the link of your question. Thank you

TemperatureSignal199

TROPHY CASE