# SSL Certificate Deployment

In general, SSL certificates procured from Certificate Authorities (CAs) are stored in a repository and then manually deployed on the appropriate target systems. Key Manager Plus deploys the certificates from its repository on the correct target systems automatically. You can use Key Manager Plus to deploy certificates on the various systems individually or in bulk, based on your requirements. You can also use the Key Manager Plus agent to deploy certificates on servers that reside in demilitarized zones outside the domain in which the Key Manager Plus server is present.

## Steps to Deploy Certificates on Different Target Systems

Follow the steps below to deploy an SSL certificate on the various target systems:

1. Navigate to **SSL >> Certificates**.
2. Select the checkbox beside the certificate to be deployed.
3. Click **Deploy**.
4. In the dropdown, choose the required server type:
   1. [Windows Server](#1-windows-server)
   2. [MS Certificate Store](#2-microsoft-certificate-store)
   3. [Internet Information Services (IIS)](#3-internet-information-services-iis)
   4. [IIS Binding](#4-iis-binding)
   5. [Linux Server](#5-linux-server)
   6. [Browser](#6-browser)
   7. [ManageEngine MDM](#7-manageengine-mdm)
   8. [AWS-ACM](#8-aws-acm)
   9. [Load Balancer](#9-load-balancer)
   10. [Azure Key Vault](#10-azure-key-vault)
   11. [Azure Application](#11-azure-application)

![Certificate deployment](https://www.manageengine.com/key-manager/help/images/cert-deployment.png)

**Notes:**

- For deploying certificates on Windows systems, MS Certificate Store and Internet Information Services (IIS), use your domain administrator account as the service login account of Key Manager Plus.
- If you are using a domain service account to run Key Manager Plus, ensure it is already configured in the local admin group.

## 1. Windows Server

1. To deploy certificates on a Windows server, choose the server type as **Windows**.
2. Select the **Deployment Type** as **Single**, **Multiple** (servers) or **Agent**, as per your need.
   1. **Single server deployment**: Provide **Server Name, User Name, Password, Path**. Optionally enable:
      - **Certificate** to choose the **File Type** and mention the **Certificate File Name**
      - **JKS/PKCS** to choose the **Keystore Type** and mention the **Store File Name**
   2. If you select **Use Key Manager Plus service account credentials for authentication**, you need not provide the username and password separately.

      ![windows-deployment-a](https://www.manageengine.com/key-manager/help/images/windows-deployment-a.png)
      ![windows-deployment](https://www.manageengine.com/key-manager/help/images/windows-deployment.png)
   3. **Multi server deployment**: Upload a `.csv` file whose rows use one of the following formats:
      - `Server Name, User Name, Password, Path, Certificate File Name (optional), Keystore File Name (optional)`

      **OR**

      - `Server name, SERVICE_AUTH, Path, Certificate File Name (optional), Keystore File Name (optional)`
   4. **Agent deployment**:
      - Choose the host name of the KMP agent from **Select Agent**.
      - Enter the destination file path (the agent installation path is used by default if none is mentioned).
      - Optionally enable **Certificate** and/or **JKS/PKCS**.

      ![windows-deployment-b](https://www.manageengine.com/key-manager/help/images/windows-deployment-b.png)
   5. Configure post-deployment actions:

      ![post-deployment-1](https://cdn.manageengine.com/sites/meweb/images/key-manager/help/post-deployment-1.png)

      - **Execute Script**: Execute a batch script file after deployment.
      - **Restart Service**: Restart a specific service after deployment.

      **Note:** Post-deployment actions apply to build 7120 and above and are applicable only for single server deployments.

      If **Execute Script** is enabled:

      - Enter the full path of the `.bat` file in **Executable Path**.
      - The script must echo `EXEC_COMPLETE` as its final output.
### Sample Batch Script File

```bat
@echo off
REM Post-deployment sample bat: regex-replace the value of every cert="..."
REM attribute in an XML, regardless of what the previous value was.
setlocal
set "XML_FILE=E:\testFolder\sample.xml"
set "NEW_VALUE=certname3.crt"
if not exist "%XML_FILE%" (
    echo ERROR: %XML_FILE% not found.
    exit /b 1
)
powershell -NoProfile -Command "(Get-Content -LiteralPath '%XML_FILE%' -Raw) -replace 'cert=\x22[^\x22]*\x22', ('cert=' + [char]34 + '%NEW_VALUE%' + [char]34) | Set-Content -LiteralPath '%XML_FILE%' -NoNewline"
if errorlevel 1 (
    echo ERROR: PowerShell replacement failed.
    exit /b 1
)
echo EXEC_COMPLETE
endlocal
```

If **Restart Service** is enabled:

1. Enter the **Service Name** or click **Discover Services**.
2. Configure **Service Stop Timeout** and **Service Start Timeout** (in seconds).

6. Enter **Notification Email** (comma-separated for multiple recipients).
7. Click **Save**, then **Deploy**.

**Note:** For file-based deployment, if the Certificate and Keystore file names are not provided, or if multiple certificates are selected, the certificate's Common Name is used as the file name.

## 2. Microsoft Certificate Store

1. Choose **Microsoft Certificate Store**.
2. Select the **Deployment Type**: **Single**, **Multiple**, or **Agent**.
   1. **Single**: Provide **Server Name, User Name, Password, Path**.

      ![MSstore_deployment_1](https://www.manageengine.com/key-manager/help/images/MSstore_deployment_1.png)
   2. You may select **Use Key Manager Plus service account credentials for authentication** instead of entering a username and password.

      ![MSstore_deployment_1a](https://www.manageengine.com/key-manager/help/images/MSstore_deployment_1a.png)
   3. **Multiple**: Upload a `.csv` file whose rows use one of these formats:
      - `Server Name, User Name, Password, Path`
      - `Server Name, Agent`
      - `Server Name, SERVICE_AUTH, Path`

      ![MSstore_deployment_1b](https://www.manageengine.com/key-manager/help/images/MSstore_deployment_1b.png)
   4. **Agent**: Select the agent host name.
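The multi-server `.csv` row formats above (the Windows server rows of section 1, and the credential and `SERVICE_AUTH` rows of the Microsoft Certificate Store type) are easy to get wrong, and a malformed row only surfaces after the file has been uploaded together with its plaintext passwords. The following shell script is added here as an example and is not part of Key Manager Plus: it checks every data row of a file against those two documented row shapes before upload and counts how many rows carry a password. It does not cover the `Server Name, Agent` row form, splits fields on bare commas (quoted fields are not handled), and the hostnames and credentials in the test data are constructed.

```shell
#!/bin/sh
# Added example (not Key Manager Plus code): sanity-check a multi-server deployment .csv
# before uploading it. Accepted row shapes, as documented for the Windows server type:
#   Server Name, User Name, Password, Path, Certificate File Name (optional), Keystore File Name (optional)
#   Server Name, SERVICE_AUTH, Path, Certificate File Name (optional), Keystore File Name (optional)
# Fields are split on bare commas; quoted fields containing commas are not handled.

# Strip leading and trailing whitespace from a string.
trim() {
    printf '%s' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# field LINE N: print field N (1-based) of a comma-separated LINE, trimmed.
field() {
    trim "$(printf '%s\n' "$1" | cut -d',' -f"$2")"
}

# classify_row LINE: print "credential", "service_auth" or "invalid" (always exits 0).
classify_row() {
    nfields=$(printf '%s\n' "$1" | awk -F',' '{ print NF }')
    server=$(field "$1" 1)
    second=$(field "$1" 2)
    if [ -z "$server" ]; then
        echo invalid
    elif [ "$second" = "SERVICE_AUTH" ]; then
        # Service-account row: no credentials in the file, Path is field 3, two optional file names.
        if [ "$nfields" -ge 3 ] && [ "$nfields" -le 5 ] && [ -n "$(field "$1" 3)" ]; then
            echo service_auth
        else
            echo invalid
        fi
    elif [ "$nfields" -ge 4 ] && [ "$nfields" -le 6 ] \
         && [ -n "$second" ] && [ -n "$(field "$1" 3)" ] && [ -n "$(field "$1" 4)" ]; then
        # Credential row: user name, password and path must all be present.
        echo credential
    else
        echo invalid
    fi
}

# validate_deploy_csv FILE: report every malformed data row; return 1 if any were found.
validate_deploy_csv() {
    bad=0
    creds=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$(trim "$line")" in
            ''|'#'*) continue ;;                                  # blank line or comment
        esac
        [ "$(field "$line" 1)" = "Server Name" ] && continue    # optional header row
        case "$(classify_row "$line")" in
            credential)   creds=$((creds + 1)) ;;
            service_auth) ;;
            *) echo "line $lineno: does not match either documented row format"
               bad=$((bad + 1)) ;;
        esac
    done < "$1"
    if [ "$creds" -gt 0 ]; then
        echo "note: $creds row(s) carry a plaintext password; prefer SERVICE_AUTH rows and delete the file after upload"
    fi
    [ "$bad" -eq 0 ]
}
```

Run it as `validate_deploy_csv servers.csv` before uploading; a non-zero exit means at least one row would not be understood, and the note reminds you that a file with credential rows is itself sensitive material.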
   ![MSstore_deployment_1c](https://www.manageengine.com/key-manager/help/images/MSstore_deployment_1c.png)

3. Select the **Computer** and/or **User** account.
4. Enable **PrivateKey Export from MS Store after deployment** if required.
5. Select the **Store Name**.
6. Click **Save**, then **Deploy**.

![MSstore_deployment_2](https://www.manageengine.com/key-manager/help/images/MSstore_deployment_2.png)

## 3. Internet Information Services (IIS)

1. Select a certificate with a keystore file and click **Deploy >> Internet Information Services (IIS)**.
2. Select the **Deployment Type**: **Single**, **Multiple**, or **Agent**.
   1. **Single**: Provide **Server Name, User Name, Password, Path**.

      ![iis-deployment](https://www.manageengine.com/key-manager/help/images/iis-deployment.png)
   2. Optionally use the service account credentials.

      ![iis-deployment-1a](https://www.manageengine.com/key-manager/help/images/iis-deployment-1a.png)
   3. **Multiple**: Upload a `.csv` file whose rows use one of these formats:
      - `Server Name, User Name, Password, Path`
      - `Server Name, SERVICE_AUTH, Path`
3. Click **Deploy**.

## 4. IIS Binding

**Notes:**

- IIS Manager should be installed/enabled on the Key Manager Plus server.
- Single deployment works only if the IIS server and Key Manager Plus are in the same domain, with **ASP.NET of .NET Framework version 4 or above** enabled.

![asp-net](https://www.manageengine.com/key-manager/help/images/asp-net.png)

1. Choose **IIS Binding**.
2. For **Single**: Enter **Server Name, User Name, Password**.

   ![iis-binding-1](https://www.manageengine.com/key-manager/help/images/iis-binding-1.png)
3. Optionally use the service account credentials.

   ![iis-binding-1a](https://www.manageengine.com/key-manager/help/images/iis-binding-1a.png)
4. For **Multiple**, upload a file in the required format (with credentials, service auth, or agent).

   ![iis-binding-1b](https://www.manageengine.com/key-manager/help/images/iis-binding-1b.png)
5. For **Agent**, select the agent and retrieve the sites/bindings.
6. Add new bindings specifying **Host Name, Port, IP Address** and optionally **Require Server Name Indication**.

   ![sni](https://www.manageengine.com/key-manager/help/images/sni.png)
7. Use **Add Binding/Update Binding**, **Deploy and Bind**, or **Save** as required.

![IIS_deployment_2](https://www.manageengine.com/key-manager/help/images/IIS_deployment_2.png)
![iis-binding-2](https://www.manageengine.com/key-manager/help/images/iis-binding-2.png)
![iis-binding-3](https://www.manageengine.com/key-manager/help/images/iis-binding-3.png)

## 5. Linux Server

1. Choose **Linux**.
2. Select the **Deployment Type**: **Single** or **Multiple**.
   1. **Single**: Provide **Server Name, Port (default 22), User Name, Password, Path**. Optionally enable **Certificate** and/or **JKS/PKCS**.

      ![linux-deployment](https://www.manageengine.com/key-manager/help/images/linux-deployment.png)
   2. **Multiple**: Upload a `.csv` file with the server details.
3. For password-less servers, choose **Import Key** and upload the private key with its passphrase.
4. Configure post-deployment actions:

   ![post-deployment-2](https://cdn.manageengine.com/sites/meweb/images/key-manager/help/post-deployment-2.png)

   - **Execute Script** (the shell script must echo `EXEC_COMPLETE`)
   - **Restart Service** (the service must be managed by `systemd`)

### Sample Shell Script File

```bash
#!/bin/bash
# Post-deployment sample: replace the value of every cert="..." attribute in an XML file.
XML_FILE="/home/username/Desktop/sample.xml"
NEW_VALUE="certname10300.crt"

if [ ! -f "$XML_FILE" ]; then
    echo "ERROR: $XML_FILE not found."
    exit 1
fi

sed -i 's/cert="[^"]*"/cert="'"$NEW_VALUE"'"/g' "$XML_FILE"
if [ $? -ne 0 ]; then
    echo "ERROR: Replacement failed."
    exit 1
fi

echo "EXEC_COMPLETE"
```

5. Configure **Service Name**, **Service Action Timeout**, and **Sudo Password** (if **Import Key** is used).
6. Enter **Notification Email**, click **Save**, then **Deploy**.

**Notes:**

1. Key-based authentication is available only for single server deployment.
2. Uploaded private keys are for one-time use and are not stored in the database.
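The Windows **Execute Script** action in section 1 and the Linux one above share one contract: the script signals success only by echoing `EXEC_COMPLETE` as its final output. The sample scripts on this page use that hook to rewrite a configuration file; the shell script below, added here as an example that is not part of Key Manager Plus, uses it instead to verify the certificate that was just deployed (it parses, is not about to expire, matches the private key, and is issued for the expected host) and withholds `EXEC_COMPLETE` when any check fails, so that a bad deployment is reported rather than silently accepted. The file paths and hostname are hypothetical placeholders, and `openssl` is assumed to be installed on the target server.

```shell
#!/bin/sh
# Added example (not Key Manager Plus code): a Linux "Execute Script" hook that verifies the
# deployed certificate before signalling success. EXEC_COMPLETE is printed only when every
# check passes. Paths and the expected hostname below are hypothetical; openssl(1) is required.

# verify_cert_file CERT: CERT parses as an X.509 certificate and is valid for at least 7 more days.
verify_cert_file() {
    if ! openssl x509 -in "$1" -noout >/dev/null 2>&1; then
        echo "ERROR: $1 is not a parseable X.509 certificate"
        return 1
    fi
    # -checkend fails when the certificate expires within the given number of seconds.
    if ! openssl x509 -in "$1" -noout -checkend 604800 >/dev/null 2>&1; then
        echo "ERROR: $1 has expired or expires within 7 days"
        return 1
    fi
}

# verify_key_match CERT KEY: the public key embedded in CERT is the one derived from KEY.
verify_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "ERROR: $2 does not match the public key in $1"
        return 1
    fi
}

# verify_hostname CERT HOST: HOST is listed in subjectAltName, or equals the subject CN when
# the certificate carries no SAN extension (a SAN, when present, takes precedence over the CN).
verify_hostname() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 1
    sans=$(printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | tail -n 1 \
           | tr ',' '\n' | sed 's/^[[:space:]]*DNS://')
    if printf '%s\n' "$sans" | grep -Fqx "$2"; then
        return 0
    fi
    if [ -z "$sans" ]; then
        cn=$(openssl x509 -in "$1" -noout -subject 2>/dev/null \
             | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/[[:space:]]*$//')
        [ "$cn" = "$2" ] && return 0
    fi
    echo "ERROR: $1 is not issued for $2"
    return 1
}

# run_post_deploy_checks CERT KEY HOST: all three checks in sequence; stops at the first failure.
run_post_deploy_checks() {
    verify_cert_file "$1" && verify_key_match "$1" "$2" && verify_hostname "$1" "$3"
}

main() {
    # Hypothetical values: the Path entered in the deployment form plus the deployed file names.
    cert=${CERT_FILE:-/etc/ssl/certs/www.example.test.crt}
    key=${KEY_FILE:-/etc/ssl/private/www.example.test.key}
    host=${EXPECTED_HOST:-www.example.test}
    if run_post_deploy_checks "$cert" "$key" "$host"; then
        echo "EXEC_COMPLETE"        # the only output Key Manager Plus treats as success
    else
        echo "ERROR: post-deployment checks failed; EXEC_COMPLETE withheld"
        return 1
    fi
}

# Key Manager Plus executes this file directly and looks for EXEC_COMPLETE as the final output
# line; set POST_DEPLOY_CHECKS_ONLY=1 to load the functions without running the checks.
if [ "${POST_DEPLOY_CHECKS_ONLY:-0}" != 1 ]; then
    main || echo "post-deployment checks did not pass; see errors above"
fi
```

Point **Executable Path** at this file after filling in the three values in `main`; every failing check prints an `ERROR:` line first, so the deployment log shows why `EXEC_COMPLETE` was not produced.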
## 6. Browser

1. Choose **Browser**.
2. Select the **Server Type**: **Windows**, **Linux**, or **Mac OS**.

### Windows

- Provide **Server Name, User Name, Password, Path**.

  ![browser-deployment-1](https://www.manageengine.com/key-manager/help/images/browser-deployment-1.png)
- Optionally use the service account credentials.

  ![browser-deployment-2](https://www.manageengine.com/key-manager/help/images/browser-deployment-2.png)

### Linux

- Provide **Server Name, Port, User Name, Password, Path**.
- Select **Firefox** and/or **Chrome**.
- For Firefox, specify the **Profile** and the **NSS Tools Path**.

![browser-deployment-3](https://www.manageengine.com/key-manager/help/images/browser-deployment-3.png)

Install the NSS tools:

```bash
sudo apt-get install libnss3-tools
```

- Chrome NSS DB path: `$HOME/.pki/nssdb`
- Firefox NSS DB: the profile's folder

![browser-deployment-4](https://www.manageengine.com/key-manager/help/images/browser-deployment-4.png)

### Mac OS

- Provide **Server Name, Port, User Name, Password, Path**.
- Select **Firefox** or **Safari/Chrome**.

![browser-deployment-5](https://www.manageengine.com/key-manager/help/images/browser-deployment-5.png)
![browser-deployment-6](https://www.manageengine.com/key-manager/help/images/browser-deployment-6.png)

For the NSS tools:

```bash
brew install nss
```

Click **Deploy**.

## 7. ManageEngine MDM

To learn about deploying certificates to ManageEngine MDM, click [here](https://www.manageengine.com/key-manager/help/mdm-integration.html#import).

## 8. AWS-ACM

To learn about deploying certificates to AWS-ACM, click [here](https://www.manageengine.com/key-manager/help/awsacm-integration.html#deployawscerts).

## 9. Load Balancer

### 9.1 Citrix ADC

1. Select the certificate and click **Deploy >> Load Balancer**.
2. Choose **Citrix ADC**.
3. Select the **Citrix Credential List**.

   ![load-balancer-1](https://www.manageengine.com/key-manager/help/images/load-balancer-1.png)
4. Manage credentials (Add/Delete).
   ![load-balancer-2](https://www.manageengine.com/key-manager/help/images/load-balancer-2.png)
5. Enter the **Citrix Password** and **Passphrase**.
6. Optionally enable **Bypass Proxy Settings** (see Admin Settings: https://www.manageengine.com/key-manager/help/network-settings.html).
7. Select **Service Deploy** and/or **Virtual Server Deploy**.

   ![load-balancer-3](https://www.manageengine.com/key-manager/help/images/load-balancer-3.png)
8. Click **Deploy**.

### 9.2 FortiGate Firewall

1. Select the certificate and click **Deploy >> Load Balancer**.
2. Choose **FortiGate Firewall**.
3. Select the **FortiGate Credential**.

   ![fortigate-1](https://www.manageengine.com/key-manager/help/images/fortigate-1.png)
4. Manage credentials:
   - Add: **Credential Name, Server IP, API Key**
   - Delete credentials as needed.
5. Select the **Upload Type**: **Regular** or **Remote**.
6. Optionally enable **Bypass Proxy Settings** (https://manageengine.com/key-manager/help/network-settings.html).
7. Click **Deploy**.

## 10. Azure Key Vault

*(Feature available from build 7050 and above only)*

1. Navigate to **SSL**, select the certificate and click **Deploy**.
2. Select **Azure Key Vault**.
3. Choose a **Credential Name** or add a new Azure credential:

   ![deploy-azure-key-valut-1](https://www.manageengine.com/key-manager/help/images/deploy-azure-key-valut-1.png)

   Required details:
   1. Credential Name
   2. Subscription ID
   3. Directory ID
   4. Application ID
   5. Key
4. Select the **Key Vault**.

   ![deploy-azure-key-valut-2](https://www.manageengine.com/key-manager/help/images/deploy-azure-key-valut-2.png)
5. Enter the **Certificate Name** and click **Deploy**.

**Note:** Certificate names should contain only alphanumeric characters and dashes. Do not include PII or sensitive information in them. Manage the deployed certificates via **Integrations >> Azure >> Azure Key Vault**.

## 11. Azure Application

*(Feature available from build 7050 and above only)*

1. Navigate to **SSL** and select the certificate.
2. Click **Deploy** → **Azure Application**.
3. Select the **Application Name**.

   ![deploy-azure-cert-app-1](https://www.manageengine.com/key-manager/help/images/deploy-azure-cert-app-1.png)
4. Enter a **Description** (optional) and click **Deploy**.

**Note:** The application must have an associated private key. If one is not available, refer to https://www.manageengine.com/key-manager/help/manage-azure-app.html#updateprivatekey.

The deployed certificate will reflect in the Azure portal and can be managed via Key Manager Plus.