Integration with Telia
Maintaining a threat-free network requires more than just securing your domains with SSL certificates. For organizations that manage a large SSL environment, the process of purchasing, deploying, and renewing SSL certificates is often cumbersome, time-consuming, and hardly straightforward. Oversight, manual errors, improper configuration, weak ciphers, and expiration lead to downtime, compliance issues, and security breaches. Certificate life-cycle management is a practice that streamlines the certificate management process by automating the acquisition, issuance, deployment, renewal, and revocation of certificates. Key Manager Plus facilitates end-to-end certificate life-cycle management for your public-facing websites by integrating with the Certificate Authority, Telia, from where you can procure domain-validated certificates, deploy, track, request alerts on expiry, and renew certificates directly from the Key Manager Plus interface.
Before you proceed with the integration, complete the following step as it is a prerequisite to integrate Telia ACME with Key Manager Plus.
Prerequisite
Add the following base URL and port as an exception in your firewall or proxy to ensure Key Manager Plus can connect to Telia CA Services.
URL: https://acme.trust.telia.com/directory
Port: 443
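To confirm the exception works before you register the account, the following added check (not Key Manager Plus code) fetches the directory with TLS verification on and reports whether the ACME endpoints and the external-account-binding flag are present. The endpoint names come from RFC 8555; the list in REQUIRED and the sample directory document are assumptions constructed for the example.

```python
"""Check that the Telia ACME directory (the URL and port listed above) is
reachable through the firewall/proxy exception and advertises what the
registration step needs.  Added example, not Key Manager Plus code; the
directory document in main() is a constructed sample."""
import json
import ssl
import urllib.error
import urllib.request

TELIA_DIRECTORY = "https://acme.trust.telia.com/directory"
# Endpoints the later sections rely on: account registration, certificate
# requests and revocation (RFC 8555 section 7.1.1).  Assumed list.
REQUIRED = ("newNonce", "newAccount", "newOrder", "revokeCert")


def inspect_directory(doc: dict) -> dict:
    """Report missing endpoints and whether the CA demands External Account
    Binding, which is why the registration form asks for an EAB KID and HMAC key."""
    meta = doc.get("meta", {})
    return {
        "missing": [name for name in REQUIRED if name not in doc],
        "eab_required": bool(meta.get("externalAccountRequired", False)),
        "terms_of_service": meta.get("termsOfService"),
    }


def fetch_directory(url: str = TELIA_DIRECTORY, timeout: float = 10.0) -> dict:
    """GET the directory with certificate verification on (keep it on for a CA
    endpoint).  urllib honours HTTPS_PROXY, so a proxy exception is exercised
    the same way Key Manager Plus would exercise it."""
    ctx = ssl.create_default_context()
    req = urllib.request.Request(url, headers={"User-Agent": "kmp-telia-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:  # reached the CA, but got an error status
        raise RuntimeError(f"{url} answered HTTP {exc.code}") from exc
    except OSError as exc:  # DNS, TCP, TLS or proxy failure on port 443
        raise RuntimeError(f"cannot reach {url} (firewall/proxy exception missing?): {exc}") from exc


if __name__ == "__main__":
    # Constructed sample of a directory document; replace with
    # inspect_directory(fetch_directory()) to test the live exception.
    sample = {
        "newNonce": "https://ca.example/acme/new-nonce",
        "newAccount": "https://ca.example/acme/new-account",
        "newOrder": "https://ca.example/acme/new-order",
        "revokeCert": "https://ca.example/acme/revoke-cert",
        "meta": {"externalAccountRequired": True, "termsOfService": "https://ca.example/tos"},
    }
    print(inspect_directory(sample))
```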
This help document covers the following topics in detail:
1. Registering Telia Account in Key Manager Plus
Before you can proceed with requesting certificates from Telia CA, you should register your Telia user account in Key Manager Plus. This is a one-time setup process that can be completed from the Key Manager Plus web interface. Follow these steps to register your Telia user account:
- Log in to your Key Manager Plus account and navigate to Integrations >> ACME Integrations >> Telia >> Manage.
- In the page that appears, click the New Registration button in the top pane under the Account tab.
- In the Registration page, specify the following details:
- Name - Specify the display name for the Telia user account.
- Email - Enter the registered email address associated with the Telia account.
- EAB KID - Enter the External Account Binding Key ID provided by Telia.
- EAB HMAC Key - Specify the HMAC key associated with the EAB KID, issued by Telia for secure account binding.
- After entering the necessary details, click on the Subscriber Agreement link, read through the specified terms and conditions, enable the Accept Telia Subscriber Agreement checkbox, and click Register.
- When the Acknowledgment pop-up appears, click Confirm. Your Telia account will be successfully registered.
After registering your account, you can update the email address, delete your Telia account from Key Manager Plus, or deactivate it if required. To add the same account again in Key Manager Plus, export the key, click the Add Account button, and enter the account details as specified above.
Notes:
- Deleting an account removes it only from Key Manager Plus and the account will remain active in the Telia portal.
- If you choose the Deactivate option while deleting the account, your Telia account will be permanently removed from the Key Manager Plus database, and you cannot add it back using the same details.
- Only users with Administrator privileges can create, add, or manage a Telia account in Key Manager Plus.
- Only one Telia account can be registered from the Key Manager Plus web interface.
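The EAB KID and EAB HMAC Key entered during registration feed the External Account Binding that an ACME client attaches to its account registration request (RFC 8555 section 7.3.4). The following added example (not Key Manager Plus code) shows that construction and the check the CA performs on it; the account JWK, KID, HMAC key, newAccount URL and e-mail address are constructed placeholders.

```python
"""Construct the External Account Binding (EAB) that ties a new ACME account
to the Telia subscription, which is what the EAB KID and EAB HMAC Key fields
are used for.  Added example, not Key Manager Plus code; all values in
main() are constructed placeholders."""
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding used for JWS segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url; re-adds the padding the encoder stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(eab_hmac_key: str, protected_b64: str, payload_b64: str) -> bytes:
    """HS256 MAC over the JWS signing input, keyed with the decoded EAB HMAC key."""
    signing_input = f"{protected_b64}.{payload_b64}".encode("ascii")
    return hmac.new(b64url_decode(eab_hmac_key), signing_input, hashlib.sha256).digest()


def eab_jws(account_jwk: dict, eab_kid: str, eab_hmac_key: str, new_account_url: str) -> dict:
    """Flattened-JSON JWS: the protected header names the EAB KID and the
    newAccount URL, the payload is the account's public key, and the MAC proves
    knowledge of the HMAC key Telia issued.  This JWS carries no nonce."""
    protected = {"alg": "HS256", "kid": eab_kid, "url": new_account_url}
    protected_b64 = b64url(json.dumps(protected, separators=(",", ":")).encode())
    payload_b64 = b64url(json.dumps(account_jwk, separators=(",", ":")).encode())
    return {"protected": protected_b64, "payload": payload_b64,
            "signature": b64url(_mac(eab_hmac_key, protected_b64, payload_b64))}


def verify_eab_jws(jws: dict, eab_hmac_key: str, account_jwk: dict) -> bool:
    """The CA-side check: MAC matches, and the bound key is the account key."""
    expected = _mac(eab_hmac_key, jws["protected"], jws["payload"])
    mac_ok = hmac.compare_digest(expected, b64url_decode(jws["signature"]))
    key_ok = json.loads(b64url_decode(jws["payload"])) == account_jwk
    return mac_ok and key_ok


def new_account_payload(contact_email: str, agreed: bool, eab: dict) -> dict:
    """Body of the newAccount request; 'agreed' corresponds to the Accept Telia
    Subscriber Agreement checkbox in the registration form."""
    return {"contact": [f"mailto:{contact_email}"],
            "termsOfServiceAgreed": agreed,
            "externalAccountBinding": eab}


if __name__ == "__main__":
    # Constructed values: a real client generates the key pair and keeps the
    # private half; Telia supplies the KID and the HMAC key.
    jwk = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
    kid, key = "kid-123", b64url(b"constructed-hmac-key")
    jws = eab_jws(jwk, kid, key, "https://acme.trust.telia.com/acme/new-account")
    print(json.dumps(new_account_payload("pki@example.com", True, jws), indent=2))
    print("verifies:", verify_eab_jws(jws, key, jwk))
```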
2. Creating a Certificate Request
After registering your Telia account, you can raise certificate requests directly from the Key Manager Plus interface. Once the request is submitted, you will be presented with a domain control validation challenge, which should be completed for Telia to validate your domain and issue the certificate. Follow these steps to raise a certificate request and fulfill the challenge:
- Navigate to Integrations >> ACME Integrations >> Telia and click the Certificate Request button.
- In the page that appears, specify the Common Name and SAN, select the challenge type, key algorithm, algorithm length, signature algorithm, and keystore type, specify the keystore password, and click Create.
- If you have selected the challenge type as dns-01, you should assign a DNS account. In the DNS page that appears, select the DNS account from the provided drop-down option if you have already configured your DNS credentials in Key Manager Plus. The selected credentials will be used to automatically verify the challenge for all the domains specified in the certificate request.
- Additionally, Key Manager Plus allows you to change the private key whenever the certificate is renewed.
- Use the New Key option if you want to change the key.
- Use the Same Key option if you want to retain the same key received upon renewal.
- Alternatively, use the Import Key option to use your own key. The provided key will be used for the first time when the certificate is generated and for the subsequent renewals.
Note: Key Manager Plus supports wildcard certificate requests for DNS-based challenges. For wildcard certificate requests, enter the common name in the format *.domainname.com.
Follow these steps to configure your DNS account:
- Navigate to Integrations >> ACME Integrations >> Telia >> Manage, switch to the DNS tab, and click the Add button. Here, you can add a maximum of one DNS account for each supported DNS provider.
- In the pop-up window that appears, choose the desired DNS provider, specify the necessary details as mentioned in this section, and click the Save button to add the desired DNS account successfully.
Note: Currently, Key Manager Plus supports automatic challenge verification for Azure DNS, Cloudflare DNS, Amazon Route 53 DNS, RFC2136 DNS update (nsupdate), GoDaddy DNS, and ClouDNS.
2.1 Azure DNS
Enter the following details to add an Azure DNS account:
- Subscription ID - Enter the Azure subscription ID associated with the DNS zone. The subscription ID is available on the Overview page of the Azure DNS Zone.
- Directory ID - Enter the Azure Active Directory (tenant) ID. The Directory ID is available under Azure Active Directory >> Properties.
- Application ID - Enter the application ID of the Azure AD application with access to the DNS zone.
- Key - Enter the client secret generated for the Azure AD application.
- Resource Group Name - Enter the name of the Azure resource group where the DNS zone is hosted.
If you do not have an existing Azure application, follow the steps mentioned in this link to create the Azure application and key, and assign the required permissions to the DNS zones to enable API calls.
After entering the above details, click the Save button. The DNS account will be added successfully, and you can view it under Manage >> DNS.
2.2 Cloudflare DNS
Enter the following details to add a Cloudflare DNS account:
- Email Address - Enter the email address associated with your Cloudflare account.
- Global API Key - Enter the Cloudflare Global API key used to authenticate API requests. Use the Generate API Key option on the Cloudflare DNS domain overview page to generate the key.
After entering the above details, click the Save button. The DNS account will be added successfully, and you can view it under Manage >> DNS.
2.3 AWS Route 53 DNS
Generate and specify the following details associated with your AWS account in the respective fields and click Save.
- Access Key ID - Enter the AWS Access Key ID associated with the IAM user.
- Secret - Enter the Secret Access Key generated for the IAM user.
The DNS account will be added successfully, and you can view it under Manage >> DNS.
If you do not have an AWS Route 53 DNS account, follow these steps to create an account and generate the Access Key ID and Secret:
- Log in to the AWS console, navigate to IAM Services >> Users, and click the Add User button.
- In the window that appears, specify the username and select Programmatic Access as the access type.
- Switch to the next tab, click Attach existing policies directly under Set Permissions, and search for AmazonRoute53FullAccess. Assign the listed policy and switch to the next tab.
- Under the Tags section, add the appropriate tags (optional) and switch to the next tab.
- Review all the provided information and click Create user. Your user account will be created, and subsequently, an access key ID and a secret will be generated.
- Copy and save the Access Key ID and Secret in a secure location, as it will not be displayed again.
If you have an AWS user account, grant the AmazonRoute53FullAccess permission to the user and generate an access key if the user does not have one. If the user account has an associated access key, ensure that the necessary permissions are granted. Follow these steps to grant the necessary permission to your AWS account:
- Navigate to the Permissions tab, select the required user account, and click Add Permission.
- Click Attach existing policies under Set Permissions and search for AmazonRoute53FullAccess.
- Assign the listed policy and click Save.
- To generate the access key, select the user account and navigate to the Security Credentials tab.
- In the window that appears, click the Create access key button. An access key ID and a secret will be generated.
- Copy and save the Access Key ID and Secret in a secure location, as it will not be displayed again.
2.4 RFC 2136 Update
Enter the following details to automate the DNS-based domain control validation procedure in Key Manager Plus if you are using an open source DNS server, such as BIND or PowerDNS, that supports RFC 2136 DNS updates. These details are usually found in the server installation directory. For instance, in the case of the BIND 9 DNS server, you can find them in the file named local.conf within the DNS server installation directory.
- DNS Server IP/Host Name - Specify the hostname or IP address of the machine where the DNS server is running.
- Key Secret - Enter the secret key generated for TSIG authentication to approve DNS record updates.
- Key Name - Provide the TSIG key identifier associated with the DNS server configuration.
- Algorithm - Specify the hashing algorithm used for TSIG key generation (e.g., HMAC-MD5, HMAC-SHA1, HMAC-SHA256).
2.5 GoDaddy
Enter the following details to add a GoDaddy DNS account:
- Key - Enter the GoDaddy API key used to authenticate API requests.
- Secret - Enter the GoDaddy API secret associated with the above key.
Follow these steps to obtain the GoDaddy API credentials:
- Go to the GoDaddy developer portal and switch to the API keys tab.
- Log in to your GoDaddy account if you are not logged in already.
- Once you log in, you will be redirected to the API keys page, where you can create and manage API keys. Click Create New API key.
- In the window that appears, specify your application name, choose the environment type as Production, and click Next. The API key and its secret will be generated.
- Copy and save the secret in a secure location, as it will not be displayed again.
2.6 ClouDNS
Choose one of the following options, Auth ID, Sub Auth ID, or Sub Auth User, and specify its password:
- Auth ID / Sub Auth ID / Sub Auth User - Enter the corresponding authentication identifier obtained from the ClouDNS Reseller API configuration.
- Auth Password - Specify the password associated with the selected authentication ID.
Follow these steps to obtain the ClouDNS API credentials:
- Log in to your ClouDNS account and go to Reseller API.
- If you have already created an API user ID, it will be listed under API Users. If not, click the Create API button to generate new API credentials.
Refer to the ClouDNS documentation for more information about API Auth IDs.
2.7 DNS Made Easy
Enter the following details to add a DNS Made Easy account:
- Name - Enter a display name for identifying the DNS Made Easy account in Key Manager Plus.
- Key - Enter the DNS Made Easy API key used for authentication.
- Secret - Enter the API secret associated with the specified API key.
Notes:
- One certificate can secure up to 100 domains. You can enter a maximum of 100 names in the Domain Name field, out of which the first name is considered the common name and the rest are treated as Subject Alternative Names (SANs).
- Key Manager Plus supports http-01 and dns-01-based domain validations. Choose the challenge type based on your requirements.
- For dns-01-based domain validation, if you are using your configured DNS account for challenge verification, ensure that the status of the selected DNS account is marked as Enabled under Manage >> DNS.
- The option to change the private key currently works only for certificates with the RSA key algorithm.
3. Telia Challenge Verification
Key Manager Plus expedites domain validation through automatic verification of http-01 and dns-01 challenges (currently supported for Azure, Cloudflare, Amazon Route 53, RFC2136 DNS update, GoDaddy DNS, ClouDNS). For the automation to take effect, you have to initially map the end-server details to Key Manager Plus, which is a one-time process.
3.1 Domain Validation through http-01 Challenge Verification
Follow these steps to validate your domain using an http-01 challenge:
- In the window that appears, the challenge to be completed is displayed.
- Click the Agent Mapping icon beside the http-01 challenge.
- In the pop-up window that appears, if the domain server is a Linux machine, specify the necessary details and click Save.
- If the domain server is a Windows machine, you should download and install the Key Manager Plus agent for the Windows server.
The Key Manager Plus agent package is a .zip file containing the necessary executables and configuration files required to verify the Telia challenges through automatic domain validation. Unzip the file and install the agent on your Windows domain server after the download is complete.
Follow these steps to download the Key Manager Plus agent for Windows Server:
- Navigate to Integrations >> ACME Integrations >> Telia, and click the Manage button in the top right corner.
- Switch to the Windows Agents tab.
- Download the Key Manager Plus agent from the top right corner of the window based on your server compatibility (32-bit or 64-bit).
Follow these steps to install the Key Manager Plus agent as a Windows service:
- Open the command prompt and navigate to the <Key-Manager-Plus-Installation-Directory>.
- Execute the command AgentInstaller.exe start.
Follow these steps to stop the Key Manager Plus agent and uninstall the Windows service:
- Open the command prompt and navigate to the <Key-Manager-Plus-Installation-Directory>.
- Execute the command AgentInstaller.exe stop.
- If the domain server is a Windows machine, navigate to Manage >> Windows Agents, then download and install the agent on the domain server.
- Once the above agent mapping settings are configured (agent mapping is a one-time configuration), Key Manager Plus automatically handles the verification of challenges presented by Telia.
- After configuring agent mapping, click the Pending button on the Domain Control Validation Challenges page and click Verify. The challenge will be verified, and a certificate request will be submitted to Telia CA.
3.2 Domain Validation through dns-01 Challenge Verification
Follow these steps to validate your domain using a dns-01 challenge:
- Navigate to Integrations >> ACME Integrations >> Telia tab and click on the request status (Pending) corresponding to the certificate request. You will be redirected to a window that displays the DNS challenge value and the TXT record.
- If you have already configured your DNS account details and have opted for DNS while creating the certificate request, you can assign the DNS account to the request.
- Select the request, click on the More button in the top pane, choose Assign DNS from the displayed options, and select the required DNS account.
- Key Manager Plus also provides an option for automating dns-01 challenge verification through agent mapping, which you can use if you do not have a configured DNS account or opted out of it while raising the certificate request.
- Click on the Agent Mapping icon on the left side of the request. Agent mapping is a one-time configuration.
Follow the steps below to deploy and map the agent. In the Deploy window that opens, specify the following information to map and save your end-server details in Key Manager Plus.
- Challenge Type - The challenge type will be auto-selected depending on the DNS challenge you accepted.
- Domain Name - Enter the domain name in this field.
- DNS Provider - Select the desired DNS provider from the drop-down field.
- If you choose Azure DNS, specify the subscription ID, directory ID, application ID, application key, and the resource group name.
- If you choose Cloudflare DNS, enter the email address associated with your Cloudflare account and the global API key.
- If you choose Amazon Route 53 DNS, enter the access key ID and secret associated with your AWS account.
- Enable the Deploy Certificate checkbox to automate certificate deployment to the corresponding end-servers after domain validation and on subsequent renewals.
- For Linux end-servers, provide the required details, and for Windows end-servers, download and install the Key Manager Plus Windows agent using the same procedure as mentioned for the http-01 challenge.
- After entering the necessary details, click Save. The end-server details are successfully mapped and stored in Key Manager Plus, which you can view or edit by navigating to Integrations >> ACME Integrations >> Telia >> Manage >> Deploy.
Notes:
- You can request and acquire certificates only for public domains using the Telia integration.
- The handling of challenges can be performed manually without automation. Copy and paste the challenge values/text records manually into your domain server. Then, in the Key Manager Plus server, navigate to the Pending Requests page and click Verify. The challenge will be verified, and a certificate will be issued.
- Key Manager Plus automates challenge verification using DNS for a certificate request only when Agent mapping is not available. Challenge verification is automated through agents if agent details are available in the Manage >> Deploy tab.
- Currently, Key Manager Plus agents are only available for Windows servers.
- For RFC2136 DNS update, if you have opted for Global DNS configuration, the domain name itself acts as the zone name (Global DNS configuration is possible only if you are using the same key secret for all zones). If you have opted for domain-agent mapping instead, you should provide the Zone Name, Key Name, and Key Secret for each domain separately.
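The following added example (not Key Manager Plus code) computes the http-01 key authorization and the dns-01 TXT value that the challenge verification above compares against, and renders the RFC 2136 update batch that the TSIG key from section 2.4 would authorize, so a record can be checked before clicking Verify. The token, account key, domain, zone and name server values are constructed placeholders.

```python
"""Compute the values a Telia http-01 or dns-01 challenge expects, so the
challenge value / TXT record shown in Key Manager Plus (or one published
manually or pushed via RFC 2136) can be checked before clicking Verify
(RFC 8555 sections 8.1, 8.3 and 8.4; RFC 7638 for the thumbprint).  Added
example, not Key Manager Plus code; values in main() are constructed."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the key's required members only, sorted, compact JSON."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """http-01: the body the agent must serve at /.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """dns-01: the TXT value, SHA-256 of the key authorization, base64url."""
    return b64url(hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest())


def dns01_record_name(domain: str) -> str:
    """A wildcard request (*.example.com) is validated on the base name's record."""
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base}"


def nsupdate_batch(server: str, zone: str, domain: str, txt_value: str, ttl: int = 60) -> str:
    """Batch for `nsupdate -k <tsig-key-file>` against an RFC 2136 server; the
    Key Name, Key Secret and Algorithm from section 2.4 live in that key file,
    not in the batch.  A short TTL keeps stale values from lingering in caches."""
    return "\n".join([
        f"server {server}",
        f"zone {zone}",
        f'update add {dns01_record_name(domain)}. {ttl} IN TXT "{txt_value}"',
        "send",
        "",
    ])


def record_matches(published_txt_values, token: str, account_jwk: dict) -> bool:
    """What the CA does after resolving the record: look for the expected value."""
    return dns01_txt_value(token, account_jwk) in set(published_txt_values)


if __name__ == "__main__":
    # Constructed token and public key; a real token comes from the challenge
    # object and the JWK is the ACME account's public key.
    token, jwk = "tok-constructed", {"kty": "EC", "crv": "P-256", "x": "cx", "y": "cy"}
    value = dns01_txt_value(token, jwk)
    print("http-01 body :", key_authorization(token, jwk))
    print("dns-01 record:", dns01_record_name("*.example.com"), "TXT", value)
    print(nsupdate_batch("ns1.example.com", "example.com", "*.example.com", value))
    print("published matches:", record_matches([value], token, jwk))
```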
4. Procuring and Saving Certificates
Follow these steps to procure and save a certificate to the Key Manager Plus repository:
- On successful verification, Telia issues the requested certificate.
- The window automatically redirects to a page that displays the certificate and its status. The status is marked Available if the challenge verification is successful, and Failed if the challenge verification fails.
- Click the Available button to save the certificate to the Key Manager Plus repository, e-mail it, or export it.
- If the challenge fails, click the New challenge button to obtain another set of challenges and repeat the above process.
- Upon saving, the certificate is added to the Key Manager Plus repository, which can be viewed from the SSL >> Certificates tab.
5. Renewing Certificates
Certificates issued by Telia have a lifetime of ninety days, after which they are not valid. The domain authentication validity period is sixty days, i.e., the user should fulfill the challenge verification once every sixty days to prove their ownership of the domain. Certificate renewals can be carried out manually or automatically through automatic domain validation.
5.1 Certificate Renewal
Follow these steps to renew a certificate:
- Navigate to Integrations >> ACME Integrations >> Telia.
- Select the certificate you want to renew and click the Renew Certificate button. Once the renewal is complete, the certificate status will be displayed as Renewed in the Certificate Status bar.
- Click on Renewed to save the renewed version of the certificate to the Key Manager Plus repository.
Note: The certificate should be saved after renewal to update the certificate in the Key Manager Plus repository. If the renewed certificate is not saved, only the older version of the certificate will be available.
5.2 Automated Certificate Renewal
Follow these steps to configure the auto-renewal process for the desired certificates:
- Navigate to Integrations >> ACME Integrations >> Telia >> Manage and click the Auto-Renewal button in the top pane.
- In the page that appears, enable the Auto-Renew toggle switch.
- In the respective field, enter the number of days before expiry at which the auto-renewal process should be carried out.
- Select the desired certificates you want to auto-renew and click Save.
Based on the configured details, the auto-renewal process will be carried out. Click Auto-Renewal Audit to get insights into the certificates renewed through the auto-renewal process. Upon successful auto-renewal, the certificate will be automatically deployed to the respective server based on the system-defined schedule interval. You can view the deployment status for each server in the Auto-Deployment Audit section.
5.3 Certificate Renewals through Automatic Domain Validation
If agent mapping is configured, the certificate renewal process is performed automatically without manual intervention. All the certificates in your organization procured from Telia are automatically renewed every 75 days, i.e., 15 days before their expiry, and a notification is sent to the account holder's e-mail address.
Note: Automatic renewals are applicable only to certificates saved in the Key Manager Plus repository, i.e., after procuring a certificate from Telia, you should save it for the auto-renewal process to take effect.
6. Revoking Certificates
Revoking a certificate renders it invalid, and the server or website on which it is deployed will no longer support HTTPS communication. Follow these steps to revoke a certificate:
- Navigate to Integrations >> ACME Integrations >> Telia.
- Select the certificate you want to revoke and click Revoke Certificate. The selected certificate will be revoked and will no longer be valid.
7. Deleting Certificates
Deleting a certificate will remove it from the Key Manager Plus repository, but the certificate will remain valid. Follow these steps to delete a certificate:
- Navigate to Integrations >> ACME Integrations >> Telia.
- Select the certificate you want to delete and click More >> Delete. The certificate will be deleted from the Key Manager Plus repository.