
End-to-end certificate life-cycle management


Maintaining a threat-free network requires much more than securing your domains with SSL certificates. For organizations with a large SSL environment, purchasing, deploying and renewing certificates is cumbersome, time-consuming and rarely straightforward. Oversight, manual errors, improper configuration, weak ciphers and unnoticed expiry often lead to downtime, compliance issues and security breaches. Certificate life-cycle management is a practice that streamlines the certificate management process by automating the acquisition, issue, deployment, re-issue, renewal and revocation of certificates. Key Manager Plus facilitates end-to-end certificate life-cycle management for your public-facing websites by integrating with the well-known open Certificate Authority, Let's Encrypt. This means you can procure domain-validated certificates from Let's Encrypt for your public domains, deploy and track them, receive alerts on expiry and renew them, all entirely from the product interface.

You can request, procure, deploy, monitor, track and renew certificates from the Let's Encrypt CA directly from the Key Manager Plus interface.


Step 1: Create a Let's Encrypt account

The first step in requesting certificates from the Let's Encrypt CA is creating an account with Let's Encrypt. This is a one-time process and can be done from the Key Manager Plus interface itself.

To create a Let's Encrypt account,

Note: This privilege is available only to administrator users, and only one Let's Encrypt account can be created from Key Manager Plus.


Step 2: Raise a certificate request

After creating an account with Let's Encrypt, you have to generate a certificate request. You are then presented with a challenge which you have to fulfill in order for Let's Encrypt to validate that you control the domain and issue the certificate.

Note: Key Manager Plus supports wildcard certificate requests only for DNS-based challenges. For wildcard certificate requests, enter the common name in the format *.domainname.com

To configure your DNS account,

For Azure DNS,

For Cloudflare DNS

Note:

  • One certificate can secure up to 100 domains. You can enter a maximum of 100 names in the 'domain name' field out of which the first name is considered as the common name and the rest are treated as Subject Alternative Names (SAN).
  • Key Manager Plus supports HTTP-01 and DNS-01 domain validation challenges. Choose the challenge type based on your requirements.
  • For dns-01 based domain validation, if you are using your configured DNS account for challenge verification, make sure that the status of the chosen DNS account is marked Enabled under Manage → DNS.
  • Option to change the private key currently works only with the RSA key algorithm.

Step 3: Let's Encrypt challenge verification

Key Manager Plus expedites domain validation through automatic verification of HTTP-01 and DNS-01 challenges (currently for Azure and Cloudflare DNS). For the automation to take effect, you first have to map the end-server details to Key Manager Plus, which is a one-time process.

1. Domain validation through HTTP-01 challenge verification

For domain validation through the HTTP-01 challenge,

Downloading Key Manager Plus agent for Windows servers:

The Key Manager Plus agent package is a zip file comprising the executables and configuration files required for automatic verification of Let's Encrypt challenges. After downloading, you only have to unzip and install the agent on your Windows domain server. To download the agent,

Installing Key Manager Plus agents for Windows server:

To install Key Manager Plus agent as a Windows service

To stop the agent and uninstall the Windows service

2. Domain validation through DNS-01 challenge verification

For DNS-01 challenge verification from Key Manager Plus,

Agent Mapping

In the Deploy window that opens, carry out the following operations to map and save your end-server details in Key Manager Plus.