# Integrating Entrust Certificate Authority with Key Manager Plus Cloud

Key Manager Plus Cloud facilitates integration with Entrust Certificate Authority, a prominent provider of SSL/TLS certificates and digital identity solutions. This integration harnesses the Entrust API, empowering users to effortlessly request, acquire, import, renew, and reissue certificates directly from Key Manager Plus Cloud. Streamline the lifecycle management of certificates in your environment by leveraging a range of operations supported through this integration.

This document guides you through the steps to effectively handle the lifecycle of SSL or TLS certificates issued by Entrust CA, encompassing tasks such as importing existing orders, creating new certificate requests, and managing the certificates.

Refer to the sections that follow to learn more about Entrust integration and certificate management with Key Manager Plus Cloud:

1. [Adding Entrust Certificate Authority Details](#adding-entrust-certificate-authority-details)
2. [Importing Existing Certificate Orders](#importing-existing-certificate-orders)
3. [Creating a New Certificate Order](#creating-new-certificate-order)
4. [Checking Order Status](#checking-order-status)
5. [Updating Certificate Status](#updating-certificate-status)
6. [Managing Certificates Issued by Entrust CA](#managing-certificates-issued-by-entrust-ca)

## 1. Adding Entrust Certificate Authority Details

To begin managing SSL certificates issued by Entrust from Key Manager Plus Cloud, users should add their Entrust account in Key Manager Plus Cloud using their unique API key. If there is no Entrust account, contact the Entrust team to sign up and get the login credentials. Upon getting an Entrust account, follow the steps below to generate an API key to begin the integration process.

1. Log in to your Entrust account.
2. Navigate to **Administration >> Advanced Settings >> API** and click **Generate credentials**.
3. In the dialogue box that opens, enter the API Key details and click **Generate**.
4. Upon generation, users will get a username and an API Key to use the Entrust platform via REST API.

**Additional Detail**

Refer to this [Entrust documentation](https://files.entrust.com/webhelp/ECS/legacy/en/cms/index_csh.htm#rhsearch=generate%20api%20credentials&t=CMS_User_Guide%2FManaging_users%2FAdding_an_API_administrator.htm&ux=search) for more information about generating an API key from the Entrust portal.

Now, log in to Key Manager Plus Cloud and add the Entrust credential with the unique username and API key by performing the steps below:

1. Navigate to **Integrations >> Public CA Integrations >> Entrust** and click **Manage**.
2. In the new page that appears, click **Add** to add an Entrust credential.
3. In the dialogue box that opens, enter the **Credential Name, Username, and API Key** and click **Save**. This is a one-time operation.

   ![ca-entrust-1](https://cdn.manageengine.com/sites/meweb/images/key-manager/help-cloud/ca-entrust-1.png)
4. Users can also click **Test Login** to check the communication between Entrust and Key Manager Plus Cloud.

Once the Entrust account details are linked to Key Manager Plus Cloud, the system retrieves vital information such as domains, organizations, and products (certificate profiles) and organizes them under the individual tabs with corresponding details. These details are crucial as Entrust issues certificates based on them. For further manual synchronization, use the **Sync** option under each tab for **Organizations, Domains, and Products**. Alternatively, users can also sync **Organizations, Domains**, or **Products** for a particular credential directly from the **Credentials** tab.

Upon successfully linking the Entrust account with Key Manager Plus Cloud, users can start importing existing certificate orders or creating new certificate orders directly from Key Manager Plus Cloud.

## 2. Importing Existing Certificate Orders

If the users have an active Entrust account, it is likely that they currently have ongoing certificate orders. Key Manager Plus Cloud offers the convenience of not only initiating new certificate orders but also importing and effectively managing all existing orders from the Entrust portal through its user-friendly interface.

To import the existing certificate orders, follow these steps:

1. Navigate to the **Integrations >> Public CA Integrations >> Entrust** window.
2. Click **More >> Import Existing Orders** from the top menu.

   ![ca-entrust-2](https://cdn.manageengine.com/sites/meweb/images/key-manager/help-cloud/ca-entrust-2.png)
3. Select the **API Credential**, enable the necessary exclusions, and click **Import**.

This process ensures that all the prevailing certificate orders linked to your Entrust account are seamlessly imported into Key Manager Plus Cloud for streamlined management.

## 3. Creating a New Certificate Order

To place a new certificate order in Entrust from Key Manager Plus Cloud, follow these steps:

1. Navigate to the **Integrations >> Public CA Integrations >> Entrust** tab and click **Order Certificate** from the top menu.

   ![ca-entrust-3](https://cdn.manageengine.com/sites/meweb/images/key-manager/help-cloud/ca-entrust-3.png)
2. In the window that opens, select the **Credential Name, Organization, Product, Domain**, and **Extended Key Usage** attributes accordingly.
3. Select the CSR from Key Manager Plus Cloud and provide the corresponding **Private Key** and **Private Key** passwords as desired. Users also have the option to either input the CSR content directly or choose the CSR created via Key Manager Plus Cloud, eliminating the need to select it from your local files.
4. Select the required **Signature Algorithm** and **Expiration Date**.
5. Enter the **Certificate Friendly Name, Requester Name, Email**, and **Phone** details accordingly as required.
6. Complete any additional fields mandated by your Entrust administrator to proceed with creating the certificate order.
7. Enable the following checkboxes as required:
   1. **I agree to queue the request for Entrust Administrator approval - The certificate order request will be queued for approval by an Entrust administrator.**
   2. **I agree to send the certificate content for CT Logs - The contents of the certificate, including hostnames, will be publicly visible.**
8. Verify your details and click **Order Certificate**.

**Additional Detail**

If you find any mismatch in the Entrust-related details (Organization/Product/Domain) displayed here, please verify the details in the Entrust portal and then perform a manual sync under **Entrust >> Manage** in Key Manager Plus Cloud to refresh the details. For assistance with any other discrepancies related to the Entrust account, please contact the Entrust customer support team.

## 4. Checking Order Status

Once a certificate order is successfully created, you can view it under the **Integrations >> Public CA Integrations >> Entrust** window, with its status displayed to the right. To track the certificate availability for an order, select the order and click **Check Order Status** from the top pane. Once a certificate is issued, it is fetched and added to Key Manager Plus Cloud. Users can view it under **SSL >> Certificates**.

**Additional Detail**

The certificates issued are automatically added to Key Manager Plus Cloud only if there is enough license count. If not, users should renew their Key Manager Plus Cloud license before attempting to import any certificates. However, it does not delete the certificate request from Entrust; the certificate can still be viewed and managed from the Entrust portal.

## 5. Updating Certificate Status

Utilize the **Update Certificate Status** option in the top menu to validate certificates based on your specific needs.
**Approve, Decline, Suspend**, or **Resume** certificate orders as necessary. Please note that administrative privileges from an Entrust credential are essential within Key Manager Plus Cloud to execute these actions. If an administrative privileged credential is not present in Key Manager Plus Cloud, the user possessing administrative privileges in Entrust can alternatively perform these actions directly through the Entrust portal.

![ca-entrust-4](https://cdn.manageengine.com/sites/meweb/images/key-manager/help-cloud/ca-entrust-4.png)

## 6. Managing Certificates Issued by Entrust CA

If the private key associated with a certificate is compromised or lost, it is essential to renew, reissue, revoke, or delete the certificate accordingly to maintain security best practices. Users can directly perform these actions in Key Manager Plus Cloud using the Entrust integration with a valid privileged Entrust credential.

### 6.1 Renewing Certificates

**6.1.1 Manual Certificate Renewal**

Perform the following actions to manually renew an Entrust-issued SSL certificate through Key Manager Plus Cloud:

1. Navigate to **Integrations >> Public CA Integrations >> Entrust**.
2. Select the desired certificate and click **Renew Certificate** from the top menu.
3. Enter the required information on the subsequent page and click **Renew Certificate**.

   ![ca-entrust-5](https://cdn.manageengine.com/sites/meweb/images/key-manager/help-cloud/ca-entrust-5.png)

Upon successful validation, the certificate will be renewed and added to the Key Manager Plus Cloud certificate inventory.

**Caution**

Ensure that the renewed certificate is deployed in the exact location where the previous certificate was in use. This step is crucial to maintain a secure and consistent connection. Follow the instructions specified [here](https://www.manageengine.com/key-manager/help-cloud/deploy-ssl-certificates.html) to ensure a proper certificate deployment.

**6.1.2 Automated Certificate Renewal**

Before configuring the auto-renewal process for Entrust-issued SSL certificates, perform the following actions:

1. Navigate to **Integrations >> Public CA Integrations >> Entrust >> Manage**.
2. Click the **View Custom Fields** icon of a credential.
3. Click the **Sync** button to import any newly added custom fields from Entrust into Key Manager Plus Cloud.
4. On the **Custom Fields** page, click **Set Custom Field Values** to add the default values to the Entrust custom fields.

   ![ca-entrust-6](https://cdn.manageengine.com/sites/meweb/images/key-manager/help-cloud/ca-entrust-6.png)
5. Users can either enter the default values or enable the **Ignore the Default Value if the custom field has an existing value** checkbox to use the existing value associated with the respective custom field during certificate renewal.
6. Click **Save** to apply the changes.

Follow these steps to configure the auto-renewal process for the desired Entrust-issued SSL certificates:

1. Navigate to **Integrations >> Public CA Integrations >> Entrust >> Manage**.
2. On the page that appears, click the **Auto-Renewal** tab and toggle on the **Auto-Renew** button.
3. Enter the number of days before expiry when the auto-renewal process should be carried out.
4. Select the certificates you want to auto-renew and set the validity.
5. Click **Save** to apply the auto-renewal configuration for the selected Entrust certificates.
6. Tick the checkbox below the Save button to trigger email notifications for auto-renewal failures.

**Caution**

Do not attempt to manually renew the orders that are configured with the **Auto-Renewal** process. Based on the configured details, the auto-renewal process will be carried out.

Click **Auto-Renewal Audit** to get insights about the certificates renewed through the auto-renewal process.

### 6.3 Reissuing Certificates

Reissuing a certificate in Key Manager Plus Cloud generates a new certificate with the same information, such as an organization name, domain name, expiry date, etc., with a new key pair, thus preventing unauthorized access and misuse of the compromised key.

To reissue a certificate, follow the steps below:

1. Navigate to **Integrations >> Public CA Integrations >> Entrust**.
2. Select the required certificate and click **Reissue Certificate** from the top menu.
3. On the page that opens, fill in the necessary information and click **Reissue Certificate**.

Upon successful validation, the certificate will be issued and automatically included in Key Manager Plus Cloud.

**Caution**

Ensure that the reissued certificate is deployed in the exact location where the previous certificate was in use. This step is crucial for maintaining a secure and consistent connection. Follow the instructions carefully to ensure proper deployment.

### 6.4 Revoking Certificates

To revoke a certificate from Key Manager Plus Cloud, perform the following action:

1. Navigate to **Integrations >> Public CA Integrations >> Entrust**.
2. Select the required certificate and click **More >> Revoke Certificate** from the top menu.
3. In the dialog box that appears, select the **Revoke Reason** and **Comments** from the respective dropdowns. Then, click **Revoke**.

   ![ca-entrust-7](https://cdn.manageengine.com/sites/meweb/images/key-manager/help-cloud/ca-entrust-7.png)
4. Upon successful action, the certificate will be revoked. Go to the **SSL >> Certificates** tab and delete the certificate to remove it from Key Manager Plus Cloud.

### 6.5 Deleting a Certificate Order

To delete the certificate order from Key Manager Plus Cloud, perform the following action:

1. Navigate to **Integrations >> Public CA Integrations >> Entrust**.
2. Select the required certificate orders and click **More >> Delete** from the top menu.

Upon execution, the certificate orders will be deleted from Key Manager Plus Cloud and the related certificate will remain intact in the **SSL** tab.

**Additional Detail**

The **Delete** option only removes the certificate order from Key Manager Plus Cloud, and you can no longer manage it from Key Manager Plus Cloud. However, it does not delete the certificate order from Entrust; the certificate can still be viewed and managed from the Entrust portal.
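
The Caution notes under renewal (6.1.1) and reissue (6.3) ask that the new certificate be deployed wherever the previous one was in use. The following is an added example, not part of Key Manager Plus Cloud or Entrust: a Python check that reports which endpoints still serve the old certificate. The host names, the `audit_deployment` helper and the sample "certificates" (placeholder bytes in PEM armor, not real certificates) are assumptions made for illustration.

```python
import hashlib
import ssl


def fingerprint(pem: str) -> str:
    """SHA-256 fingerprint (lowercase hex) of a PEM certificate's DER bytes."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def fetch_served_pem(host: str, port: int) -> str:
    """Fetch the leaf certificate an endpoint presents (no chain validation)."""
    return ssl.get_server_certificate((host, port))


def audit_deployment(endpoints, old_pem, new_pem, fetch=fetch_served_pem):
    """Classify each (host, port) by the certificate it currently serves."""
    old_fp, new_fp = fingerprint(old_pem), fingerprint(new_pem)
    report = {}
    for host, port in endpoints:
        try:
            served = fingerprint(fetch(host, port))
        except (OSError, ValueError) as exc:  # network/TLS failure or bad PEM
            report[(host, port)] = f"error: {type(exc).__name__}"
            continue
        if served == new_fp:
            report[(host, port)] = "new"         # renewed/reissued cert is live
        elif served == old_fp:
            report[(host, port)] = "stale"       # previous cert still deployed
        else:
            report[(host, port)] = "unexpected"  # neither old nor new
    return report


# Constructed sample data: placeholder bytes wrapped as PEM, not real certs.
SAMPLE_OLD = ssl.DER_cert_to_PEM_cert(b"constructed-old-certificate")
SAMPLE_NEW = ssl.DER_cert_to_PEM_cert(b"constructed-new-certificate")
SAMPLE_SERVED = {
    "web1.example.test": SAMPLE_NEW,
    "web2.example.test": SAMPLE_OLD,
    "web3.example.test": ssl.DER_cert_to_PEM_cert(b"constructed-other"),
}


def sample_fetch(host, port):
    """Offline stand-in for fetch_served_pem using the constructed data."""
    if host not in SAMPLE_SERVED:
        raise ConnectionRefusedError(host)
    return SAMPLE_SERVED[host]


if __name__ == "__main__":
    hosts = [(h, 443) for h in list(SAMPLE_SERVED) + ["web4.example.test"]]
    for ep, state in audit_deployment(hosts, SAMPLE_OLD, SAMPLE_NEW, sample_fetch).items():
        print(ep, state)
```

Against live endpoints, omit the `fetch` argument and pass the PEM files of the previous and the renewed or reissued certificate; any endpoint reported as `stale` is still presenting the old certificate, which after a key compromise means the old key is still in use.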