Integrating ZeroSSL Certificate Authority with Key Manager Plus Cloud

Key Manager Plus Cloud facilitates integration with ZeroSSL — the certificate authority (CA) that uses the Automatic Certificate Management Environment (ACME) protocol to provide secure SSL certificates free of cost. This integration helps you achieve an end-to-end life cycle management of ZeroSSL certificates installed on your domains from a single interface. This document details the steps to establish a connection with your ZeroSSL account, acquire, deploy, renew and perform all certificate management related operations from Key Manager Plus Cloud.

Follow the step-by-step procedure below to integrate ZeroSSL with Key Manager Plus Cloud:

  1. Creating a ZeroSSL Account
  2. Creating a Certificate Request
  3. Procuring and Saving Certificates
  4. Managing Certificates Issued by ZeroSSL CA

1. Creating a ZeroSSL Account

To begin the process of requesting SSL certificates from ZeroSSL, you should create a ZeroSSL account (skip to the next section if you already have an account). This is a one-time process and can be done directly from the Key Manager Plus Cloud interface. To create a ZeroSSL account, follow the steps below:

  1. Navigate to Integrations >> ACME Integrations >> ZeroSSL >> Manage.
  2. Under the Account tab, click New Registration.
    ca-zerossl-1
  3. In the pop-up window that opens, enter an account name and a valid email address. Enter your EAB KID and EAB HMAC Key. Click here to generate EAB KID and HMAC Key for your account, if you do not have one already.
  4. Enable the checkbox to accept the ZeroSSL subscriber agreement and click Register.

Now, an account with ZeroSSL is created. Users can update the account email address, delete it from Key Manager Plus Cloud, or deactivate the account entirely. Please note that deleting the account only removes it from Key Manager Plus Cloud. Even if the account is deleted here, it will still be active on the ZeroSSL portal.

To add the same account back to Key Manager Plus Cloud, export the key and use the Add Account option with the same details used before. However, if the Deactivate option is enabled while deleting the account, then the ZeroSSL account will be removed completely and cannot be added back to Key Manager Plus Cloud with the same details.

Caution

  • For each new account registration, a new EAB KID has to be created. After successfully registering for an account, the same EAB HMAC key cannot be used again. Click here to read the ZeroSSL document for more details.
  • Only administrators can perform the above operation. Also, only one ZeroSSL account can be created from Key Manager Plus Cloud.

2. Creating a Certificate Request

Once your ZeroSSL account is registered, you can proceed with raising certificate requests to the CA. To complete a certificate request, you will be presented with a challenge verification to fulfill in order to validate your domain and issue the certificate you have requested.

Follow the steps below to raise a certificate request:

  1. Navigate to Integrations >> ACME Integrations >> ZeroSSL and click Certificate Request.
  2. On the page that appears, fill in the Common Name, SAN, select the Challenge Type, Key Algorithm, Algorithm Length, Signature Algorithm, Keystore Type, and enter the Keystore Password.
    ca-zerossl-2
  3. For dns-01 challenge type, choose and assign a DNS account from the dropdown if there is already a DNS account configured. This will be used for automatic challenge verification for all the domains specified in the request. For information about adding a DNS account in Key Manager Plus Cloud, refer to this document.
  4. Click Create to create a certificate request.
  5. In addition, users have options to change the private key whenever the certificate is renewed.
    1. Select New Key to change the key on each renewal.
    2. Select Same Key to retain the key on each renewal.
    3. Select Import Key to use your own key. This key will be used for the first time when the certificate is generated and also for subsequent renewals.

Upon creating a certificate request, you have to verify the ownership of your domain through HTTP-01 and DNS-01 challenges (currently Azure, Cloudflare, Amazon Route 53, RFC 2136 DNS update, GoDaddy DNS, ClouDNS, and DNS Made Easy). For the process to take effect, you have to initially map the end-server details to Key Manager Plus Cloud, which is a one-time process. For more details about domain verification and challenge deployment, refer to this document.

3. Procuring and Saving Certificates

On successful verification, ZeroSSL issues the requested certificate and the window automatically redirects to a page which displays the certificate and its status (status is marked as Available if the challenge verification is successful, and Failed if the challenge verification failed).

To procure and save the certificate, follow the steps below:

  1. Click the Available button to save the certificate in Key Manager Plus Cloud and email or export it.
  2. On saving, the certificate gets added, which can be viewed from the SSL >> Certificates tab.
  3. If the challenge fails, click New challenge to obtain another set of challenges and repeat the above process.

4. Managing Certificates Issued by ZeroSSL CA

This section explains how to renew, revoke, and delete certificates issued by ZeroSSL CA.

Additional Detail

To view the history of the certificates issued by ZeroSSL CA, click the Certificate History icon in the certificate list.

4.1 Renewing Certificates

Certificates issued by ZeroSSL have a life-time of 90 days after which they are not valid.

To renew a certificate manually, follow these steps:

  1. Navigate to Integrations >> ACME Integrations >> ZeroSSL.
  2. Select the certificate you want to renew and click Renew Certificate from the top menu.
    ca-zerossl-3
  3. Once the renewal is complete, the certificate status will be updated to Renewed in the Certificate Status bar.
  4. Click on it to save the renewed version of the certificate to Key Manager Plus Cloud.

Caution

The certificate should be saved after renewal in order to be updated in the certificate inventory. Else, only the old version of the certificate will continue to remain in the inventory.

4.2 Revoking Certificates

Revoking a certificate renders the certificate invalid and immediately removes the HTTPS from the website.

To revoke a certificate, follow the steps below:

  1. Navigate to Integrations >> ACME Integrations >> ZeroSSL.
  2. Select a certificate you want to revoke and click Revoke Certificate from the top menu.

The certificate will be revoked and no longer remains valid.

4.3 Deleting Certificates

Deleting a certificate removes the certificate from Key Manager Plus Cloud, but the certificate remains valid.

To delete a certificate, follow the steps below:

  1. Navigate to Integrations >> ACME Integrations >> ZeroSSL.
  2. Select the certificate you want to delete and click More >> Delete.
  3. In the confirmation pop-up that appears, click OK.

Now, the certificate will be deleted from Key Manager Plus Cloud.




Top