# Integrating ZeroSSL Certificate Authority with Key Manager Plus Cloud Key Manager Plus Cloud facilitates integration with [ZeroSSL](https://zerossl.com/documentation/acme/index.html) — the certificate authority (CA) that uses the Automatic Certificate Management Environment (ACME) protocol to provide secure SSL certificates free of cost. This integration helps you achieve an end-to-end life cycle management of ZeroSSL certificates installed on your domains from a single interface. This document details the steps to establish a connection with your ZeroSSL account, acquire, deploy, renew and perform all certificate management related operations from Key Manager Plus Cloud. Follow the step-by-step procedure below to integrate ZeroSSL with Key Manager Plus Cloud: 1. [Creating a ZeroSSL Account](#creating-a-zerossl-account) 2. [Creating a Certificate Request](#creating-a-certificate-request) 3. [Procuring and Saving Certificates](#procuring-and-saving-certificates) 4. [Managing Certificates Issued by ZeroSSL CA](#managing-certificates-issued-by-zerossl-ca) ## 1. Creating a ZeroSSL Account To begin the process of requesting SSL certificates from ZeroSSL, you should create a ZeroSSL account (skip to the next section if you already have an account). This is a one-time process and can be done directly from the Key Manager Plus Cloud interface. To create a ZeroSSL account, follow the steps below: 1. Navigate to **Integrations >> ACME Integrations >> ZeroSSL >> Manage**. 2. Under the **Account** tab, click **New Registration**. ![ca-zerossl-1](https://cdn.manageengine.com/sites/meweb/images/key-manager/help-cloud/ca-zerossl-1.png) 3. In the pop-up window that opens, enter an account name and a valid email address. Enter your EAB KID and EAB HMAC Key. Click [here](https://app.zerossl.com/login?u=https%3A%2F%2Fapp.zerossl.com%2Fdeveloper) to generate EAB KID and HMAC Key for your account, if you do not have one already. 4. Enable the checkbox to accept the ZeroSSL subscriber agreement and click **Register**. Now, an account with ZeroSSL is created. Users can update the account email address, delete it from Key Manager Plus Cloud, or deactivate the account entirely. Please note that deleting the account only removes it from Key Manager Plus Cloud. Even if the account is deleted here, it will still be active on the ZeroSSL portal. To add the same account back to Key Manager Plus Cloud, export the key and use the **Add Account** option with the same details used before. However, if the **Deactivate** option is enabled while deleting the account, then the ZeroSSL account will be removed completely and cannot be added back to Key Manager Plus Cloud with the same details. **Caution** - For each new account registration, a new EAB KID has to be created. After successfully registering for an account, the same EAB HMAC key cannot be used again. Click [here](https://zerossl.com/documentation/acme/generate-eab-credentials/) to read the ZeroSSL document for more details. - Only administrators can perform the above operation. Also, only one ZeroSSL account can be created from Key Manager Plus Cloud. ## 2. Creating a Certificate Request Once your ZeroSSL account is registered, you can proceed with raising certificate requests to the CA. To complete a certificate request, you will be presented with a challenge verification to fulfill in order to validate your domain and issue the certificate you have requested. Follow the steps below to raise a certificate request: 1. Navigate to **Integrations >> ACME Integrations >> ZeroSSL** and click **Certificate Request**. 2. On the page that appears, fill in the **Common Name, SAN**, select the **Challenge Type, Key Algorithm, Algorithm Length, Signature Algorithm, Keystore Type**, and enter the **Keystore Password**. ![ca-zerossl-2](https://cdn.manageengine.com/sites/meweb/images/key-manager/help-cloud/ca-zerossl-2.png) 3. For dns-01 challenge type, choose and assign a DNS account from the dropdown if there is already a DNS account configured. This will be used for automatic challenge verification for all the domains specified in the request. For information about adding a DNS account in Key Manager Plus Cloud, refer to [this document](https://www.manageengine.com/key-manager/help-cloud/configure-dns-account.html). 4. Click **Create** to create a certificate request. 5. In addition, users have options to change the private key whenever the certificate is renewed. 1. Select **New Key** to change the key on each renewal. 2. Select **Same Key** to retain the key on each renewal. 3. Select **Import Key** to use your own key. This key will be used for the first time when the certificate is generated and also for subsequent renewals. Upon creating a certificate request, you have to verify the ownership of your domain through HTTP-01 and DNS-01 challenges (currently Azure, Cloudflare, Amazon Route 53, RFC 2136 DNS update, GoDaddy DNS, ClouDNS, and DNS Made Easy). For the process to take effect, you have to initially map the end-server details to Key Manager Plus Cloud, which is a one-time process. For more details about domain verification and challenge deployment, refer to [this document](https://www.manageengine.com/key-manager/help-cloud/ssl-integrations-dcv.html). ## 3. Procuring and Saving Certificates On successful verification, ZeroSSL issues the requested certificate and the window automatically redirects to a page which displays the certificate and its status (status is marked as **Available** if the challenge verification is successful, and **Failed** if the challenge verification failed). To procure and save the certificate, follow the steps below: 1. Click the **Available** button to save the certificate in Key Manager Plus Cloud and email or export it. 2. On saving, the certificate gets added, which can be viewed from the **SSL >> Certificates** tab. 3. If the challenge fails, click **New challenge** to obtain another set of challenges and repeat the above process. ## 4. Managing Certificates Issued by ZeroSSL CA This section explains how to renew, revoke, and delete certificates issued by ZeroSSL CA. **Additional Detail** To view the history of the certificates issued by ZeroSSL CA, click the **Certificate History** icon in the certificate list. ### 4.1 Renewing Certificates Certificates issued by ZeroSSL have a life-time of 90 days after which they are not valid. To renew a certificate manually, follow these steps: 1. Navigate to **Integrations >> ACME Integrations >> ZeroSSL**. 2. Select the certificate you want to renew and click **Renew Certificate** from the top menu. ![ca-zerossl-3](https://cdn.manageengine.com/sites/meweb/images/key-manager/help-cloud/ca-zerossl-3.png) 3. Once the renewal is complete, the certificate status will be updated to **Renewed** in the **Certificate Status** bar. 4. Click on it to save the renewed version of the certificate to Key Manager Plus Cloud. **Caution** The certificate should be saved after renewal in order to be updated in the certificate inventory. Else, only the old version of the certificate will continue to remain in the inventory. ### 4.2 Revoking Certificates Revoking a certificate renders the certificate invalid and immediately removes the HTTPS from the website. To revoke a certificate, follow the steps below: 1. Navigate to **Integrations >> ACME Integrations >> ZeroSSL**. 2. Select a certificate you want to revoke and click **Revoke Certificate** from the top menu. The certificate will be revoked and no longer remains valid. ### 4.3 Deleting Certificates Deleting a certificate removes the certificate from Key Manager Plus Cloud, but the certificate remains valid. To delete a certificate, follow the steps below: 1. Navigate to **Integrations >> ACME Integrations >> ZeroSSL**. 2. Select the certificate you want to delete and click **More >> Delete**. 3. In the confirmation pop-up that appears, click **OK**. Now, the certificate will be deleted from Key Manager Plus Cloud.