Key Manager Plus Cloud Agent
Key Manager Plus Cloud enables users to discover and manage certificates deployed across their network through Key Manager Plus Cloud agents. These lightweight agents can be installed on remote machines, especially those not directly connected to the server where Key Manager Plus Cloud is hosted, to perform certificate-related operations seamlessly.
This guide provides step-by-step instructions for installing and managing the Key Manager Plus Cloud Agent on Windows-based remote systems.
Currently, Key Manager Plus Cloud Agent is only available for Windows servers.
- Key Manager Plus Cloud agent should run as a service on the target machine with the administrator account.
- The domains keymanagerplus.manageengine.com, dms.zoho.com, and uploads.zoho.com (region may vary) should be reachable from the server where the agent is installed.
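A pre-install check for the two prerequisites above, written as an added example (it is not part of the product or of ManageEngine's documentation). It assumes the agent reaches the listed domains over HTTPS on TCP 443, which this page does not state; the function names `Test-IsAdministrator` and `Test-Endpoint` are hypothetical.

```powershell
# Added example: verifies elevation and reachability of the domains listed above.
# Assumption: the service is reached over HTTPS (TCP 443); the page does not give a port.
$Port = 443
$Domains = @(
    'keymanagerplus.manageengine.com',   # hostnames may differ by region
    'dms.zoho.com',
    'uploads.zoho.com'
)

function Test-IsAdministrator {
    # True when the current PowerShell session holds the local Administrators role.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-Endpoint {
    param([string]$HostName, [int]$Port)
    $result = [ordered]@{ Host = $HostName; Resolved = $false; TcpOpen = $false; TlsIssuer = $null; Error = $null }
    $client = $null; $ssl = $null
    try {
        [void][System.Net.Dns]::GetHostAddresses($HostName)          # DNS resolution
        $result.Resolved = $true
        $client = New-Object System.Net.Sockets.TcpClient
        if (-not $client.ConnectAsync($HostName, $Port).Wait(5000)) { throw "TCP connect timed out" }
        $result.TcpOpen = $true
        # TLS handshake with default chain and hostname validation; an untrusted chain lands in Error.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $result.TlsIssuer = $ssl.RemoteCertificate.Issuer
    } catch {
        $result.Error = $_.Exception.GetBaseException().Message
    } finally {
        if ($ssl)    { $ssl.Dispose() }
        if ($client) { $client.Close() }
    }
    [pscustomobject]$result
}

"Running elevated: $(Test-IsAdministrator)"
$Domains | ForEach-Object { Test-Endpoint -HostName $_ -Port $Port } | Format-Table -AutoSize
```

The `TlsIssuer` column shows who issued the certificate the server actually presented; an issuer belonging to an internal proxy indicates TLS inspection on the path, which is worth knowing before the agent starts sending certificate data through it.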
At the end of this document, you will have learned the following topics in detail:
- Installing the Agent
- Managing the Key Manager Plus Cloud Agents
- Discovering the Certificates using Agents
- Signing the Certificates using Agents
- Deploying the Certificate Group using Agents
- Deploying the Certificates on Multiple Servers using Agents
1. Installing the Agent
The Key Manager Plus Cloud agents can be installed on any Windows machine as long as it can connect to the required CA, where the certificates are located.
To install the agent on a target server, follow these steps:
- Navigate to Discovery >> Agent >> Download Windows Agent. You can also download the agent from SSL >> Certificates >> Windows Agents >> Download Windows Agent.
- From the dialog box that opens, download the executable agent file. The downloaded package already contains the configurations needed to perform the required operations. In addition, ensure that the account used on the server where the agent is installed has sufficient privileges to perform certificate discovery. Also, copy the install key and save it in a secure location.

The install key is automatically revoked after the agent installation. To install the same agent on another server, generate a new install key from the Key Manager Plus Cloud and use it during the next installation.
- Run the downloaded executable agent file on the machine with administrator rights.
- In the installation wizard that opens, continue by specifying the agent installation directory and the copied agent install key to complete the installation.
- Upon successful installation, any previously installed agent on the endpoint (KMPAgentInstaller) will be removed and the new agent will start automatically. You can verify the new agent version from the Key Manager Plus Cloud web interface.
After a successful installation, the deployed agent on the endpoint will appear under the SSL >> Certificates >> Windows Agents section in Key Manager Plus Cloud, displaying the relevant endpoint details. If the agent does not appear in the Windows Agents section after the installation, follow the steps below to troubleshoot and reinstall:
- Open the Command Prompt with administrator privileges and navigate to the folder where the agent is installed. For example: C:\Program Files (x86)\ManageEngine\KMPCLOUDAGENT
- Execute the following command to run the installer:
Installer.exe setserverconfig
- Execute the following command to configure the server IP details for the agent (replace 99.99.99.99 with the IP address of the server where the agent is installed):
Installer.exe setserverconfig serverip 99.99.99.99
2. Managing the Key Manager Plus Cloud Agents
Key Manager Plus Cloud enables administrators to monitor and manage the agents deployed across various endpoints, providing detailed insights into agent activities and performance. To manage the Key Manager Plus Cloud agents, follow the steps below:

- Navigate to SSL >> Certificates >> Windows Agents.
- In the window that appears, you will see a list of all Key Manager Plus Cloud agents installed at the endpoints. For each agent, the following details are displayed:
- IP Address
- Username
- Agent Version
- Installation Time
- Heartbeat Interval
- Last Heartbeat
- Last Operation Performed
- To remove any agent from the list, select the desired agent and click Delete from the top menu. In the pop-up that appears, confirm your action to delete the agent.
3. Discovering the Certificates using Agents
To discover certificates via agents, follow the steps below:
- Navigate to Discovery >> Agent and select the agent installed on the required server. Alternatively, go to SSL >> Certificates >> Windows Agents, choose the agent, and click Discovery.
- In the pop-up window, choose one of the following discovery methods:

- DMZ: To discover certificates from servers located in a demilitarized zone,
- Select the discovery method: Hostname / IP Address or IP Address Range.
- Enter the Hostname/IP Address, Timeout value in minutes, and Port.
- Click Discover to discover the certificates.
- Certificate Store: To discover the certificates from the local certificate store,
- Enter the Store Name and Timeout value.
- Click Get Stores to retrieve available store names, select the desired one from the drop-down list, and click Discover.
- Microsoft Certificate Authority: To discover the local CA-issued certificates,
- Enter the Server Name, Certificate Authority, and select the required filters, such as Expired, Revoked, Date Filter, or Template Name / OID.
- If you are using Template Name / OID, enter the template name or click Get Templates to retrieve a list of available templates (select up to five).
- Enter the Timeout value in minutes and click Discover.
- Directory: To discover certificates from a specific file path,
- Enter the Path and Timeout value in minutes.
- To import a selected set of certificates from the given path, click Discover certificate list, select the desired certificates, and click Discover.
Once discovered, the certificates are imported into the centralized Key Manager Plus Cloud certificate inventory. To view the certificates, navigate to SSL >> Certificates >> Windows Agents. To view the certificates associated with a specific agent, click the Hostname of that agent.

4. Signing the Certificates using Agents
- Navigate to SSL >> Certificates >> Windows Agents, select the required Key Manager Plus Cloud agent installed on the endpoint, and click Sign.

- In the pop-up, provide the following:
- Server Name and Certificate Authority.
- Template Name / OID, or click Get Templates to fetch the available templates.
- Timeout (in seconds) - the time within which the agent must respond. If the agent does not respond within the set time, the operation will be audited as failed.
- Select the required CSR from the dropdown.
- Click Sign to sign the certificates using the Key Manager Plus Cloud agent. The certificate will be successfully signed and available in the inventory.
5. Deploying the Certificate Group using Agents
Key Manager Plus Cloud agent allows users to deploy a certificate group directly to a server within the interface. To deploy a certificate group using Key Manager Plus Cloud agent, follow the steps below:
- Navigate to SSL >> Certificates >> Windows Agents and select the agent installed on the target server.

- Click Deploy and choose the target server from the dropdown.
- Based on the deployment server, perform the following steps:
- Windows: Select the Certificate Group, enter the Path, select the relevant checkboxes: Certificate and/or JKS/PKCS, and choose the appropriate File Type and/or Keystore Type, then click Deploy.
- Microsoft Store: Select the Certificate Group and click Deploy.
- Internet Information Services (IIS): Select the Certificate Group and click Deploy.
- IIS Binding: Select the Certificate Group, enter the Site Name and click Get Bindings.
- Click Manage to configure the certificate group, and click Save to apply the changes.
Now, the certificates in the group will be deployed and viewable under the SSL tab.
6. Deploying the Certificates on Multiple Servers using Agents
You can deploy the certificates across multiple servers using Key Manager Plus Cloud agents. This feature allows you to add, edit, and sync deployed servers, as well as enable automatic certificate deployment upon renewal. For detailed information, refer to this document.