- Mail Server Settings
- Proxy Server Settings
- Privacy Settings
- SSL Settings
- Policy Configuration
- Notification Policy
1. Mail Server Settings
After installation, you need to carry out certain basic settings. The first setting is related to configuring the mail server to let Key Manager Plus send emails directly from within the application without the need of an external mail client. You need to configure the SMTP server details as given in the steps below. Key Manager Plus users can be notified regarding schedules, policy enforcements, and reports, only through email. The same settings are also used while exporting the certificate, digital key files via email; and also for the Forgot Password option in the login page.
To set/modify the mail server settings:
- Navigate to the Settings >> General Settings >> Mail Server tab in the GUI.
- Enter the server name and specify the port used for communication. Enter the User Name and Password for authentication.
- Enter the from and to mail addresses.
- Click the Test Mail button to send a test mail to the address specified, and verify the settings.
- Click the Save button.
You will get a confirmation that the mail server settings have been updated.
2. Proxy Server Settings
You then need to specify how you want to connect to the Internet - directly or over a proxy.
To set/modify the proxy server settings:
- Navigate to the Settings >> General Settings >> Proxy Server tab in the GUI.
- You can connect to the Internet either directly or using a proxy server.
- If you choose to connect using proxy server, enter the details of the server, and the user credential.
- Click Save.
You will get a confirmation message that the proxy server settings have been updated.
2.1 SNMP Settings
Key Manager Plus facilitates raising SNMP traps to management systems within your network for various key and certificate management operations performed from within the application. On the occurrence of a configured operation, an SNMP v2c trap is sent to the specified host and port. The varbinds include the name of the user who operated, date and time and the reason of the operation that resulted in the event.
To configure your SNMP server details,
- Navigate to Settings >> General Settings >> SNMP in Key Manager Plus web interface.
- Specify the hostname of the SNMP manager, port number and specify the SNMP community string.
- Click Save.
You will get a confirmation message that the SNMP server details have been configured.
2.2 Syslog settings
You can configure Key Manager Plus to generate and send RFC-3164 compliant Syslog messages to a dedicated server and port within your network. Syslog notification can be configured for the occurrence of key / certificate expiration, and for various other key / certificate management operations performed from the product.
To configure Syslog settings,
- Navigate to Settings >> General Settings >> SysLog Settings in Key Manager Plus web interface.
- Specify the IP address of the syslog server and the port number.
- Click Save.
You will get a confirmation message that the Syslog server details have been configured.
Click here to learn more about privacy settings.
4. SSL Settings
Key Manager Plus provides certain settings exclusive to SSL related operations that can be customized based on user requirements. They are:
4.1 Certificate History
Key Manager Plus allows you to group the certificates under a common name. To enable this,
- Navigate to Settings >> SSL >> Certificate History.
- Choose Enable or Disable the Group Certificates by CommonName option.
- Enabling the option will group the certificates under one Common Name.
- Disabling this option will create new certificates based on the unique Serial Numbers assigned to the certificates.
- To view these certificates, navigate to SSL >> Certificates and enable Certificate History from column chooser.
- Now, click the certificate history icon corresponding to the required certificate to view the certificates.
Note: On certificate renewal, the older version of the renewed certificate will be moved to Certificate History.
4.2 Vulnerability Scan
- Key Manager Plus provides users with the option to enable or disable the SSL vulnerability tasks created in schedules.
- There is an option to enable or disable SSLv3 protocol in Key Manager Plus server.
Note: The SSLv3 protocol should be enabled in Key Manager Plus server in order to perform the SSL vulnerability scan in target resources. By default, this setting is turned off.
4.3 SSL Fingerprint
By default, the SSL certificates in Key Manager Plus are configured with SHA1 fingerprint value. If you need your SSL certificates to be updated with SHA256 fingerprint value for increased security reasons, follow the below steps:
- Navigate to 'Settings >> SSL >> SSL Fingerprint'.
- Select the SHA256 fingerprint value and click Save.
- Post this change, the SSL certificates generated or imported into Key Manager Plus will have SHA256 as the fingerprint value.
- If you want to change your preexisting SSL certificates to SHA256 fingerprint value, enable the checkbox 'Change the Certificate fingerprint for all the existing certificates' before changing the fingerprint value.
4.4 Certificate Renewal
Key Manager Plus provides an option to automatically renew SSL certificates issued by Microsoft Certificate Authority and certificates self-signed from within the Key Manager Plus UI. When enabled, the corresponding certificates are renewed according to the recurrence time specified, and updated in Key Manager Plus certificate repository. The certificates that are due to expire in the number of days mentioned in the Days to Expire field will also be auto-renewed. Select the checkbox to Exclude auto-renewal certificates from email notifications. This allows the certificates marked for auto-renewal to be excluded from the email notifications even if they fall under the expiry notification configuration. Select the Send expiry notification for the previous version after the successful renewal option to send expiry notification emails for the previous versions of the certificates after their renewal.
Note: For successful Microsoft CA auto renewal, ensure that the domain administrator account is used as Key Manager Plus service logon account.
4.5 Certificates Sync Status
Key Manager Plus allows users to perform periodic and automatic checks on the synchronization status on the SSL certificates deployed to multiple servers. When enabled, Key Manager Plus gives you options to check for out-of-sync servers and delete the servers in which there is a certificate mismatch. Follow the below steps to enable certificate sync status check:
- Navigate to 'Settings >> SSL >> Certificates Sync Status'.
- Click Enable and enter a recurrence time interval in hours or minutes.
- Check only the Non-Sync servers - select this option to check and consolidate only the out-of-sync servers.
- Delete the server if Non-Sync - select this option to delete the servers that are found to have a certificate mismatch after the synchronization check.
- Enter an email address in the field 'Send Email Notification'. Once added with the configured recurrence time interval, the list of all the SSL certificates with their deployed servers will be sent, to the given email address, with the following details: days to expire, date of expiry, serial number, and fingerprint.
- Click Disable to stop the synchronization check.
4.6 ACME Providers
With the Automated Certificate Management Environment (ACME) of Key Manager Plus, the system's certificate management capabilities are significantly elevated. ACME streamlines the entire process of acquiring, renewing, and revoking SSL/TLS certificates. This automation of the certificate lifecycle management effectively reduces the administrative burden associated with manual certificate provisioning. Just as with its integration with renowned certificate authorities like Let's Encrypt, Buypass Go SSL, and ZeroSSL, which offer automated SSL/TLS certificate management, you have the flexibility to incorporate other ACME service providers into Key Manager Plus. This empowers you to efficiently manage certificates with automated precision. To do so,
- Navigate to Settings >> SSL Settings >> ACME Providers.
- On the page that opens, click Add ACME Provider.
- In the dialogue box that opens,
- Enter the ACME Provider Name.
- Enter a valid ACME Directory URL.
- Upload a logo as desired with the specified limit.
- Enable the Allow Internal Network/LAN Access if you are in the same provider URL network/LAN.
- Click Save to add the ACME provider to Key Manager Plus.
- Now, navigate to SSL >> ACME and select the added ACME provider.
- In the window that opens, follow the configuration process, such as account addition, challenge verification, and managing certificates similar to other third-party certificate authorities from here.
Note: Automatic renewals are applicable only for those certificates saved in the Key Manager Plus repository. If agent mapping has been configured, the certificate renewal process is done automatically without manual intervention. All the certificates in your organization procured from the ACME providers will be automatically renewed 15 days before their expiry, and a notification will be sent to the accounts holder's e-mail address.
4.7 Excluded Certificates
Key Manager Plus allows users to exclude specific SSL certificates from being imported into the certificate repository during discovery or manual addition.
To list a certificate that needs to be excluded:
- Navigate to Settings >> SSL >> Excluded Certificates.
- Click Add.
- Specify the common name, certificate serial number, reason, and click Save.
- The specified certificate is excluded from being imported into Key Manager Plus certificate repository during discovery / manual addition.
4.8 IIS Binding
Key Manager Plus allows users to deploy SSL certificates to the IIS server and also perform IIS binding. Click here for detailed steps on IIS binding. Once the server details are saved in the SSL tab, they will also be available in the Settings page. To deploy and bind certificates in bulk, follow the below steps:
- Navigate to Settings >> SSL >> IIS Binding.
- The details of servers to which you have deployed certificates will be listed here. Click the Edit icon beside a server and edit attributes such as Path, Site Name, Host Name, Port and Certificate. You cannot edit the Server Name. Select the Restartsite checkbox to restart the site automatically and click Save.
- Select multiple servers by clicking the checkboxes beside them and click Deploy And Bind from the top bar.
Now, the SSL certificates will be deployed to the associated server and IIS binding to the specified site will be complete.
Key Manager Plus allows the administrators to grant and revoke access to the operators to sign the CSRs' created by them.
- Navigate to Settings >> SSL >> Approval.
- In Signing Approval Settings, Enable/Disable certificate sign permission for the operator globally and click Save.
5. Policy Configuration
Key Manager Plus allows you to create a high level policy on SSH keys management. You can specify whether to retain or overwrite the existing keys. That means, when Key Manager Plus creates new keys if they are to be appended to the existing ones or they should be deleted. The second option helps you to remove all existing keys and have a fresh start. Your SSH environment will have only the keys that were generated by the Key Manager Plus. Key Manager Plus carries out these changes in the authorized_keys file directly.
From the Policy configuration tab in the GUI, you can set the option for adding keys to the authorized_keys file. You can choose from:
- Append – Allows you to retain existing keys as well the new ones deployed by Key Manager Plus.
- Overwrite – Removes all existing public key information from the authorized keys file and retains the public keys deployed from Key Manager Plus only. This is what we call as clean start.
To change the policy configuration:
- Navigate to the Settings >> SSH >> Policy Configuration tab in the GUI.
- Select to either Append or Overwrite the keys.
- Click Save.
You will get a confirmation that the policy configuration settings have been updated.
6. Notification Policy
You can set up to get notified via email, syslog messages or SNMP traps in case of any of the following cases:
- If SSL certificates are expiring within a specified number of days.
- If domain names are about to expire within a specified number of days.
- If Azure TLS secrets are expiring within a specified number of days.
- If SSH keys are not rotated for more than a specified number of days.
- For certificate management operations performed from within the application.
- If PGP keys are expiring within a specified number of days. Click here to learn more about PGP keys.
Note: Notifications regarding PGP key expiration will be sent via email only.
To set/modify expiry notification settings:
- Navigate to the Settings >> Notification >> Expiry tab in Key Manager Plus web interface.
- To enable SSL certificate expiry notifications, select the Notify about SSL certificates expiring within checkbox. Choose a value for days. You will get notified about only those certificates whose expiry dates fall within the period (number of days) you enter.
- Notification Email Frequency: Choose to receive notifications either Daily or Customize your notifications.
- If you choose to Customize, set the Interval (in days) to notify about the to-be-expired certificates.
- Select the Email certificates on every schedule if expiry is less than option if you want to receive notifications on all schedules irrespective of the above-set interval.
- Select Exclude expired certificates from email notifications to not get notified about expired certificates.
- Select Include multiple servers list for certificates to get the details about the list of servers where the certificates are placed/deployed.
- Select Send a separate email per certificate to customize each email. You can mention the Subject and/or select the attributes to add in the subject of the expiry notification.
- You can also choose to get notifications regarding domain name expiration, PGP key expiration, TLS secret expiration or SSH key rotation failure for the configured time period or both by selecting the respective check-boxes. Expiring SSL certificates, and the SSH keys that were not rotated within the specified days are notified during the mentioned Recurrence Time.
- You are also allowed to edit the Subject, Title and Signature of your email-notifications accordingly for different expiry notifications.
- You can choose to be notified in two ways:
- E-mail – Enter the from and to addresses. To enter mail server details, go to the Mail Server Settings tab.
- Syslog – Navigate to Settings >> General settings >>Syslog settingsto mention the IP address of the server and the port to which the syslog is to be delivered.(Refer to the format below)
- After filling in the details, click Save.
6.1 Syslog Format
<190> Key_Name:172.21.147.130_test123_id Days_Exceeded:0 Modified_On:2016-02-16 17:41:24.008
<190> Parent_Domain: manageengine.com Included_Domain: kmp.com Days_to_Expire: 100 Expire_Date: 5.08.2017
Note: The number of days specified in the SSH key rotation and SSL certificate expiry notification policy will be applied to the dashboard settings also.
To set/modify audit notification settings:
- Navigate to the Settings >> Notification >> Audit tab in Key Manager Plus web interface.
- You can customize the alert notifications to be received for different types of operations performed in Key Manager Plus.
- Choose the type of notification to be received by enabling the check-boxes beside each operation.
- For SNMP and Syslog notifications, make sure you have already configured the server details under Settings >> General Settings >> SNMP / SysLog settings.
- For email notifications, you can either choose to notify all the administrator users or just a specific set of email IDs by enabling the respective check boxes.
- Once you have specified the choices, click Save.