SSL and SSH Settings

Key Manager Plus offers a range of configurable settings tailored specifically for managing SSL and SSH operations. These settings enable users to customize and optimize their security workflows based on organizational requirements. The following key configurations are available within the SSL and SSH settings, and these settings allow organizations to maintain secure and efficient SSL and SSH certificate management, reducing operational risks and ensuring compliance with security best practices.

1. Certificate History
2. Vulnerability Scan
3. SSL Fingerprint
4. Certificate Renewal
5. Certificate Sync Status
6. ACME Providers
7. Excluded Certificates
8. IIS Binding
9. Operator Settings
10. Policy Configuration

1. Certificate History

Key Manager Plus allows you to group the certificates under a common name. To enable this, 

1. Navigate to Settings >> SSL >> Certificate History.
2. Choose Enable or Disable the Group Certificates by CommonName option. 
3. Enabling the option will group the certificates under one Common Name.
4. Disabling this option will create new certificates based on the unique Serial Numbers assigned to the certificates.
5. To view these certificates, navigate to SSL >> Certificates and enable Certificate History from column chooser.
6. Now, click the certificate history icon corresponding to the required certificate to view the certificates.

2. Vulnerability Scan

1. Key Manager Plus provides users with the option to enable or disable the SSL vulnerability tasks created in schedules. 
2. There is an option to enable or disable SSLv3 protocol in Key Manager Plus server.

3. SSL Fingerprint

By default, the SSL certificates in Key Manager Plus are configured with SHA1 fingerprint value. If you need your SSL certificates to be updated with SHA256 fingerprint value for increased security reasons, follow the below steps:

1. Navigate to 'Settings >> SSL >> SSL Fingerprint'.
2. Select the SHA256 fingerprint value and click Save.
3. Post this change, the SSL certificates generated or imported into Key Manager Plus will have SHA256 as the fingerprint value.
4. If you want to change your preexisting SSL certificates to SHA256 fingerprint value, enable the checkbox 'Change the Certificate fingerprint for all the existing certificates' before changing the fingerprint value.

4.  Certificate Renewal

Key Manager Plus provides an option to automatically renew SSL certificates issued by Microsoft Certificate Authority and certificates self-signed from within the Key Manager Plus UI. When enabled, the corresponding certificates are renewed according to the recurrence time specified, and updated in Key Manager Plus certificate repository. The certificates that are due to expire in the number of days mentioned in the Days to Expire field will also be auto-renewed. Select the checkbox to Exclude auto-renewal certificates from email notifications. This allows the certificates marked for auto-renewal to be excluded from the email notifications even if they fall under the expiry notification configuration. Select the Send expiry notification for the previous version after the successful renewal option to send expiry notification emails for the previous versions of the certificates after their renewal.

5. Certificates Sync Status

Key Manager Plus allows users to perform periodic and automatic checks on the synchronization status on the SSL certificates deployed to multiple servers. When enabled, Key Manager Plus gives you options to check for out-of-sync servers and delete the servers in which there is a certificate mismatch. Follow the below steps to enable certificate sync status check:

1. Navigate to 'Settings >> SSL >> Certificates Sync Status'.
2. Click Enable and enter a recurrence time interval in hours or minutes.
   1. Check only the Non-Sync servers - select this option to check and consolidate only the out-of-sync servers.
   2. Delete the server if Non-Sync - select this option to delete the servers that are found to have a certificate mismatch after the synchronization check.
3. Enter an email address in the field 'Send Email Notification'. Once added with the configured recurrence time interval, the list of all the SSL certificates with their deployed servers will be sent, to the given email address, with the following details: days to expire, date of expiry, serial number, and fingerprint.
4. Click Disable to stop the synchronization check.

6. ACME Providers

With the Automated Certificate Management Environment (ACME) of Key Manager Plus, the system's certificate management capabilities are significantly elevated. ACME streamlines the entire process of acquiring, renewing, and revoking SSL/TLS certificates. This automation of the certificate lifecycle management effectively reduces the administrative burden associated with manual certificate provisioning. Just as with its integration with renowned certificate authorities like Let's Encrypt, Buypass Go SSL, and ZeroSSL, which offer automated SSL/TLS certificate management, you have the flexibility to incorporate other ACME service providers into Key Manager Plus. This empowers you to efficiently manage certificates with automated precision. To do so,

1. Navigate to Settings >> SSL Settings >> ACME Providers. On the page that opens, you will find a list of default ACME providers.
2. On the page that opens, click Add ACME Provider.
   
3. In the dialogue box that opens,
   1. Enter the ACME Provider Name.
   2. Enter a valid ACME Directory URL.
      

      Note: If the directory URL is modified by the ACME provider, updating the modified URL here will retrieve all the URLs relevant to the ACME operations.

   3. Upload a logo as desired with the specified limit.
   4. Enable the Allow Internal Network/LAN Access if you are in the same provider URL network/LAN.
   5. Click Save to add the ACME provider to Key Manager Plus.
4. Now, select the added ACME provider.
5. In the window that opens, follow the configuration process, such as account addition, challenge verification, and managing certificates similar to other third-party certificate authorities from here.
   

   Note: Automatic renewals are applicable only for those certificates saved in the Key Manager Plus repository. If agent mapping has been configured, the certificate renewal process is done automatically without manual intervention. All the certificates in your organization procured from the ACME providers will be automatically renewed 15 days before their expiry, and a notification will be sent to the accounts holder's e-mail address.

7. Excluded Certificates 

Key Manager Plus allows users to exclude specific SSL certificates from being imported into the certificate repository during discovery or manual addition. 

To list a certificate that needs to be excluded:

1. Navigate to Settings >> SSL >> Excluded Certificates.
2. Click Add to add a certificate to the excluded list.
3. Specify the Common Name, Certificate Serial Number, Reason, and click Save.
4. The specified certificate is excluded from being imported into Key Manager Plus certificate repository during discovery / manual addition.

8. IIS Binding

Key Manager Plus allows users to deploy SSL certificates to the IIS server and also perform IIS binding. Click here for detailed steps on IIS binding. Once the server details are saved in the SSL tab, they will also be available in the Settings page. To deploy and bind certificates in bulk, follow the below steps:

1. Navigate to Settings >> SSL >> IIS Binding.
2. The details of servers to which you have deployed certificates will be listed here. Click the Edit icon beside a server and edit attributes such as Path, Site Name, Host Name, Port and Certificate. You cannot edit the Server Name. Select the Restartsite checkbox to restart the site automatically and click Save.
3. Select multiple servers by clicking the checkboxes beside them and click Deploy And Bind from the top bar.

Now, the SSL certificates will be deployed to the associated server and IIS binding to the specified site will be complete.

9. Operator Settings

Key Manager Plus grants administrators the permission to Allow or Deny access to the operators for signing CSRs' created by them and/or mandate templates for CSR creation.

1. Navigate to Settings >> SSL >> Operator Settings.
2. In the Operator Settings pop-up that appears,
   
   1. Select the Certificate signing permission option to Allow to enable users with the Operator role to sign the CSRs' created by them.
   2. Allow the Mandate templates for CSR creation setting to provide operators the permission to create CSR only using templates shared by the administrators. However, with this option enabled, operators cannot edit the values of the shared CSR templates.
      

      Note: By default, the Mandate templates for CSR creation option in Operator Settings is set to Deny, allowing operators to create CSRs independently or using the available templates with the editable fields as needed.