SSL Certificate Deployment

In general, SSL certificates procured from Certificate Authorities (CAs) are stored in a repository and then manually deployed on appropriate target systems. Key Manager Plus deploys the certificates from the repository on the correct target systems automatically. You can use Key Manager Plus to deploy the certificates on the various systems individually, or in bulk, based on your requirements. Also, you can use the Key Manager Plus agent to deploy certificates on servers that reside in demilitarized zones outside of the domain where the Key Manager Plus server is present.

Steps to Deploy Certificates on Different Target Systems

Follow the below steps to deploy an SSL certificate on various target systems:

Navigate to SSL >> Certificates.
Select the checkbox beside the certificate to be deployed.
Click Deploy.
In the drop-down, choose the required server type:

Notes:

For deploying certificates on Windows systems, MS Certificate Store and Internet Information Services (IIS), use your domain administrator account as the service login account of Key Manager Plus.
If you are using a domain service account to run Key Manager Plus, ensure you already have it configured in your local admin group.

1. Windows Server

To deploy certificates on a Windows server, choose the server type as Windows.
Select the Deployment Type as Single, Multiple (servers) or Agent as per your need.

i. For single server deployment, provide the required details: Server Name, User Name, Password, Path. You can optionally enable Certificate to choose the File Type and mention the Certificate File Name or/and enable JKS/PKCS to choose the Keystore Type and mention the Store File Name.

ii. If you select the checkbox Use Key Manager Plus service account credentials for authentication, you need not provide the username and password separately, as the service account credentials used for Key Manager Plus will be used here too.

windows-deployment-a

windows-deployment

iii. For multi server deployment, upload a .csv file with any one set of the following details: Server Name, User Name, Password, Path, Certificate File Name (optional), Keystore File Name (optional). You can optionally enable Certificate to choose the File Type or/and enable JKS/PKCS to choose the Keystore Type.

[OR]

Follow this format to use the Key Manager Plus service account credentials instead: Server name, SERVICE_AUTH, Path, Certificate File Name (optional), Keystore File Name (optional).

3. If you choose the Deployment Type as Agent, choose the host name of the KMP agent from the Select Agent drop-down, enter the destination file path in the agent machine. If a destination path is not mentioned, the agent installation path will be taken as default. You can optionally enable Certificate to choose the File Type and mention the Certificate File Name or/and enable JKS/PKCS to choose the Keystore Type and mention the Store File Name.

4. Click Save to save the agent details.

After providing the details, click Deploy. The certificate is deployed on the specified server/agent in the specified path.

Note: For file-based deployment, if the Certificate and Keystore file names are not provided, or if multiple certificates are selected for deployment, the Common Name will be used as the file name.

2. Microsoft Certificate Store

1. To deploy certificates on the MS Certificate store, choose the server type as Microsoft Certificate Store.

2. Select the Deployment Type as Single, Multiple (servers), or Agent as per your need.

i. For single server deployment, provide the required details: Server Name, User Name, Password, Path.

ii. If you select the checkbox Use Key Manager Plus service account credentials for authentication, you need not provide the username and password separately, as the service account credentials used for Key Manager Plus will be used here too.

iii. For multi server deployment, upload a .csv file with any one set of the following details: Server Name, User Name, Password, Path.

[OR]

Follow this format to use the Key Manager Plus service account credentials instead: Server Name, SERVICE_AUTH, Path.

iv. If you choose the Deployment Type as Agent, choose the host name of the KMP agent from the Select Agent drop-down.

v. Select Computer and/or User account to deploy the certificate to the selected account.

Note: For Agent deployment, the latest version of Key Manager Pus agent(6160) should run in the user account to which the certificates are to be deployed.

vi. Now, select Enable PrivateKey Export from MS Store after deployment to export private key from the certificate store.

3. Click Save to save the agent details. After providing the details, click Deploy.

The selected certificates are deployed in Personal Certificates.

3. Internet Information Services (IIS)

Follow the below steps to deploy a certificate on the IIS server. However, this procedure will only deploy the certificate to the server; IIS binding must be done separately.

To deploy certificates on a Microsoft IIS server, select a certificate with a Keystore file and click Deploy >> Internet Information Services (IIS).
Select the Deployment type as Single, Multiple servers, or Agent as per your need.

i. For single server deployment, provide the required details: Server Name, User Name, Password, Path.

ii. If you select the checkbox Use Key Manager Plus service account credentials for authentication, you need not provide the username and password separately, as the service account credentials used for Key Manager Plus will be used here too.

iii. For multi server deployment, upload a .csv file with any one set of the following details: Server Name, User Name, Password, Path.

[OR]

Follow this format to use the Key Manager Plus service account credentials instead: Server Name, SERVICE_AUTH, Path.

3. Specify the name of the IIS server to which the certificate needs to be deployed, provide the user account credentials, and specify a path in the server where the certificate must be placed.

4. Click Deploy. Now, the selected certificate will be deployed to the specified IIS server.

4. IIS Binding

Follow the below steps to deploy a certificate to the IIS server and bind the certificate to a site running in that server.

Note: IIS Binding for the Deployment Type Single will work only if the IIS server and Key Manager Plus are in the same domain, which has ASP.Net of .Net Framework version 4 or above enabled. However, if an IIS Server resides in a demilitarized zone, choose the Deployment Type as Agent and proceed with the steps for the same given below.

asp-net

To deploy certificates on a Microsoft IIS server and perform IIS binding, choose the server type as IIS Binding.
If you choose the deployment type as Single, enter the required details: Server Name, User Name, Password.

iis-binding-1

Specify the name of a valid IIS server to which the certificate needs to be deployed, and provide the user account credentials.
Specify a path in the server where the certificate must be placed.
If you select the checkbox Use Key Manager Plus service account credentials for authentication, you need not provide the username and password separately, as the service account credentials used for Key Manager Plus will be used here too.

iis-binding-1a

If you choose the Deployment Type as Multiple (Server), click Browse to upload a file and click Update Binding.
1. You can login using three different ways: with Credentials, using Service Authentication, or using Agent. Upload the file with the content in the following format:
  1. For Single certificate selection,
    <servername>, <CREDENTIALS>, <site name>, <binding information>, <server credentials>, <temp path>
    (and/or)
    <servername>, <SERVICE_AUTH>, <site name>, <binding information>, <temp path>
    (and/or)
    <servername>, <AGENT>, <site name>, <binding information>
  2. For Multiple certificate selection, include <domain name> in the above format
    Example: testServer,CREDENTIALS,test.com,Default Web Site,*:443:myhost,testUSer,testPwd,C:\
  3. For Multiple certificates with same common name, include <domain name> along with the <serial number> in the above format.
    Example: testServer,SERVICE_AUTH,test.com,se123245d,Default Web Site,*:443:myhost,C:\
If the IIS Server resides in a demilitarized zone, choose the Deployment Type as Agent. Select an agent from the drop-down. Click Get Sites And Bindings to list all sites and their respective bindings available in the selected server. Enter the name of a site in the Site Name field, click Get Bindings to list all the bindings available for that site.
Here, to add new bindings, click Add New Bindings and enter attributes such as Host Name, Port, IP Address, and select a certificate. Select the checkbox to Require Server Name Indication while configuring and updating IIS Binding. The newly added bindings will be visible under Settings >> SSL >> IIS Binding. The new site bindings added in Key Manager Plus will not reflect in the IIS server until they are deployed to the server using the Deploy and Bind option.
To populate the list of sites associated with the IIS server, click Get Site Names and choose a site from the drop-down. To enter a site name manually in the SiteName field, click Hide List, type in the site name and click the Get Bindings option.
Enter the Host Name, IP Address and Port of the site manually.
Select the Restart Site option to restart the site automatically.
Click Add Binding/Update Binding to deploy the certificate at the path specified in your IIS server and complete IIS site binding.
To update multiple bindings, select the required bindings from the list, click Save. Go to Settings >> SSL >> IIS Binding, select the bindings and click Deploy and Bind.

To save the specified details and deploy the certificate later, click Save. The server details and the respective site details will be available under Settings >> SSL >> IIS Binding.

iis-binding-2

To edit the binding details, click the Edit icon beside a server. In the window that opens, modify any of the given details and click Save. Now, select the server name and click Deploy And Bind from the top bar. The selected certificate will be deployed on the servers and the IIS binding will be updated in the IIS server.

Details of sites and IIS bindings displayed in the IIS Binding table above are local to Key Manager Plus. To update the binding entries here with the entries from IIS server, select the required entries and click Update Binding.

Deleting entries from the above table will not remove any data from the IIS server.

5. Linux Server

To deploy certificates on a Linux server, choose the server type as Linux.
Select the Deployment type as Single or Multiple servers as per your need.

i. For single server deployment, provide the required details: Server Name, Port (port 22 is assigned by default), User Name, Password, Path. You can optionally enable Certificate to choose the File Type and mention the Certificate File Name or/and enable JKS/PKCS to choose the Keystore Type and mention the Store File Name.

linux-deployment

ii. For multi server deployment, upload a .csv file with any one set of the following details: Server Name, Port, User Name, Password, Path, Certificate File Name (optional), Keystore File Name(optional). You can optionally enable Certificate to choose the File Type or/and enable JKS/PKCS to choose the Keystore Type.

You can also opt for a key-based authentication for password-less servers by choosing the Import Key credential type. Upload the private key associated with the required user account in the target system and provide the key passphrase.
After providing the details, click Deploy. The certificate is deployed on the specified server in the specified path.

Notes:

Key-based authentication option is available for single server deployment type only.
The private key uploaded during key-based authentication is for one-time use only and is not stored anywhere in the Key Manager Plus database. If you wish to add it to the Key Manager Plus repository, you can manually do so by using the Import option from the SSH tab.

6. Browser

To deploy certificates on a browser, choose the deploy type as Browser.
Select the Server Type as Windows, Linux or Mac OS as per your need.
If the server type is Windows,
1. Mention the Server Name, User Name, Password and Path.
2. If you select the checkbox Use Key Manager Plus service account credentials for authentication, you need not provide the User Name and Password separately, as the service account credentials used for Key Manager Plus will be used here too.
If the server type is Linux,
1. Enter the Server Name, Port, User Name, Password and Path.
2. Select the required Browser(s) (Firefox or/and Chrome) where the certificate is to be deployed.
3. If you select Firefox, mention the Profile name. Click Get Profiles to choose from available profiles.
  
  Note: Get Profiles option gets all profiles path from profiles.ini file from the following location:
  Windows: APPDATA\Mozilla\Firefox\profiles.ini
  Linux: $HOME/.mozilla/firefox/profiles.ini
  Mac: $HOME/Library/Application Support/Firefox/profiles.ini
4. Mention the NSS Tools Path.
  
  Notes:
  • In Linux, Chrome and Firefox use NSS shared DB to manage the certificates. This NSS tool can be installed using the following command: sudo apt-get install libnss3-tools
  • For Chrome, the certificate is deployed in NSS DB in the following path: $HOME/.pki/nssdb.
  • For Firefox, Profiles folder contains the NSS DB to manage certificates.
5. You can also opt for a key-based authentication for password-less servers by choosing the Import Key credential type. Upload the private key associated with the required user account in the target system and provide the key passphrase.
If the server type is Mac OS,

Enter the Server Name, Port, User Name, Password and Path.
Select the required Browser(s) (Firefox or/and Safari/Chrome) where the certificate is to be deployed.
If you select Firefox, mention the Profile name and NSS Tools Path. Click Get Profiles to choose from available profiles.
If you select Safari/Chrome you can choose to Use the login password for Keychain login or mention the Login Keychain Password.

Note: For Safari and Chrome, Mac OS uses System Keychain to manage certificates. For Firefox, NSS DB from profiles manages the certificates. To install NSS utils, use the following command: brew install nss.

Click Deploy.

Now, you have successfully deployed the certificate to the selected browsers.

7. ManageEngine MDM

To learn about deploying certificates to ManageEngine MDM, click here.

8. AWS-ACM

To learn about deploying certificates to AWS-ACM, click here.

9. Load Balancer

Select a certificate and click Deploy >> Load Balancer from the dropdown.
In the pop-up that appears, select the Citrix ADC as the Load Balancer Type.
Select the required Citrix Credential List from the dropdown.
Click Manage Credentials to add or delete a credential.
1. In the pop-up that appears, click to Add and mention the Credential Name, Server Name, Citrix Username and Citrix Password.
2. Click Test Login to test the credential and click Save Credentials.
3. To Delete a credential, select a credential you want to delete and click Delete and in the pop-up that appears click Ok.
Enter the Citrix Password and a Passphrase. You can also use the Generate Password icon to generate a secure passphrase.
During Citrix load balancer discovery using REST API, you can choose to bypass your proxy server settings by selecting the Bypass Proxy Settings checkbox. This option is allows you to bypass the proxy server you have enabled under Admin Settings directly perform Citrix load balancer discovery through the internet.
Select Service Deploy. In the pop-up that appears, select the services to deploy the load balancer and click Select Services.
Select Virtual Server Deploy. In the pop-up that appears, select the virtual servers to deploy the load balancer and click Select Virtual Servers.
Click Deploy.

Now, you have successfully deployed the certificate to the selected LoadBalancer.

10. FortiGate Firewall

Select a certificate and click Load Balancer from the Deploy drop-down.
In the pop-up that appears, select the FortiGate Firewall under the Load Balancer Type.
Select the required FortiGate Credential from the FortiGate Credentials List drop-down.
Click Manage Credentials to add or delete a credential. In the pop-up that appears:
1. To add a credential, click Add and enter the Credential Name, Server IP, and API Key.
2. Click Save Credentials to add a new FortiGate Firewall credential.
3. To delete a credential, select a credential that you want to delete and click Delete.
4. In the pop-up that appears, click Ok to delete the selected credential.
If the certificate has a keystore file, select the Upload Type as Regular. Else, select the Upload Type as Remote.
In addition, you can bypass your proxy server settings by enabling the Bypass Proxy Settings checkbox. This option allows you to bypass the proxy server that you have enabled under Admin Settings directly, to deploy the certificate to the FortiGate Firewall through the internet.
Click Deploy to deploy the selected certificate to the FortiGate Firewall.