In general, SSL certificates procured from Certificate Authorities (CAs) are stored in a repository and then manually deployed on appropriate target systems. Key Manager Plus deploys the certificates from the repository on the correct target systems automatically. You can use Key Manager Plus to deploy the certificates on the various systems individually, or in bulk, based on your requirements. Also, you can use the Key Manager Plus agent to deploy certificates on servers that reside in demilitarized zones outside of the domain where the Key Manager Plus server is present.
Follow the steps below to deploy an SSL certificate on various target systems:
i. For single server deployment, provide the required details: Server Name, User Name, Password, Path. You can optionally enable Certificate to choose the File Type and specify the Certificate File Name, and/or enable JKS/PKCS to choose the Keystore Type and specify the Store File Name.
ii. If you select the checkbox Use Key Manager Plus service account credentials for authentication, you need not provide the username and password separately, as the service account credentials used for Key Manager Plus will be used here too.
iii. For multi server deployment, upload a .csv file with any one set of the following details: Server Name, User Name, Password, Path, Certificate File Name (optional), Keystore File Name (optional). You can optionally enable Certificate to choose the File Type and/or enable JKS/PKCS to choose the Keystore Type.
[OR]
Follow this format to use the Key Manager Plus service account credentials instead: Server Name, SERVICE_AUTH, Path, Certificate File Name (optional), Keystore File Name (optional).
3. If you choose the Deployment Type as Agent, choose the host name of the KMP agent from the Select Agent drop-down and enter the destination file path on the agent machine. If a destination path is not specified, the agent installation path is used by default. You can optionally enable Certificate to choose the File Type and specify the Certificate File Name, and/or enable JKS/PKCS to choose the Keystore Type and specify the Store File Name.
4. Click Save to save the agent details.
After providing the details, click Deploy. The certificate is deployed on the specified server/agent in the specified path.
Note: For file-based deployment, if the Certificate and Keystore file names are not provided, or if multiple certificates are selected for deployment, the Common Name will be used as the file name.
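A pre-upload check for the multi-server .csv described above, added here as an example and not part of Key Manager Plus. It assumes a comma-separated file with no header row and the column order listed on this page; how the product itself parses the file is not shown here, and the host names, account and paths in the sample are constructed.

```python
import csv
import io

# Column order as listed on this page for file-based multi-server deployment.
CRED_COLS = ["server", "user", "password", "path", "cert_file", "keystore_file"]
SVC_COLS = ["server", "auth", "path", "cert_file", "keystore_file"]

def check_deploy_csv(text):
    """Return (rows, problems) for the text of a deployment CSV."""
    rows, problems = [], []
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    for line_no, record in enumerate(reader, start=1):
        fields = [f.strip() for f in record]
        if not any(fields):
            continue  # blank line
        # A literal SERVICE_AUTH in column 2 selects the service-account layout.
        service = len(fields) > 1 and fields[1] == "SERVICE_AUTH"
        cols, required = (SVC_COLS, 3) if service else (CRED_COLS, 4)
        if len(fields) > len(cols):
            problems.append(
                f"line {line_no}: {len(fields)} fields, at most {len(cols)} expected")
            continue
        row = dict(zip(cols, fields))
        missing = [c for c in cols[:required] if not row.get(c)]
        if missing:
            problems.append(f"line {line_no}: missing {', '.join(missing)}")
            continue
        row["uses_service_account"] = service
        rows.append(row)
    return rows, problems

# Constructed sample input (assumption: no header row); all values are placeholders.
SAMPLE = """\
web01.example.test, deployer, EXAMPLE-ONLY, C:\\certs, site.cer, site.jks
web02.example.test, SERVICE_AUTH, C:\\certs
web03.example.test, deployer, EXAMPLE-ONLY
web04.example.test, SERVICE_AUTH, C:\\certs, a.cer, a.pfx, extra
"""

if __name__ == "__main__":
    rows, problems = check_deploy_csv(SAMPLE)
    inline = sum(not r["uses_service_account"] for r in rows)
    print(f"{len(rows)} valid rows, {inline} with an inline password")
    for problem in problems:
        print(problem)
```

The count of rows carrying an inline password shows how much of the file holds credentials in clear text before it is uploaded.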
1. To deploy certificates on the MS Certificate store, choose the server type as Microsoft Certificate Store.
2. Select the Deployment Type as Single, Multiple (servers), or Agent as per your need.
i. For single server deployment, provide the required details: Server Name, User Name, Password, Path.
ii. If you select the checkbox Use Key Manager Plus service account credentials for authentication, you need not provide the username and password separately, as the service account credentials used for Key Manager Plus will be used here too.
iii. For multi server deployment, upload a .csv file with any one set of the following details: Server Name, User Name, Password, Path.
[OR]
Follow this format to use the Key Manager Plus service account credentials instead: Server Name, SERVICE_AUTH, Path.
iv. If you choose the Deployment Type as Agent, choose the host name of the KMP agent from the Select Agent drop-down.
v. Select Computer and/or User account to deploy the certificate to the selected account.
Note: For Agent deployment, the latest version of the Key Manager Plus agent (6160) should run in the user account to which the certificates are to be deployed.
vi. Now, select Enable PrivateKey Export from MS Store after deployment to export the private key from the certificate store.
3. Click Save to save the agent details. After providing the details, click Deploy.
The selected certificates are deployed in Personal Certificates.
Follow the steps below to deploy a certificate on the IIS server. This procedure only deploys the certificate to the server; IIS binding must be done separately.
i. For single server deployment, provide the required details: Server Name, User Name, Password, Path.
ii. If you select the checkbox Use Key Manager Plus service account credentials for authentication, you need not provide the username and password separately, as the service account credentials used for Key Manager Plus will be used here too.
iii. For multi server deployment, upload a .csv file with any one set of the following details: Server Name, User Name, Password, Path.
[OR]
Follow this format to use the Key Manager Plus service account credentials instead: Server Name, SERVICE_AUTH, Path.
3. Specify the name of the IIS server to which the certificate needs to be deployed, provide the user account credentials, and specify a path in the server where the certificate must be placed.
4. Click Deploy. Now, the selected certificate will be deployed to the specified IIS server.
Follow the steps below to deploy a certificate to the IIS server and bind the certificate to a site running on that server.
Note: IIS Binding for the Deployment Type Single will work only if the IIS server and Key Manager Plus are in the same domain, which has .NET Framework version 4 or above enabled. However, if an IIS server resides in a demilitarized zone, choose the Deployment Type as Agent and proceed with the steps for the same given below.
To save the specified details and deploy the certificate later, click Save. The server details and the respective site details will be available under Settings >> SSL >> IIS Binding.
To edit the binding details, click the Edit icon beside a server. In the window that opens, modify any of the given details and click Save. Now, select the server name and click Deploy And Bind from the top bar. The selected certificate will be deployed on the servers and the IIS binding will be updated in the IIS server.
Details of sites and IIS bindings displayed in the IIS Binding table above are local to Key Manager Plus. To update the binding entries here with the entries from IIS server, select the required entries and click Update Binding.
Deleting entries from the above table will not remove any data from the IIS server.
i. For single server deployment, provide the required details: Server Name, Port (port 22 is assigned by default), User Name, Password, Path. You can optionally enable Certificate to choose the File Type and specify the Certificate File Name, and/or enable JKS/PKCS to choose the Keystore Type and specify the Store File Name.
ii. For multi server deployment, upload a .csv file with any one set of the following details: Server Name, Port, User Name, Password, Path, Certificate File Name (optional), Keystore File Name (optional). You can optionally enable Certificate to choose the File Type and/or enable JKS/PKCS to choose the Keystore Type.
Notes:
Note: The Get Profiles option reads all profile paths from the profiles.ini file at the following location:
Windows: %APPDATA%\Mozilla\Firefox\profiles.ini
Linux: $HOME/.mozilla/firefox/profiles.ini
Mac: $HOME/Library/Application Support/Firefox/profiles.ini
Notes:
• In Linux, Chrome and Firefox use the NSS shared DB to manage certificates. The NSS tools can be installed using the following command: sudo apt-get install libnss3-tools
• For Chrome, the certificate is deployed in the NSS DB at the following path: $HOME/.pki/nssdb.
• For Firefox, the Profiles folder contains the NSS DB used to manage certificates.
Note: For Safari and Chrome, macOS uses the System Keychain to manage certificates. For Firefox, the NSS DB in each profile manages the certificates. To install the NSS utilities, use the following command: brew install nss.
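To check which Firefox profiles a deployment will touch, the sketch below reads profiles.ini the way the Get Profiles note describes and reports whether each profile folder holds an NSS certificate database. It is an added example, not Key Manager Plus code; the cert9.db/cert8.db file names are Firefox's own NSS DB names, and the sample profiles.ini and folders are constructed.

```python
import configparser
import tempfile
from pathlib import Path

def firefox_profile_dirs(ini_path):
    """Return (name, directory) for each [ProfileN] section of profiles.ini."""
    ini_path = Path(ini_path)
    cp = configparser.ConfigParser(interpolation=None)
    cp.read(ini_path, encoding="utf-8")
    found = []
    for section in cp.sections():
        path = cp.get(section, "Path", fallback=None)
        if not section.startswith("Profile") or path is None:
            continue  # skips [General] and [Install...] sections
        directory = Path(path)
        # IsRelative=1 means Path is relative to the folder holding profiles.ini
        if cp.get(section, "IsRelative", fallback="1") == "1":
            directory = ini_path.parent / directory
        found.append((cp.get(section, "Name", fallback=section), directory))
    return found

def nss_db_status(ini_path):
    """Map profile name -> NSS certificate DB file present in it, or None."""
    status = {}
    for name, directory in firefox_profile_dirs(ini_path):
        status[name] = next((f for f in ("cert9.db", "cert8.db")
                             if (directory / f).is_file()), None)
    return status

def build_sample(root):
    """Write a constructed profiles.ini plus two profile folders under root."""
    root = Path(root)
    rel = root / "Profiles" / "abcd1234.default-release"
    rel.mkdir(parents=True)
    (rel / "cert9.db").write_bytes(b"")  # empty placeholder, not a real NSS DB
    absdir = root / "elsewhere" / "legacy"
    absdir.mkdir(parents=True)
    ini = root / "profiles.ini"
    ini.write_text(
        "[General]\nStartWithLastProfile=1\n\n"
        "[Profile0]\nName=default-release\nIsRelative=1\n"
        "Path=Profiles/abcd1234.default-release\nDefault=1\n\n"
        f"[Profile1]\nName=legacy\nIsRelative=0\nPath={absdir}\n",
        encoding="utf-8")
    return ini

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, db in nss_db_status(build_sample(tmp)).items():
            print(f"{name}: {db or 'no NSS certificate DB found'}")
```

On a real host, pass the profiles.ini path for the platform listed above instead of the constructed sample.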