Integration with Entrust Certificate Authority

Key Manager Plus integrates with Entrust Certificate Authority, a prominent provider of SSL/TLS certificates and digital identity solutions. The integration uses the Entrust API, allowing users to request, acquire, import, renew, and reissue certificates directly from the Key Manager Plus web interface. The range of operations supported through this integration streamlines the lifecycle management of certificates in your environment.

Prerequisite:

Add the following base URL and port as an exception in your firewall or proxy to ensure Key Manager Plus is able to connect to Entrust's CA Services.
URL: https://api.entrust.net/enterprise/v2/
Port: 443
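
The reachability check below is an added example, not part of the Key Manager Plus or Entrust documentation. Run from the Key Manager Plus host, it separates a blocked port from a TLS-inspecting proxy. It assumes a direct or transparent path to the endpoint (an explicit HTTP proxy is not handled), and `check_endpoint` and its result keys are names chosen for this example.

```python
import socket
import ssl
from urllib.parse import urlsplit

# Base URL from the prerequisite above; the port defaults to 443 for https.
BASE_URL = "https://api.entrust.net/enterprise/v2/"


def check_endpoint(url=BASE_URL, timeout=5.0):
    """Report how far a connection to `url` gets: TCP, then verified TLS.

    check_endpoint and the result keys are names chosen for this example.
    """
    parts = urlsplit(url)
    host, port = parts.hostname, parts.port or 443
    result = {"host": host, "port": port, "stage": "tcp", "ok": False, "detail": ""}

    # Stage 1: plain TCP. A failure here points at a firewall rule or DNS.
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        result["detail"] = f"TCP connect failed: {exc}"
        return result

    # Stage 2: TLS with normal chain and host-name verification.
    result["stage"] = "tls"
    ctx = ssl.create_default_context()
    try:
        with sock, ctx.wrap_socket(sock, server_hostname=host) as tls:
            issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
            result.update(ok=True, stage="done", detail=tls.version(),
                          issuer=issuer.get("organizationName", ""))
    except ssl.SSLCertVerificationError as exc:
        # Typical when a TLS-inspecting proxy re-signs traffic with a CA
        # that this host does not trust.
        result["detail"] = f"certificate not trusted: {exc.verify_message}"
    except OSError as exc:  # ssl.SSLError and timeouts are OSError subclasses
        result["detail"] = f"TLS handshake failed: {exc}"
    return result


if __name__ == "__main__":
    print(check_endpoint())
```

If `ok` is true but `issuer` names your own organization's inspection CA rather than a public CA, the proxy is still intercepting the session and the exception has not taken effect.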

This document guides you through the steps to effectively handle the lifecycle of SSL/TLS certificates issued by Entrust CA, encompassing tasks such as importing existing orders, creating new certificate requests, and managing the certificates.

Refer to the sections that follow to learn more about Entrust integration and certificate management with Key Manager Plus:

  1. Entrust Certificate Authority Details in Key Manager Plus
  2. Import Existing Entrust Orders
  3. Create a New Certificate Order
  4. Update Certificate Status
  5. Check Order Status
  6. Reissue, Renew, Revoke, and Delete Certificates

1. Entrust Certificate Authority Details in Key Manager Plus

To begin managing SSL certificates issued by Entrust from Key Manager Plus, you must add your Entrust account in Key Manager Plus via your unique API Key. If you do not have an Entrust account, contact the Entrust team to sign up and get your login credentials. Once you have your allocated Entrust account, follow the steps below to generate an API key to begin the integration process.

  1. Log in to your Entrust account.
  2. Navigate to Administration >> Advanced Settings >> API and click Generate credentials.
  3. In the dialogue box that opens, enter the API Key details and click Generate.
  4. Upon generation, you will get a username and an API Key to use the Entrust platform via REST API.

    Note: Refer to this Entrust documentation for more information.

Now, log into the Key Manager Plus web interface, and add your Entrust credential with the unique username and API key by performing the below steps:

  1. Navigate to SSL >> Entrust and click Manage.
  2. In the new page that appears, click Add to add an Entrust credential.
  3. In the dialogue box that opens, enter the Credential Name, User Name, and API Key and click Save. This is a one-time operation. You can also click Test Login to check the communication between Entrust and the Key Manager Plus interface.

Once your Entrust account details are linked to Key Manager Plus, the system retrieves vital information such as domains, organizations, and products (certificate profiles) and organizes them under the individual tabs with corresponding details. These details are crucial as Entrust issues certificates based on them. For further manual synchronization, use the Sync option under each tab for Organizations, Domains, and Products. Alternatively, you can also sync Organizations, Domains, or Products for a particular credential directly from the Credentials tab.

2. Import Existing Entrust Orders

If you have an active Entrust account, it is likely that you currently have ongoing certificate orders. Key Manager Plus offers the convenience of not only initiating new certificate orders but also importing and effectively managing all existing orders from the Entrust portal through its user-friendly interface. To import the existing certificate orders:

  1. Navigate to the SSL >> Entrust tab in Key Manager Plus.
  2. Click More >> Import Existing Orders from the top menu.
  3. Select the API Credential, enable the necessary exclusions, and click Import.

This process ensures that all the prevailing certificate orders linked to your Entrust account are seamlessly imported into Key Manager Plus for streamlined management.

3. Create a New Certificate Order

Once you have successfully linked your Entrust account with Key Manager Plus, you can start creating new certificate orders directly from the Key Manager Plus interface.

To place a new certificate order in Entrust from Key Manager Plus:

  1. Navigate to the SSL >> Entrust tab and click Order Certificate.
  2. In the window that opens, select the Credential Name, Organization, Product, Domain, and Extended Key Usage attributes accordingly.
  3. Select the CSR from Key Manager Plus and provide the corresponding Private Key and Private Key Password as desired. You also have the option to either paste the CSR content directly or choose the CSR created via Key Manager Plus, eliminating the need to select it from your local files.
  4. Select the required Signature Algorithm and Expiration Date.
  5. Enter the Certificate Friendly Name, Requester Name, Email, and Phone accordingly as required.
  6. Complete any additional fields mandated by your Entrust administrator to proceed with creating the certificate order.
  7. Enable the following checkboxes as required:
    1. I agree to queue the request for Entrust Administrator approval - The certificate order request will be queued for approval by an Entrust administrator.
    2. I agree to send the certificate content for CT Logs - The contents of the certificate, including host names, will be publicly visible.
  8. Verify your details and click Order Certificate.

Note: If you find any mismatch in the Entrust-related details (Organization/Product/Domain) displayed here, please verify the details in the Entrust portal and then perform a manual sync under Entrust >> Manage in the Key Manager Plus interface to refresh the details. For assistance with any other discrepancies related to the Entrust account, please contact the Entrust customer support team.

4. Update Certificate Status

Use the Update Certificate Status option to validate certificates based on your specific needs. Approve, Decline, Suspend, or Resume certificate orders as necessary. Administrative privileges from an Entrust credential are required within Key Manager Plus to execute these actions. If no credential with administrative privileges is present in Key Manager Plus, a user with administrative privileges in Entrust can instead perform these actions directly through the Entrust portal.

5. Check Order Status

Once a certificate order is successfully created, you can view it under the SSL >> Entrust tab, with its status displayed to the right. To track the certificate availability for an order, select the order and click Check Order Status from the top pane. Once a certificate is issued, it is fetched and added to the Key Manager Plus certificate repository. You will be able to view it under SSL >> Certificates.

Note: Beware that the certificates issued are automatically added to Key Manager Plus only if you have the required license count. If not, you must renew your Key Manager Plus license before attempting to import any certificates. However, it does not delete the certificate request from Entrust - the certificate can still be viewed and managed from the Entrust portal.

6. Renew, Reissue, Revoke, and Delete Certificates

If the private key associated with a certificate is compromised or lost, it is essential to reissue, renew, revoke, or delete the certificate accordingly to maintain security best practices. You can do this directly from Key Manager Plus using this Entrust integration if you have a valid privileged Entrust credential.

6.1 Reissue Certificate

Reissuing a certificate in Key Manager Plus generates a new certificate with the same information, such as organization name, domain name, expiry date, etc., but with a new key pair, thus preventing unauthorized access and misuse of the compromised key. To reissue a certificate:

  1. Navigate to SSL >> Entrust.
  2. Select the required certificate and click Reissue Certificate from the top menu.
  3. On the page that opens, fill in the necessary information and click Reissue Certificate.
  4. Upon successful validation, the certificate will be issued and automatically included in the Key Manager Plus certificate repository.

Ensure that the reissued certificate is deployed in the exact location where the previous certificate was in use. This step is crucial for maintaining a secure and consistent connection. Follow the instructions carefully to ensure proper deployment.

6.2 Renew Certificate

To renew a certificate manually from Key Manager Plus, perform the following action:

  1. Navigate to SSL >> Entrust.
  2. Select the required certificate and click Renew Certificate from the top menu.
  3. On the page that opens, fill in the necessary information and click Renew Certificate.
  4. Upon successful validation, the certificate will be renewed and automatically included in the Key Manager Plus certificate repository.

Ensure that the renewed certificate is deployed in the exact location where the previous certificate was in use. This step is crucial for maintaining a secure and consistent connection. Follow the instructions carefully to ensure proper deployment.

6.3 Revoke Certificate

To revoke a certificate from Key Manager Plus, perform the following action:

  1. Navigate to SSL >> Entrust.
  2. Select the required certificate and click More >> Revoke Certificate from the top menu.
  3. Upon successful action, the certificate will be revoked. Go to the SSL >> Certificates tab and delete the certificate to remove it from the Key Manager Plus repository.

6.4 Delete Certificate Order

To delete the certificate order from Key Manager Plus, perform the following action:

  1. Navigate to SSL >> Entrust.
  2. Select the required certificate orders and click More >> Delete from the top menu.
  3. Upon execution, the certificate orders will be deleted from Key Manager Plus and the related certificate will remain intact in the SSL tab.

Note: The Delete option only removes the certificate order from the Key Manager Plus interface, after which you can no longer manage it from Key Manager Plus. It does not delete the certificate order from Entrust; the certificate can still be viewed and managed from the Entrust portal.