Top

End-to-end certificate life-cycle management

Maintaining a threat-free network requires much more than just securing your domains with SSL certificates. For organizations that deal with a large SSL environment, the process of purchasing, deploying and renewing SSL certificates often proves to be cumbersome, time-consuming and has hardly been straightforward. Oversight, manual errors, improper configuration, weak ciphers, and expiration often lead to downtimes, compliance issues and security breaches. Certificate life-cycle management is a practice that streamlines certificate management process by automating acquisition, issue, deployment, re-issue, renewal and revoking of certificates. Key Manager Plus facilitates end-to-end certificate life-cycle management for your public facing websites by integrating with the renowned open Certificate Authority, Let's Encrypt. This means you can procure domain validated certificates from Let's Encrypt for your public domains, deploy, track, request alerts on expiry, renew certificates; everything done entirely from the product interface.

You can request, procure, deploy, monitor, track and renew certificates from Let's Encrypt CA directly from Key Manager Plus interface.

Before you proceed with the integration, complete the following step as a prerequisite:

Prerequisite

Add the following base URL and port as an exception in your firewall or proxy to ensure Key Manager Plus is able to connect to Let's Encrypt's CA Services.
URL: https://acme-v02.api.letsencrypt.org/acme/ 
Port: 443

Follow the step-by-step procedure below to integrate Let's Encrypt with Key Manager Plus:

  

Step 1: Create a Let's Encrypt account

The first step in requesting for certificates from Let's Encrypt CA is creating an account with Let's Encrypt. This is a one-time process and can be done from Key Manager Plus interface itself.

To create Let's Encrypt account,

Note: This privilege is available for only the administrator users and only one Let's Encrypt account can be created from Key Manager Plus.

 

Step 2: Raise a certificate request

After creating an account with Let's Encrypt, you have to generate a certificate request. You are then presented with a challenge which you have to fulfill in order for Let's Encrypt to validate your domain and issue the certificate.

Note: Key Manager Plus supports wildcard certificate requests for DNS based challenges. For wildcard certificate requests, enter the common name in the format *.domainname.com

To configure your DNS account,

For Azure DNS,

For Cloudflare DNS

For AWS Route 53 DNS,

  1. Generate and specify the Access Key ID and Secret associated with your AWS account.
  2. If you do not have an AWS account, create one and generate the Access Key ID and Secret by following the steps given below:
    • Login to the AWS console and navigate to IAM Services → Users.
    • Click Add user.
    • Provide the user name and select the access type as Programmatic access.
    • Switch to the next tab, click Attach existing policies directly under Set Permissions and search for "AmazonRoute53FullAccess".
    • Assign the policy that is listed and switch to the next tab.
    • In the tags section, add appropriate tags (optional) and switch to the next tab.
    • Review all the information entered and click Create user.
    • The user account is created and subsequently, an access key ID and a secret is generated. Copy and save the key ID and secret in a secure location for it will not be displayed again.
  3. If you already have an AWS user account, you have to grant "AmazonRoute53FullAccess" permission to the user and generate the access key if the user doesn't have one. And if the user account has an access key associated already, it is just enough to ensure the required permission is granted.

To grant the required permissions,

  1. Navigate to the Permissions tab, select the required user account and click Add Permission.
  2. Click Attach existing policies directly under Set Permissions and search for "AmazonRoute53FullAccess".
  3. Assign the listed policy and hit Save.
  4. To generate the access key,
    • Select the particular user account and navigate to the Security Credentials tab.
    • In the window that opens, click Create access key.
    • An access key ID and a secret is generated. Copy and save the key ID and secret in a secure location for it will not be displayed again.

RFC2136 DNS Update

If you are using open source DNS servers such as Bind, PowerDNS etc., that support RFC2136 DNS update, follow the steps below to automate DNS-based domain control validation procedure using Key Manager Plus. 

Note :

  • One certificate can secure up to 100 domains. You can enter a maximum of 100 names in the 'domain name' field out of which the first name is considered as the common name and the rest are treated as Subject Alternative Names (SAN).
  • Key Manager plus supports http-01 and dns-01 based domain validations. Choose the challenge type based on your requirements.
  • For dns-01 based domain validation, if you are using your configured DNS account for challenge verification, make sure that the status of the chosen DNS account is marked Enabled under Manage → DNS.
  • Option to change the private key currently works only with the RSA key algorithm.

Step 3: Let's Encrypt challenge verification

Key Manager Plus expedites domain validation through automatic verification of HTTP-01 and DNS-01 challenges (currently Azure, Cloudflare, Amazon Route 53, and RFC2136 DNS update). For the automation to take effect, you have to initially map the end-server details to Key Manager Plus, which is a one-time process.

1.Domain validation through HTTP-01 challenge verification

For domain validation through http-01 challenge

Downloading Key Manager Plus agent for Windows servers:

The Key Manager Plus agent package is a zip file comprising of the necessary executables, configuration files required for automatic verification of Let's Encrypt challenges through automatic domain validation. You have to just unzip and install the agent on your Windows domain server after download. To download the agent,

Installing Key Manager Plus agents for Windows server:

To install Key Manager Plus agent as a Windows service

To stop the agent and uninstall the Windows service

2. Domain validation through DNS-01 challenge verification

For DNS-01 challenge verification from Key Manager Plus,

Agent Mapping

In the Deploy window that opens, carry out the following operations to map and save your end-server details in Key Manager Plus.

Note:

  • You can request and acquire certificates only for public domains using Let's Encrypt integration.
  • The handling of challenges can also be done manually without automation. Copy and paste the challenge values / text records manually in your domain server. Then in the Key Manager Plus server, navigate to Pending Requests page and click Verify. The challenge is verified and certificate is issued.
  • Key Manager Plus automates challenge verification using DNS for a certificate request only when Agent mapping is not available. Challenge verification is automated through agents, if agent details are available in Manage → Deploy tab.
  • Currently, Key Manager Plus agents are only available for Windows servers.
  • For RFC2136 DNS update, if you have opted Global DNS configuration, the domain name itself acts as the zone name (Global DNS configuration is possible only if you are using the same Key Secret for all zones). Whereas, if you have opted domain-agent mapping, you have to provide the Zone name, Key Name, and Key Secret for each domain separately. 
 

Step 4: Procure and save the certificate

 

Step 5: Renew certificates

Certificates issued by Let's Encrypt have a life-time of ninety days after which they are not valid. Also, as mentioned above, the domain authentication validity period is sixty days, which means that the user has to fulfill the challenges once in every sixty days in order to prove his ownership of the domain.

Certificate renewals can be carried out manually or automatically through automatic domain validation. To renew a certificate manually,

Note: The certificate should be saved after renewal in order to be updated in the certificate repository. Else, only the old version of the certificate will continue to remain in repository.

 

Automatic renewals through automatic domain validation

If agent mapping had been configured, the certificate renewal process is done automatically without manual intervention. All the certificates in your organization procured from Let's Encrypt is automatically renewed after every 75 days. i.e., 15 days before its expiry and a notification is sent to the account holder's e-mail address.

Note: Automatic renewals are applicable only for those certificates saved in Key Manager Plus repository. i.e., after procuring a certificate from Let's Encrypt, you have to save it in order for the automatic renewal to take effect.

 

Step 6: Revoking certificates

Revoking a certificate renders the certificate invalid and immediately removes the HTTPS from the website.

To revoke a certificate,

 

Step 7: Deleting certificates

Deleting a certificate removes the certificate from Key Manager Plus repository, but the certificate still remains valid.

To delete a certificate,

 

About Let's Encrypt

Let's Encrypt is a free, automated and open Certificate Authority developed by the Internet Security Research group (ISRG) with a main motive to reduce the complexity involved in establishing HTTPS connection and smoothen the overall certificate installation process. Till date, Let's Encrypt issues only domain validated certificates. Organization validation and extended validation are not available and are not being planned to be distributed anytime in the near future. All certificates issued by Let's Encrypt have a life time of ninety days after which they are not valid. Also, the domain authentication validity for a certificate is sixty days. i.e., for every domain you secure, you'll have to fulfill the challenges once in sixty days in order to prove your ownership of the domain. The main purpose of domain validation is to ensure security and Let's Encrypt is planning to reduce this domain authentication validity period to seven days.For more information about Let's Encrypt, click here