
Manage SSL Certificates

 

SSL certificates can be created, discovered and stored in the centralized repository of Key Manager Plus, and requests can be raised for new certificates or for adding a domain to an existing certificate. You are also notified when a certificate is about to expire, so that it can be renewed in time.

Use Key Manager Plus to:

  1. Create, discover, or import self-signed or CA-issued certificates in the network.
  2. Generate Certificate Signing Requests (CSRs).
  3. Raise requests for new certificates, or for adding a sub-domain to an existing certificate.
  4. Receive notifications when certificates are about to expire.

Self-signed certificates and CSRs can be generated with RSA, DSA or EC keys and a SHA-family signature algorithm, in the following combinations:

RSA: 1024-, 2048- or 4096-bit keys with a SHA-2 (SHA-256, SHA-384 or SHA-512) signature

DSA: 512- or 1024-bit keys with a SHA-1 (160-bit) signature

EC: 128- or 256-bit keys with a SHA-2 (SHA-256, SHA-384 or SHA-512) signature

Not every listed combination is safe to deploy. 1024-bit RSA keys and SHA-1 signatures are rejected by current browsers and by the CA/Browser Forum baseline requirements, and DSA has no signature scheme in TLS 1.3. For anything that must be trusted outside a closed test environment, choose RSA 2048 or larger, or a 256-bit EC key, with SHA-256 or stronger.

 

1. Discover certificates in your network

You can automatically discover all the certificates in your network using Key Manager Plus, irrespective of the CA that issued them. Discovery can be run on demand or periodically through scheduled tasks, and it is flexible: you can scan a single server or many servers, across multiple ports, in one run.

Discover SSL Certificates On Demand

To discover the certificates manually:

Note : The file to be imported must be a text file with the hostname or IP address of one server per line, followed by the ports to scan on that server, separated by spaces, as illustrated below:

0.0.0.0 6565
test-username-10 443
192.168.20.20 7272

If no port is specified for a server, certificates are discovered on the default port 443.

Click Discover. You are redirected to the Discovery Status page, where the status of the current discovery run is updated.
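What a discovery run does for each host and port, as an added example that is not Key Manager Plus code: it reads the same inventory format described in the note above (one server per line, optional ports, 443 when none is given), performs a TLS handshake with SNI using openssl, and records the leaf certificate's subject, issuer and expiry, flagging anything that expires within 30 days. The file and host names are placeholders; it requires openssl on PATH.

```shell
#!/bin/sh
# Added example, not Key Manager Plus code: an on-demand discovery pass over
# the same inventory format the import expects ("<host-or-ip> [port ...]",
# one server per line, port 443 when none is given). Requires openssl.
set -f   # no pathname expansion while word-splitting inventory lines

# Emit one "host:port" per line from an inventory file. Blank lines and
# "#" comments are skipped and CRLF line endings are tolerated.
normalize_targets() {
  tr -d '\r' < "$1" | while IFS= read -r line || [ -n "$line" ]; do
    set -- $line                          # split into host and ports
    [ $# -eq 0 ] && continue              # blank line
    case "$1" in '#'*) continue ;; esac   # comment line
    host=$1
    shift
    [ $# -eq 0 ] && set -- 443            # default port, as on the page
    for port in "$@"; do
      printf '%s:%s\n' "$host" "$port"
    done
  done
}

# Handshake with one host:port (SNI set to the host name), print the leaf
# certificate's subject, issuer and notAfter, and flag anything expiring
# within 30 days. No trust decision is made here: discovery has to find
# self-signed and internally issued certificates too, so the chain is not
# verified, only recorded.
scan_target() {
  target=$1
  host=${target%:*}
  port=${target##*:}
  if ! pem=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
             | openssl x509 2>/dev/null); then
    printf '%s\tno certificate (connection or handshake failed)\n' "$target"
    return 0
  fi
  info=$(printf '%s\n' "$pem" | openssl x509 -noout -subject -issuer -enddate | tr '\n' ' ')
  # -checkend exits non-zero when the certificate expires within N seconds
  if printf '%s\n' "$pem" | openssl x509 -noout -checkend $((30 * 86400)) >/dev/null 2>&1; then
    state=ok
  else
    state=EXPIRING_WITHIN_30_DAYS
  fi
  printf '%s\t%s\t%s\n' "$target" "$state" "$info"
}

# Run discovery for every target in an inventory file.
discover() {
  normalize_targets "$1" | while IFS= read -r target; do
    scan_target "$target"
  done
}

if [ $# -gt 0 ]; then
  discover "$1"     # usage: sh discover.sh servers.txt
fi
```

Run it as `sh discover.sh servers.txt` with a file in the format shown above. Verification is deliberately switched off so that self-signed and internal-CA certificates are inventoried rather than skipped; whether each one should be trusted is a separate decision made after discovery.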


Discover SSL Certificates Automatically Through Schedules

SSL Certificate discovery can also be scheduled to occur at periodic intervals.

You will get a message confirming that the new schedule has been added.

The result of each schedule run is recorded in the Schedule audit and Discovery audit tabs.

Discover certificates mapped to user accounts in Active Directory

Key Manager Plus helps you discover and manage the certificates mapped to user accounts in Active Directory.

To perform AD user certificate discovery,


Manage certificates from MS certificate store and Local CA

Key Manager Plus helps you request, acquire, discover, consolidate, track and manage certificates from the MS Certificate Store and those issued by a local certificate authority. To begin managing them, start the Key Manager Plus service under a domain administrator account, or under a domain service account that you have added to the local Administrators group on the Key Manager Plus host beforehand. The service account is the better choice: the feature only needs local administrator rights, and a service running as a domain administrator hands those domain-wide privileges to anyone who compromises the host.

To import certificates from Microsoft Certificate Store and certificates issued by Local CA,


The centralized certificate repository

All discovered SSL certificates, whether found by on-demand or by scheduled discovery, are added to the centralized repository of Key Manager Plus automatically. You can view them from the SSL → Certificates tab in the user interface.

Export private key / keystore file

Key Manager Plus lets you identify and export the private keys or keystore files of certificates in the repository, provided those private keys or keystore files are managed by Key Manager Plus. The Keystore icon is shown enabled beside each certificate whose private key is managed this way. To export the private key or keystore file,

Track and manage various certificate versions

There are situations where different certificates must be used on different end servers for the same domain. You then have to track the usage and expiry of each of these certificates individually, even though they represent a common domain. Doing that by hand is tedious and error-prone; Key Manager Plus lets you track and manage the usage and expiry of all versions of a certificate from a single window.

To track certificate versions,


Update servers with latest certificate versions

For a wildcard certificate, or a single SSL certificate deployed to several servers, you need to know which servers carry the certificate and whether each of them is running the latest version. Key Manager Plus helps you verify this.


You can also edit the details of a certificate, or delete certificates that are no longer relevant, by selecting the certificate and using the More dropdown.

 

2. Create self-signed certificates

Key Manager Plus lets administrators create their own self-signed certificates using Java keytool. On successful creation, these certificates are imported into the Key Manager Plus repository automatically.

To create a self-signed certificate using Key Manager Plus:

 

3. Generate CSRs

To generate a CSR using Java keytool from Key Manager Plus:

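The keytool operations behind sections 2 and 3, as an added example that is not Key Manager Plus code: it creates a self-signed certificate and then a CSR for the same key pair, with the key and signature parameters pinned to RSA 2048 and SHA-256 rather than the weaker options the product also lists. The host name, alias, file names and password are placeholders, and a JDK keytool is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not Key Manager Plus code: the keytool operations behind
# sections 2 (self-signed certificate) and 3 (CSR), with the parameters pinned
# to currently accepted values. Host name, alias, files and password are
# placeholders; keep a real password in a secret store, not in the script.
HOST=${HOST:-app.example.internal}
KEYSTORE=${KEYSTORE:-app.p12}
ALIAS=${ALIAS:-app}
STOREPASS=${STOREPASS:-changeit}

# Section 2: self-signed certificate. RSA 2048 with SHA-256; the 1024-bit RSA,
# DSA and SHA-1 options on the page are not accepted by browsers or TLS 1.3
# peers, so avoid them outside a throwaway test setup. The SAN is what clients
# actually match on; the CN alone is no longer enough.
create_self_signed() {
  keytool -genkeypair -storetype PKCS12 -keystore "$KEYSTORE" \
    -storepass "$STOREPASS" -keypass "$STOREPASS" -alias "$ALIAS" \
    -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 397 \
    -dname "CN=$HOST, OU=Platform, O=Example Corp, C=US" \
    -ext "san=dns:$HOST" \
    -ext "ku:c=digitalSignature,keyEncipherment" \
    -ext "eku=serverAuth"
}

# Section 3: CSR for the key pair just created. The SAN has to be repeated in
# the request; a CA issues for what is in the request, not for what is in the
# keystore's own self-signed certificate.
generate_csr() {
  keytool -certreq -keystore "$KEYSTORE" -storepass "$STOREPASS" \
    -alias "$ALIAS" -sigalg SHA256withRSA \
    -ext "san=dns:$HOST" -file "$HOST.csr"
}

# Show what would actually be sent to a CA: subject, SAN and key size.
print_csr() {
  keytool -printcertreq -file "$HOST.csr"
}

# Check the stored certificate's signature algorithm, validity window and SAN.
describe_keystore_entry() {
  keytool -list -v -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias "$ALIAS" \
    | grep -E 'Owner:|Signature algorithm name|Valid from|DNSName'
}

if [ "${1:-}" = run ]; then
  create_self_signed && generate_csr && print_csr && describe_keystore_entry
fi
```

Run it as `sh keytool-demo.sh run`, or override `HOST`, `KEYSTORE`, `ALIAS` and `STOREPASS` in the environment. Reading the CSR back with `keytool -printcertreq` before submitting it is the check that catches a missing SAN or an unexpectedly small key while it is still cheap to fix.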

4. Certificate Signing

Key Manager Plus provides the option to sign and issue certificates to all clients in your network either from your Microsoft Certificate Authority or using a custom root CA certificate that is trusted within your environment.

Microsoft CA certificate signing

To request and acquire certificates from your local CA through Key Manager Plus, first generate a certificate signing request and then have it signed by the local certificate authority, using the steps below.

The CSR can be signed by your Microsoft Certificate Authority directly from Key Manager Plus.

Certificates issued by Local CA can be renewed automatically from Key Manager Plus. To enable auto-renewal of Local CA certificates,


Note :

  1. Start Key Manager Plus using your domain administrator account to begin management of certificates from Microsoft Certificate Store and those issued by your Local CA. If you use a domain service account to run Key Manager Plus, make sure that you have configured it in your local admin group beforehand.
  2. During MS Certificate Store discovery, Get Stores option will list all stores available in the local host if the Server Name field is left empty.
  3. For MS CA auto-renewal to take effect, the certificate(s) need to be of type Microsoft CA. For manually added certificates, the certificate type needs to be changed to Microsoft CA using Edit option from More top menu.

Sign certificates with custom root CA

Besides Microsoft CA signing, Key Manager Plus can sign and issue certificates to clients in your network using a custom root CA certificate that is trusted within your environment.

1. Create a custom root CA

To sign locally generated certificate requests with the root CA certificate, you have to initially create a custom root CA.

Note :

You can also generate new root CA certificates from Key Manager Plus by enabling Generate root certificate check-box while creating a certificate from SSL → Certificates → Create option.

2. Sign certificates with the custom root CA

To sign certificates with the custom root CA, generate a certificate signing request (CSR) and then sign it using the root certificate.

Also, you can use the root CA certificate to simultaneously generate and sign certificates to user groups in bulk directly from Key Manager Plus.
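The two custom-root-CA steps above carried out with keytool, as an added example that is not Key Manager Plus code: it creates a root CA whose certificate is marked as a CA with a restricted key usage, signs a CSR with it while setting the leaf's extensions on the CA side, and installs the resulting chain into the requester's keystore. The CA name, aliases, file names and passwords are placeholders, and a JDK keytool is assumed to be on PATH; the CSR it signs would come from the procedure in section 3.

```shell
#!/bin/sh
# Added example, not Key Manager Plus code: the two custom-root-CA steps
# driven with keytool. CA name, aliases, file names and passwords are
# placeholders; keep real passwords in a secret store, not in the script.
CA_KEYSTORE=${CA_KEYSTORE:-rootca.p12}
CA_ALIAS=${CA_ALIAS:-rootca}
CA_PASS=${CA_PASS:-changeit}

# Step 1: create the custom root CA. What makes this a CA rather than an
# ordinary self-signed certificate is the critical BasicConstraints ca:true and
# a key usage limited to signing certificates and CRLs. pathlen:0 stops anyone
# holding a leaf issued by this root from minting a subordinate CA under it.
create_root_ca() {
  keytool -genkeypair -storetype PKCS12 -keystore "$CA_KEYSTORE" \
    -storepass "$CA_PASS" -keypass "$CA_PASS" -alias "$CA_ALIAS" \
    -keyalg RSA -keysize 4096 -sigalg SHA256withRSA -validity 3650 \
    -dname "CN=Example Corp Internal Root CA, O=Example Corp, C=US" \
    -ext "bc:c=ca:true,pathlen:0" \
    -ext "ku:c=keyCertSign,cRLSign"
  # The public root certificate: this, and only this, is distributed to clients.
  keytool -exportcert -rfc -keystore "$CA_KEYSTORE" -storepass "$CA_PASS" \
    -alias "$CA_ALIAS" -file rootca.pem
}

# Step 2: sign a CSR with the root. keytool -gencert does not copy extensions
# from the request unless told to, so the CA decides the SAN, key usage, EKU
# and lifetime here regardless of what the requester asked for.
# $1 = CSR file, $2 = DNS name to certify, $3 = output certificate (PEM)
sign_csr() {
  keytool -gencert -keystore "$CA_KEYSTORE" -storepass "$CA_PASS" \
    -alias "$CA_ALIAS" -sigalg SHA256withRSA -validity 397 -rfc \
    -infile "$1" -outfile "$3" \
    -ext "san=dns:$2" \
    -ext "ku:c=digitalSignature,keyEncipherment" \
    -ext "eku=serverAuth"
}

# Install the result into the keystore that holds the requester's private key:
# the root first, as a trusted entry, then the signed certificate as the reply
# for the key's alias. keytool refuses a reply that does not match the key or
# does not chain to a trusted certificate.
# $1 = server keystore, $2 = its password, $3 = key alias, $4 = signed cert
install_chain() {
  keytool -importcert -noprompt -keystore "$1" -storepass "$2" \
    -alias "$CA_ALIAS" -file rootca.pem
  keytool -importcert -noprompt -keystore "$1" -storepass "$2" \
    -alias "$3" -file "$4"
  keytool -list -v -keystore "$1" -storepass "$2" -alias "$3" \
    | grep -E 'Certificate chain length|Issuer:'
}

if [ $# -eq 3 ]; then
  # usage: sh rootca.sh app.csr app.example.internal app.pem
  create_root_ca && sign_csr "$1" "$2" "$3"
fi
```

Run `sh rootca.sh app.csr app.example.internal app.pem` to create the root and issue the leaf, then `install_chain app.p12 changeit app app.pem` against the requester's keystore. Keep the root keystore off the servers that present the leaf certificates; only `rootca.pem` needs to travel.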