Manage SSL Certificates

 

SSL certificates can be created, discovered, and stored in the centralized repository of Key Manager Plus, and requests can be raised for new certificates or for adding a domain to an existing certificate. You are also notified when a certificate is about to expire, which helps you renew it on time.

Use Key Manager Plus to:

  1. Create, discover, or import self-signed or CA issued certificates in the network.
  2. Generate Certificate Signing Request (CSR).
  3. Add requests for new certificates or for adding a sub-domain to an existing certificate.
  4. Receive notifications when certificates are about to expire.

Self-signed certificates and CSRs can be generated using RSA / DSA / EC key algorithms and SHA signature algorithm as per the details below:

RSA – 1024, 2048, or 4096 bit keys and SHA-2 (256, 384, or 512 bit) signature

DSA – 512 or 1024 bit keys and SHA-1 (160 bit) signature

EC – 128 or 256 bit keys and SHA-2 (256, 384, or 512 bit) signature

1. Discover certificates in your network

You can automatically discover all the certificates available in your network using Key Manager Plus, irrespective of the CA. You can run discovery on demand whenever needed, or periodically through scheduled tasks. The discovery options are flexible: you can discover certificates from a single server or multiple servers, and from multiple ports, in one go.

Discover SSL Certificates On Demand

To discover the certificates manually:

Note: The file to be imported must be a text file containing the hostnames or IP addresses of individual servers, each entered on a separate line. Enter the ports to scan on each server separated by a space, as illustrated below:

0.0.0.0 6565
test-username-10 443
192.168.20.20 7272

If you do not specify any port, SSL certificates using the default port 443 will be discovered.
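A pre-flight validator for the import file described above, added here as an example; it is not part of Key Manager Plus. The function names, the sample lines 4-7, and the assumption that several space-separated ports may follow one host are this example's own, and the product's importer may behave differently.

```python
import ipaddress
import re

DEFAULT_PORT = 443  # per the page: used when a line names no port
# RFC 1123 label: letters, digits, hyphens; no leading or trailing hyphen
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Lines 1-3 are the page's illustration; lines 4-7 are constructed test cases.
SAMPLE = """\
0.0.0.0 6565
test-username-10 443
192.168.20.20 7272
intranet.example.test
192.168.20.20 7272 8443
mail.example.test 70000
192.168.20 443
"""

def _valid_host(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    if host.replace(".", "").isdigit():
        return False  # all-numeric but not a valid IP: almost certainly a typo
    return len(host) <= 253 and all(_LABEL.match(p) for p in host.split("."))

def parse_discovery_file(text):
    """Return (sorted unique (host, port) targets, [(line_no, error), ...])."""
    targets, errors = set(), []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split()
        if not fields:
            continue
        host, port_fields = fields[0].lower(), fields[1:]
        if not _valid_host(host):
            errors.append((line_no, f"invalid host {host!r}"))
            continue
        ports = [] if port_fields else [DEFAULT_PORT]
        for p in port_fields:
            if p.isascii() and p.isdigit() and 1 <= int(p) <= 65535:
                ports.append(int(p))
            else:  # a bad port is reported, never silently replaced by 443
                errors.append((line_no, f"invalid port {p!r}"))
        for port in ports:
            if (host, port) in targets:
                errors.append((line_no, f"duplicate target {host}:{port}"))
            targets.add((host, port))
    return sorted(targets), errors
```

Reviewing the returned errors before an import catches mistyped addresses and out-of-range ports that would otherwise leave a server out of the certificate inventory without anyone noticing.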

Click the Discover button. You will be redirected to the Discovery Status page, where the status of the current discovery instance is updated.

Discover SSL Certificates Automatically Through Schedules

SSL Certificate discovery can also be scheduled to occur at periodic intervals.

You will get a message confirming addition of a new schedule.

The result of the schedule execution will get updated in the Schedule audit and the Discovery audit tabs.

Discover certificates mapped to user accounts in Active Directory

Key Manager Plus helps you discover and manage the certificates mapped to user accounts in Active Directory.

To perform AD user certificate discovery,

Discover certificates from Microsoft Certificate Store

Key Manager Plus helps you discover and import certificates from Microsoft Certificate Store. To import certificates from Microsoft Certificate Store,

Note: During Windows Certificate Store discovery, if the target server name is not specified, choosing the Get Stores option will list all the certificate stores available on the local host.

The centralized certificate repository

All discovered SSL certificates, whether discovered manually or through scheduled discovery operations, are automatically added to the centralized repository of Key Manager Plus. You can view these certificates from the SSL → Certificates tab in the user interface.

Export private key / keystore file

Key Manager Plus allows you to identify and export the private keys / keystore files of SSL certificates stored in the certificate repository, provided you are managing their private keys / keystore files using Key Manager Plus. The Keystore icon is enabled beside the certificates whose private keys are managed using Key Manager Plus. To export the private key / keystore file,

Update servers with latest certificate versions

In the case of a wildcard certificate or a single SSL certificate deployed to multiple servers, it is necessary to keep track of the servers on which the certificate is deployed and to check that the latest certificate version is in use. Key Manager Plus helps you ensure this.

Also, you can edit details pertaining to a particular certificate or delete irrelevant certificates by selecting the certificate and clicking the More dropdown.

 

2. Create Self-signed certificates

Key Manager Plus allows administrators to create their own self-signed certificates using Java keytool. These certificates are automatically imported into the Key Manager Plus repository on successful creation.

To create a self-signed certificate using Key Manager Plus:

3. Generate CSRs

To generate a CSR using Java keytool from Key Manager Plus:

4. Import Certificates

To import the certificates in your network:

 

5. Delete certificates

You can delete the certificates that are currently not in use. To delete a certificate from Key Manager Plus repository:

 

6. Certificate Requests

The certificate request workflow is as follows:

Add Certificate Request

To add requests for new certificates or addition of sub-domains to existing certificates, in Key Manager Plus:

Certificate request status

A certificate request is in either of the following statuses.

When a certificate request is raised, it is automatically elevated to the Open state. The request details can be viewed from the SSL → Certificate request tab, on clicking the domain name of the request.

Close Certificate Request

To terminate the certificate request life-cycle:

7. Control expiry notification schedule

You can customize the periodicity of notifications you receive when a certificate is about to expire. To customize the notifications:

Note: Once a certificate is within the selected number of days before its expiry, you will receive a notification every day. For instance, if a certificate is about to expire in the last week of a month and you select the Notify if SSL certificates are expiring within 7 days option, you will receive a notification that your certificate is about to expire on every day of the week before the expiry of the certificate.