
Manage SSL Certificates

 

SSL certificates can be created, discovered, and stored in the centralized repository of Key Manager Plus, and requests can be raised for new certificates or for adding a domain to an existing certificate. You are also notified when a certificate is about to expire, so that it can be renewed in time.

Use Key Manager Plus to:

  1. Create, discover, or import self-signed or CA-issued certificates in the network.
  2. Generate Certificate Signing Requests (CSRs).
  3. Raise requests for new certificates or for adding a subdomain to an existing certificate.
  4. Receive notifications when certificates are about to expire.

Self-signed certificates and CSRs can be generated with the following key algorithms and SHA signature algorithms:

RSA – 1024, 2048, or 4096 bit keys; SHA-2 (256, 384, or 512 bit) signature

DSA – 512 or 1024 bit keys; SHA-1 (160 bit) signature

EC – 128 or 256 bit keys; SHA-2 (256, 384, or 512 bit) signature

Not all of these combinations are suitable for certificates that clients will trust. SHA-1 signatures are rejected by current browsers and TLS stacks, and 1024-bit RSA and DSA keys (let alone 512-bit DSA) are below the 2048-bit minimum that public CAs and most compliance baselines require. Use RSA with 2048-bit or larger keys, or EC, with a SHA-2 signature; treat the DSA and 1024-bit options as legacy compatibility settings only.

 

1. Discover Certificates in your Network

You can automatically discover all the certificates available in your network using Key Manager Plus, irrespective of the CA that issued them. Discovery can be run on demand or periodically through scheduled tasks, and it is flexible: you can discover certificates from a single server or from multiple servers, across multiple ports, in one go.

1.1 Discover SSL Certificates On Demand

To discover the certificates manually:

  1. Go to the Discovery tab in the GUI.
  2. Click the SSL tab.
  3. Select an option for the type of discovery.

Note: For file-based discovery, the file must be a plain text file listing one server per line: the hostname or IP address, followed by the port(s) to scan on that server, separated by spaces, as illustrated below:

0.0.0.0 6565
test-username-10 443
192.168.20.20 7272

If no port is specified for a server, the default port 443 is scanned.

  4. For bulk discovery using the IP address range and Subnet options, the Exclude IP Address field lets you keep specific resources out of the scan. Enter the IP addresses to exclude one below another.
  5. Specify values for the Time out and Port options.
  6. Click the Discover button. You are redirected to the Discovery Status page, where the status of the current discovery run is updated.
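As an added example that is not part of the product documentation, the shell functions below expand a target file in the format shown above into host:port pairs (default port 443, an exclusion list that plays the role of the Exclude IP Address field, and port validation) and then do what a discovery run does per endpoint: fetch the leaf certificate over TLS with SNI and record its expiry and SHA-256 fingerprint. Recording the fingerprint rather than only the subject is what later lets you tell apart different certificates issued for the same domain. The sample target list is constructed here; `probe_endpoint` assumes openssl on PATH and network reach to the target, and does not handle IPv6 literals.

```sh
#!/bin/sh
# Expand a discovery target file (one host or IP per line, followed by zero or
# more ports) into host:port pairs, skipping hosts named in an exclusion file.
expand_targets() {   # usage: expand_targets TARGET_FILE [EXCLUDE_FILE]
    awk -v exclude_file="${2:-}" '
    BEGIN {
        if (exclude_file != "") {
            while ((getline line < exclude_file) > 0) {
                gsub(/^[ \t]+|[ \t]+$/, "", line)
                if (line != "") excluded[line] = 1
            }
            close(exclude_file)
        }
    }
    {
        sub(/#.*/, "")                    # tolerate comments (an addition to the page format)
        if (NF == 0) next                 # blank line
        host = $1
        if (host in excluded) next
        if (NF == 1) { print host ":443"; next }   # no port listed: default 443
        for (i = 2; i <= NF; i++) {
            if ($i !~ /^[0-9]+$/ || $i < 1 || $i > 65535) {
                printf "line %d: bad port %s for %s\n", NR, $i, host > "/dev/stderr"
                continue
            }
            print host ":" $i
        }
    }' "$1"
}

# Fetch the leaf certificate presented at HOST:PORT (SNI set to HOST) and print
# its notAfter date and SHA-256 fingerprint, which is what a discovery run
# records per endpoint. Assumes openssl on PATH and network reach; IPv6
# literals are not handled.
probe_endpoint() {   # usage: probe_endpoint HOST:PORT
    host=${1%:*}
    port=${1##*:}
    if info=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
              | openssl x509 -noout -enddate -fingerprint -sha256 2>/dev/null) && [ -n "$info" ]; then
        printf '%s %s\n' "$1" "$(printf '%s' "$info" | tr '\n' ' ')"
    else
        printf '%s NO-CERT\n' "$1" >&2
        return 1
    fi
}

# Constructed sample input in the page's format, plus an exclusion list.
write_sample_targets() {   # usage: write_sample_targets DIR
    cat > "$1/targets.txt" <<'EOF'
0.0.0.0 6565
test-username-10 443
192.168.20.20 7272
mail.example.internal
web.example.internal 443 8443
10.0.0.9 99999
EOF
    printf '0.0.0.0\n' > "$1/exclude.txt"
}

D=$(mktemp -d)
write_sample_targets "$D"
expand_targets "$D/targets.txt" "$D/exclude.txt"
# To probe every expanded endpoint (network required):
#   expand_targets "$D/targets.txt" "$D/exclude.txt" | while IFS= read -r t; do probe_endpoint "$t"; done
```

The out-of-range port on the last sample line is reported on stderr and skipped rather than aborting the whole run, which is the behaviour you want when a long target list has one typo.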


1.2 Discover SSL Certificates Automatically Through Schedules

SSL Certificate discovery can also be scheduled to occur at periodic intervals.

  1. Click the Schedule tab in the GUI.
  2. Click the Add Schedule button.
  3. In the Add Schedule window, enter a name for the schedule and select the type of schedule as SSL Discovery.
  4. Specify the start and end IP addresses and the port on the target hosts to check for SSL certificates.
  5. Select the recurrence type – hourly, daily, weekly, monthly, or once only. Set the starting time, date, or day corresponding to the option chosen.
  6. Enter the email addresses of the users to be notified. The email settings can be configured from the Settings >> Mail Server Settings tab.
  7. Click the Save button.

You will get a message confirming addition of a new schedule.

The result of the schedule execution will get updated in the Schedule audit and the Discovery audit tabs.

1.3 Discover certificates mapped to user accounts in Active Directory

Key Manager Plus helps you discover and manage the certificates mapped to user accounts in Active Directory.

To perform AD user certificate discovery,

  1. Navigate to Discovery >> AD User Certificate.
  2. Select the required domain from the Domain Name drop-down.
  3. Specify the DNS name of the domain controller. This is used as the primary domain controller.
  4. If the primary domain controller is down, secondary domain controllers can be used. If you have secondary domain controllers, specify their DNS names separated by commas; one of the available secondary domain controllers will be used. When you use SSL mode, make sure the DNS name specified here matches the CN (common name) in the SSL certificate of the domain controller.
  5. Enter valid credentials (user name and password) of a user account within that domain. Then enter the users / user groups / OUs in which you want to perform the certificate discovery and click Import. To perform certificate discovery for groups/OUs as a whole, choose the Groups/OU tree import type and select the required groups from the drop-down list.
  6. Key Manager Plus also provides an option to import AD users while performing the certificate discovery. Enable the Import AD users check box to import into Key Manager Plus the AD user accounts for which certificate discovery is done.
  7. The discovered certificates are automatically added to the certificate repository of Key Manager Plus.


1.4 Manage Certificates from MS Certificate Store and Local CA

Key Manager Plus helps you request, acquire, discover, consolidate, track, and manage certificates from the Microsoft Certificate Store and those issued by a local certificate authority. To begin managing these certificates, start the Key Manager Plus service under your domain administrator account. If you use a domain service account to run Key Manager Plus, add that account to the local Administrators group beforehand. Whatever account runs the service can read every certificate store it is pointed at, so prefer a dedicated service account over a shared or personal domain administrator login, and restrict who can log on with it.

To import certificates from Microsoft Certificate Store and certificates issued by Local CA,


1.5 Discover Certificates from SMTP Servers

You can discover SSL certificates used by mail servers present in your network and consolidate them in Key Manager Plus' centralized certificate repository. To perform mail server certificate discovery,

  1. Navigate to Discovery >> Mail Server Certificate.
  2. Provide the host name or IP address from which the certificate is to be discovered and specify the port number. You can specify multiple port values by separating them with commas.
  3. Click Discover. On successful discovery, the certificates are fetched from the specified resources and added to Key Manager Plus' repository.

1.6 Discover SSL Certificates Deployed to Load Balancers

Key Manager Plus also allows you to discover SSL certificates deployed to load balancers within your network and consolidate them in its secure, centralized repository. Key Manager Plus currently supports certificate discovery from Linux-based load balancers only (for example, Nginx and F5), and the connection to the load balancer is made over SSH. To perform load balancer certificate discovery,

  1. Navigate to Discovery >> Load Balancer.
  2. Specify the server name, port number, user name, and password.
  3. For key-based authentication, choose the Select Key option, upload the private key associated with the user account, and specify the key passphrase.
  4. Once you have provided the credentials, specify the path on the server from which certificates are to be discovered.
  5. The Discover certificate list option fetches all the certificates available in the specified path and lets you choose the certificates that you wish to discover and import.
  6. After choosing from the list, click Discover.
  7. The certificates are discovered and imported into Key Manager Plus' centralized certificate repository. You can view them from the SSL >> Certificates tab.
  8. Certificate files with the extensions .keystore and .pfx require their passphrases to be provided before they can be imported into Key Manager Plus.
  9. Such files are not automatically imported into the certificate repository but are grouped separately under the JKS / PKCS section (in the top-right corner of the window).
  10. To import them, click JKS / PKCS, choose the certificate file(s) that you wish to import in the window that opens, and click Import from the top menu. In the pop-up that opens, provide the file passphrase(s) and click Import.
  11. The chosen certificate files are imported and added to Key Manager Plus' certificate repository.
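Added example, not part of the product or this documentation: the shell functions below reproduce what an SSH-based sweep of a load balancer's certificate path yields, and why steps 8 to 10 above treat .pfx and .keystore files differently. They walk a directory, report subject, expiry and SHA-256 fingerprint for every parseable certificate, set password-protected PKCS#12 and Java keystore containers aside because they cannot be read without their passphrase, and flag PEM private keys found in the path. The directory layout and file extensions are assumptions; openssl is assumed to be installed on the scanned host.

```sh
#!/bin/sh
# Inventory certificate material under DIR and classify each file:
#   CERT             parseable X.509 certificate (subject | notAfter | SHA-256 fingerprint)
#   NEEDS-PASSPHRASE PKCS#12 / Java keystore container, unreadable without its passphrase
#   PRIVATE-KEY      a PEM private key sitting in the scanned path (worth flagging)
#   SKIP             matched by extension but not parseable as a certificate
# Extensions are the conventional ones (an assumption); output is tab separated.
scan_cert_path() {   # usage: scan_cert_path DIR
    find "$1" -type f \( -name '*.pem' -o -name '*.crt' -o -name '*.cer' -o -name '*.key' \
        -o -name '*.pfx' -o -name '*.p12' -o -name '*.jks' -o -name '*.keystore' \) \
        2>/dev/null | LC_ALL=C sort | while IFS= read -r f; do
        case "$f" in
            *.pfx|*.p12|*.jks|*.keystore)
                printf 'NEEDS-PASSPHRASE\t%s\n' "$f"
                continue ;;
        esac
        if grep -q 'PRIVATE KEY-----' "$f" 2>/dev/null; then
            printf 'PRIVATE-KEY\t%s\n' "$f"
        elif info=$(cert_info "$f"); then
            printf 'CERT\t%s\t%s\n' "$f" "$info"
        else
            printf 'SKIP\t%s\n' "$f"
        fi
    done
}

# Print "subject=...|notAfter=...|... Fingerprint=..." for a PEM or DER
# certificate; fail if the file is neither.
cert_info() {   # usage: cert_info FILE
    for form in PEM DER; do
        if out=$(openssl x509 -in "$1" -inform "$form" -noout -subject -enddate \
                     -fingerprint -sha256 2>/dev/null); then
            printf '%s' "$out" | tr '\n' '|'
            return 0
        fi
    done
    return 1
}

# Constructed demo directory: two containers, one unparseable .crt, and, when
# openssl is available, a freshly generated self-signed certificate and its key.
DEMO=$(mktemp -d)
: > "$DEMO/site.pfx"
: > "$DEMO/app.keystore"
printf 'not a certificate\n' > "$DEMO/junk.crt"
if command -v openssl >/dev/null 2>&1; then
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$DEMO/lb.key" -out "$DEMO/lb.crt" \
        -subj '/CN=lb.example.internal' -days 1 >/dev/null 2>&1
fi
scan_cert_path "$DEMO"
```

To run this against a remote load balancer the way the product does, ship the functions over the same SSH session (for example `ssh user@lb sh -s < scan.sh`, with `scan_cert_path /etc/nginx` as the last line) and parse the tab-separated output on the Key Manager Plus side. A PRIVATE-KEY hit in a world-readable path is a finding in its own right, not just inventory.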

1.7 Discover SSL certificates using KMP agents

Key Manager Plus provides IT administrators the option to discover SSL certificates deployed across their network through agents. This functionality enables them to download and deploy Key Manager Plus agents to target systems, and to discover and import certificates from those systems into the centralized certificate repository directly from the Key Manager Plus web interface. The connection between the Key Manager Plus server and the server(s) on which the agent is deployed is made over HTTPS. Currently, Key Manager Plus agents are available only for Windows servers.

Performing certificate discovery through agents is helpful in the following scenarios:

  1. When the administrative credentials of the target server(s), which are required to perform the discovery, are not available in the Key Manager Plus server.
  2. When certificates have to be discovered from servers that Key Manager Plus cannot reach directly, for instance servers in a demilitarized zone (DMZ). In such cases, the agent is usually installed on an intermediate jump server that is permitted to access the remote servers and passes the required information on to the Key Manager Plus server.

1.7.1 Downloading the Key Manager Plus agent

The agent used to perform certificate management operations on remote machines is dynamically created by the Key Manager Plus server. To download Key Manager Plus agent,

  1. Navigate to Discovery >> Agents >> Download Windows Agent.
  2. From the pop up that opens, download the agent based on your server configuration. Also, copy and save the Install Key in a secure location.

1.7.2 Agent Installation

Once you have downloaded the agent from the Key Manager Plus web interface, follow the instructions below to install it on the target servers. The downloaded package already contains the configuration needed to perform the required operations. Make sure the account under which the agent runs on the target server has sufficient privileges to perform certificate discovery.

To install Key Manager Plus agent as a Windows service,

  1. Move the zip file downloaded from the Key Manager Plus server to the target server.
  2. Unzip its contents into a folder that is not shared; the package carries the configuration the agent uses to reach your Key Manager Plus server.
  3. Open a command prompt, navigate to the agent installation directory, and run AgentInstaller.exe install <Install Key>, supplying the Install Key you saved earlier.
  4. The Install Key is revoked after a single installation. To install the agent on another server, regenerate the Install Key from the Key Manager Plus server and supply it on that server.

To start the agent as a Windows service,

  1. Open the command prompt and navigate to the Key Manager Plus agent installation directory.
  2. Then execute the following command: AgentInstaller.exe start
  3. On successful installation, you can find the Key Manager Plus agent running as a service in the target server.

To stop the agent,

  1. Open the command prompt and navigate to the Key Manager Plus agent installation directory.
  2. Then execute the following command: AgentInstaller.exe stop

To perform SSL certificate discovery through Key Manager Plus agent,

  1. Navigate to Discovery >> Agents.
  2. Choose the type of discovery you want to perform—domain based, Certificate Store or certificates issued by Microsoft Certificate Authority.
  3. Select the required agent from the drop down to perform the operation.
  4. If the agent is busy, wait and try again after some time.
  5. For Microsoft CA discovery, you can choose to exclude expired / revoked certificates or perform discovery based on issue date or certificate template using the filters provided.
  6. Click Discover. The certificates are discovered from the servers in which the agent is installed and imported into Key Manager Plus' certificate repository.

1.7.3 Managing Agents

Key Manager Plus provides administrators insights about agent activity and allows management of agents installed on various target resources. To manage Key Manager Plus agents,

  1. Navigate to Discovery >> Agents and click Manage.
  2. In the window that opens, you will be able to see a list of Key Manager Plus agents installed on remote resources along with insights such as IP address, username, time of installation, heartbeat interval, last response time, and last operation performed.
  3. If you want to delete an agent, you can do so by choosing the agent and clicking Delete from the top menu.

1.8 Discover SSL Certificates Hosted on AWS (ACM & IAM)

Key Manager Plus enables you to discover, import, and configure expiry notifications for SSL certificates hosted in the following Amazon Web Services: AWS Certificate Manager (ACM) and AWS Identity and Access Management (IAM).

Follow the steps below to discover and import SSL certificates from ACM / IAM into Key Manager Plus.

Step 1: Configure AWS credentials in Key Manager Plus

  1. To add your AWS credentials in Key Manager Plus, navigate to Discovery >> AWS and click the Manage AWS Credential option.
  2. Click Add.
  3. In the Create AWS Credentials window that opens, provide the credential name, access key, and secret key. Use an IAM identity whose permissions are limited to listing and reading certificates in ACM and IAM; the secret key is stored in Key Manager Plus, so it should not carry more rights than discovery needs.
  4. Use the Test Login option to check that the login succeeds. You are notified if the login is successful.
  5. Then click Save. The credentials are saved in Key Manager Plus.

Step 2: Discovery and Import

  1. Switch to Discovery >> AWS tab.
  2. Choose the appropriate AWS credentials from among the ones configured in Key Manager Plus or provide your Access Key and Secret Key.
  3. Choose the required AWS service from which certificates need to be imported: ACM or IAM.
  4. To import certificates from ACM, select ACM under AWS service and choose the service region. 
  5. Click Discover.
  6. Certificates are discovered from resources in the selected region and imported into Key Manager Plus.
  7. To import certificates from IAM, specify the required AWS usernames or use the List AWS username option to retrieve the usernames. Choose the required usernames and click Discover.
  8. You can also choose to import server certificates for the corresponding AWS users by checking the Include Server Certificate option.
  9. User certificates are imported into Key Manager Plus.

1.8.1 The Centralized Certificate Repository

All the discovered SSL certificates, those that are discovered manually as well as those discovered through scheduled discovery operations are automatically added to the centralized repository of Key Manager Plus. You can view these certificates from the SSL >> Certificates tab in the user interface.

1.8.2 Export Private Key / Keystore File

Key Manager Plus allows you to identify and export the private keys / keystore files of SSL certificates stored in the certificate repository, provided you're managing their private keys / keystore files using Key Manager Plus. You can see the Keystore icon ( keystore ) enabled beside the certificates for which the private keys are managed using Key Manager Plus. To export the private key / keystore file,

  1. Navigate to SSL >> Certificates.
  2. Click the Keystore icon ( keystore ) beside the certificate whose private key you need to export.
  3. From the drop-down, choose Keystore / PFX or Private key as required.
  4. The keystore file / private key of the corresponding certificate is downloaded. An exported private key is as sensitive as the deployment it protects; store the file only where it is needed and remove local copies once it has been deployed.

1.8.3 Track and Manage Various Certificate Versions

Sometimes different certificates have to be used on different end servers for the same domain. In such cases, you need to track the usage and expiry of each of these certificates individually, even though they share a domain. Doing so manually is tedious and error-prone. Key Manager Plus lets you track and manage the usage and expiry of the various certificate versions from a single window.

To track certificate versions,

  1. Navigate to SSL >> Certificates tab.
  2. Click the certificate history icon (cert-history-icon) present in the right corner of the table view, corresponding to the required certificate.
  3. In the certificate history window that opens, choose the certificate version you wish to manage, click the certificate settings icon, and then click Manage certificate.
  4. That certificate version is set for management, and Key Manager Plus starts tracking its usage and expiry individually.
  5. Repeat the same procedure for all the certificate versions that you wish to manage.


1.8.4 Update Servers with Latest Certificate Versions

When a wildcard certificate, or a single SSL certificate, is deployed to multiple servers, you need to keep track of the servers on which it is deployed and check that each of them is using the latest version. Key Manager Plus helps you ensure this.

  1. Navigate to SSL >> Certificates tab.
  2. Click the Certificate History icon ( cert-history-icon ) corresponding to the required certificate.
  3. A window opens listing the various versions of the certificate. Ensure that the latest version is set as the main certificate. If not, click the icon beside the required version to set it as the main certificate in the Key Manager Plus repository.
  4. Navigate again to the SSL >> Certificates tab and click the multiple servers icon ( multiple-server ) corresponding to the required certificate.
  5. A window opens listing the servers on which the certificate is deployed, along with the IP address, port, and certificate validity.
  6. If any of the listed servers has an older or expired version of the certificate, update it with the latest version immediately: select the server and click Deploy. See the certificate deployment procedure for the detailed steps.


Also, you can edit details pertaining to a particular certificate or delete irrelevant certificates by selecting the certificate and clicking the More dropdown.

 

2. Create Self-signed Certificates

Key Manager Plus allows administrators to create their own self-signed certificates using Java keytool. These certificates are automatically imported into the Key Manager Plus repository on successful creation.

To create a self-signed certificate using Key Manager Plus:

  1. Navigate to the SSL >> Certificate tab in the GUI.
  2. Click the Create button.
  3. Enter the details of the organization and certificate validity, and select the key algorithm and length, signature algorithm, and enter a keystore password in the Create certificate tab.
  4. Choose the Validity Type as Days and specify the number of days for which the certificate will be valid.
  5. To create an ephemeral certificate with limited validity period, choose the Validity Type as Hours or Minutes and provide the validity period. The certificate will expire after the specified time (this option is applicable from build 5850 onwards).
  6. Click the Create button. You will be redirected to the certificate window where the certificate content is displayed.
  7. You can copy the certificate content, or export the certificate to required email or system.
    1. Email – Select this check box to send the certificate file via email to the specified mail id.
    2. Export – Select this check box to export the file to your system.
  8. Both the options take effect once you click the Save button.
  9. You can designate the certificate to be generated as a root certificate by enabling the Generate root certificate check box.
  10. Click the Save button to save the certificate in the Key Manager Plus repository, and export the certificate file, if opted in earlier step.

 

3. Generate CSRs

To generate a CSR using Java keytool from Key Manager Plus:

Besides generating CSRs from Key Manager Plus, you can also upload CSRs generated from outside the application and track their statuses from Key Manager Plus using the Import option in the top menu.


4. Certificate Signing

Key Manager Plus provides the option to sign and issue certificates to all clients in your network either from your Microsoft Certificate Authority or using a custom root CA certificate that is trusted within your environment.

4.1 Microsoft CA certificate signing

To request and acquire certificates from your local CA through Key Manager Plus, first generate a certificate signing request and then get it signed by the local certificate authority, as described below.

  1. Navigate to SSL >> CSR  tab. Click Create.
  2. In the Create CSR window that opens, fill in the domain details and organization details, choose the key algorithm, key size, signature algorithm, and keystore type, and specify the validity (days) and keystore password. Click Create. If you want to generate a CSR from an already existing key, choose the 'Create CSR from keystore' option, specify the key location and password, and click Create.
  3. The CSR is generated and you can view it from SSL >> CSR tab.

You can get the CSR signed from Microsoft Certificate Authority from Key Manager Plus.

  1. Navigate to SSL >> CSR tab, select the required CSR and click Sign from the top menu. 
  2. In the pop-up that opens, provide the name of the server that runs the internal certificate authority, CA name and choose the certificate template based on your requirement. Click Sign Certificate.
  3. The CSR is signed and the issued certificate can be viewed from SSL >> Certificates tab.

Certificates issued by Local CA can be renewed automatically from Key Manager Plus. To enable auto-renewal of Local CA certificates,

  1. Navigate to Settings >> SSL >> Microsoft CA Auto Renewal.
  2. Enable the MS CA auto renewal task and specify the recurrence interval. Certificates that have already expired, and certificates due to expire in 10 days or less, are automatically renewed and updated in the certificate repository.


Note :

  1. Start Key Manager Plus under your domain administrator account to begin managing certificates from the Microsoft Certificate Store and those issued by your local CA. If you use a domain service account to run Key Manager Plus, add it to the local Administrators group beforehand.
  2. During MS Certificate Store discovery, the Get Stores option lists all stores available on the local host if the Server Name field is left empty.
  3. For MS CA auto-renewal to take effect, the certificate(s) need to be of type Microsoft CA. For manually added certificates, change the certificate type to Microsoft CA using the Edit option in the More top menu.

4.2 Sign Certificates with Custom Root CA

Signing with a custom root CA involves three steps:

  1. Create a custom root CA
  2. Sign certificates with the custom root CA
  3. Deploy the signed certificates to target systems

4.2.1 Create a Custom Root CA

To sign locally generated certificate requests with the root CA certificate, you have to initially create a custom root CA.

  1. Navigate to SSL >> Certificates tab.
  2. Select a certificate and click Mark as Root from the More top menu.
  3. The chosen certificate is designated as a root CA certificate and listed under the Root Certificate tab. You can then use it to sign locally generated certificate requests. Every certificate it signs will be trusted wherever this root is trusted, so keep the root's private key under the same protection as any other CA key.

Note :

You can also generate new root CA certificates from Key Manager Plus by enabling Generate root certificate check-box while creating a certificate from SSL >> Certificates >> Create option.

4.2.2 Sign Certificates with the Custom Root CA

To sign certificates with the custom root CA, generate a certificate signing request (CSR) and then sign it using the root certificate.

  1. Navigate to SSL >> CSR tab.
  2. Click Create.
  3. In the window that opens, enter all the required details and click Create.
  4. The CSR is created and is listed under the CSR tab.
  5. Select the CSR and click Sign from the top menu.
  6. Select the Sign Type as Sign with Root, select the root certificate and specify the validity in days. Click Sign.
  7. The certificate is signed based on the selected root certificate and is listed under SSL >> Certificates tab.

Also, you can use the root CA certificate to simultaneously generate and sign certificates to user groups in bulk directly from Key Manager Plus.

  1. Navigate to SSL and click Root Certificate in the top right corner of the window.
  2. Select the required root CA certificate and click Sign. In the pop-up that opens, choose the sign type and the users / user groups for which certificates have to be created and deployed, and specify the SAN and validity (in days).
  3. The sign type User Management generates and signs certificates for user accounts in Key Manager Plus.
  4. The sign type Active Directory Users generates and signs certificates for user accounts mapped to the Active Directory in your network environment.
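Sections 2 and 4.2 describe a flow that can also be carried out directly with Java keytool, the tool the page says Key Manager Plus uses. The script below is an added example, not the product's own code: it generates a self-signed root CA (the Generate root certificate case in section 2), creates a server key pair and CSR, signs the CSR with the root (the Sign with Root case, validity in days), and installs the resulting chain into the server keystore. The names, the demo password, the PKCS12 keystores and the working directory are assumptions; the signer sets the extensions on the issued certificate explicitly rather than copying them from the request.

```sh
#!/bin/sh
# Root CA -> CSR -> signing -> chain install with Java keytool.
# All functions take the working directory as $1. Demo password is an assumption.
PASS="${KMP_DEMO_PASS:-changeit}"

# Step 1: a self-signed root CA. RSA-4096 / SHA-384, CA constraint marked
# critical with pathlen 0, key usage limited to signing certificates and CRLs.
make_root_ca() {
    keytool -genkeypair -keystore "$1/root.p12" -storetype PKCS12 \
        -storepass "$PASS" -keypass "$PASS" \
        -alias rootca -keyalg RSA -keysize 4096 -sigalg SHA384withRSA -validity 3650 \
        -dname "CN=Example Internal Root CA, O=Example Corp, C=US" \
        -ext BasicConstraints:critical=ca:true,pathlen:0 \
        -ext KeyUsage:critical=keyCertSign,cRLSign
    keytool -exportcert -keystore "$1/root.p12" -storepass "$PASS" -alias rootca \
        -rfc -file "$1/root.crt"
}

# Step 2: server key pair and CSR (RSA-2048 / SHA-256, SAN carried in the request).
make_csr() {
    keytool -genkeypair -keystore "$1/server.p12" -storetype PKCS12 \
        -storepass "$PASS" -keypass "$PASS" \
        -alias server -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
        -dname "CN=app.example.internal, O=Example Corp, C=US"
    keytool -certreq -keystore "$1/server.p12" -storepass "$PASS" -alias server \
        -ext SAN=dns:app.example.internal -file "$1/server.csr"
}

# Step 3: sign the CSR with the root for $2 days (default 365). The signer,
# not the requester, decides SAN, key usage and extended key usage.
sign_with_root() {
    keytool -gencert -keystore "$1/root.p12" -storepass "$PASS" -alias rootca \
        -infile "$1/server.csr" -outfile "$1/server.crt" -rfc \
        -validity "${2:-365}" -sigalg SHA256withRSA \
        -ext SAN=dns:app.example.internal \
        -ext KeyUsage:critical=digitalSignature,keyEncipherment \
        -ext ExtendedKeyUsage=serverAuth
}

# Step 4: install the chain. Trust the root first so keytool can validate the
# reply; an unverifiable reply is refused rather than stored.
install_chain() {
    keytool -importcert -keystore "$1/server.p12" -storepass "$PASS" -alias rootca \
        -file "$1/root.crt" -noprompt
    keytool -importcert -keystore "$1/server.p12" -storepass "$PASS" -alias server \
        -file "$1/server.crt" -noprompt
}

# Checks: issuer and signature algorithm of the issued certificate, and the
# chain length of the installed server entry (2 = leaf + root).
issued_cert_summary() {
    keytool -printcert -file "$1/server.crt" | grep -E '^(Issuer|Signature algorithm name):'
}
chain_length() {
    keytool -list -v -keystore "$1/server.p12" -storepass "$PASS" -alias server \
        | sed -n 's/^Certificate chain length: //p'
}

if command -v keytool >/dev/null 2>&1; then
    WORK=$(mktemp -d)
    make_root_ca "$WORK" && make_csr "$WORK" && sign_with_root "$WORK" 365 && install_chain "$WORK"
    issued_cert_summary "$WORK"
    chain_length "$WORK"
fi
```

Two choices here matter for safety: the root is restricted to `keyCertSign,cRLSign` with `pathlen:0`, so a leaked leaf key cannot be used to mint further certificates, and the leaf gets only `serverAuth`, so it cannot double as a client or code-signing credential. Exporting the issued certificate without its key (`-exportcert -rfc`) is what you deploy; the PKCS12 files stay with the signer and the server respectively.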

4.2.3 Deploy the Signed Certificate to Target Systems

5. Import Certificates

To import the certificates in your network:

6. Delete Certificates

7. Certificate Requests

7.1 Add Certificate Request

To add requests for new certificates or addition of sub-domains to existing certificates, in Key Manager Plus:

7.2 Certificate Request Status

7.3 Close Certificate Request

8. Control Expiry Notification Schedule

9. Track Domain Expiration through WHOIS Lookup

10. SSL Certificate Group

10.1 Create Certificate Groups

10.2 Edit Certificate Groups

10.3 Delete Certificate Groups