Top

Manage SSL Certificates

 

SSL certificates can be created, discovered, and stored in the centralized repository of Key Manager Plus, and requests can be raised for new certificates or domain addition to an existing certificate. Moreover, you are notified when a certificate is about to expire to help you with their timely renewal.

Use Key Manager Plus to:

  1. Create, discover, or import self-signed or CA issued certificates in the network.
  2. Generate Certificate Signing Request (CSR).
  3. Add requests for new certificates or adding a sub domain to an existing certificate.
  4. Receive notifications when certificates are about to expire.

Self-signed certificates and CSRs can be generated using RSA / DSA / EC key algorithms and SHA signature algorithm as per the details below:

RSA – 1024, 2048, or 4096 bit keys; & SHA-2 (256, 384, or 512 bit) signature

DSA – 512, or 1024 bit keys; & SHA-1 (160 bit) signature

EC – 128, or 256 bit keys; & SHA-2 (256, 384, or 512 bit) signature

 

1.Discover certificates in your network

You can automatically discover all the certificates available in your network using Key Manager Plus, irrespective of the CA. You can discover the certificates anytime as needed or periodically based on scheduled tasks. The discovery options are quite flexible - you can discover certificates from a single server or multiple servers, and from multiple ports, at one go.

Discover SSL Certificates On Demand

To discover the certificates manually:

Note : The file to be imported must be a text file containing the hostname or IP addresses of individual servers, entered on separate lines. Enter the ports to scan on each server separated by a space, entered on separate lines as illustrated below:

0.0.0.0 6565
test-username-10 443
192.168.20.20 7272

If you do not specify any port, SSL certificates using the default port 443 will be discovered.

Click the Discover button.When you click the Discover button, you will be redirected to the Discovery Status page where the status of the current discovery instance is updated.

Discovery

Discover SSL Certificates Automatically Through Schedules

SSL Certificate discovery can also be scheduled to occur at periodic intervals.

You will get a message confirming addition of a new schedule.

The result of the schedule execution will get updated in the Schedule audit and the Discovery audit tabs.

Discover certificates mapped to user accounts in Active Directory

Key Manager Plus helps you discover and manage the certificates mapped to user accounts in Active Directory.

To perform AD user certificate discovery,

ad-user-cert

Manage certificates from MS certificate store and Local CA

Key Manager Plus helps you request, acquire, discover, consolidate, track and manage certificates from MS Certificate Store and those issued by Local certificate authority. Before importing / acquiring certificates from MS Certificate Store and Local CA, ensure that you use your domain administrator account as Key Manager Plus' service logon account.  

To import certificates from Microsoft Certificate Store and certificates issued by Local CA,

Note : During Windows Certificate Store discovery, if the target server name is not specified, choosing Get Stores option will list down all the certificate stores available in the local host.

ms-cert-store

To request and acquire certificates from Local CA from Key Manager Plus, you have to initially generate a certificate signing request, then get it signed from the local certificate authority using the steps mentioned below. 

You can get the CSR signed from Microsoft Certificate Authority from Key Manager Plus.

Certificates issued by Local CA can be renewed automatically from Key Manager Plus. To enable auto-renewal of Local CA certificates,

Note :

  1. For auto-renewal to take effect, the certificate(s) should be of type Microsoft CA. This is assigned by default for those certificates that are imported / acquired using Key Manager Plus. But for manual additions, you have to manually change the certificate type to Microsoft CA using the edit option under More top-menu, for the auto-renewal to take effect.
  2. Before generating and signing your CSR, ensure that you use your domain administrator account as Key Manager Plus' service logon account.

The centralized certificate repository

All the discovered SSL certificates, those that are discovered manually as well as those discovered through scheduled discovery operations are automatically added to the centralized repository of Key Manager Plus. You can view these certificates from the SSL → Certificates tab in the user interface.

ssl-certificate-repository

Export private key / keystore file

Key Manager Plus allows you to identify and export the private keys / keystore files of SSL certificates stored in the certificate repository, provided you're managing their private keys / keystore files using Key Manager Plus. You can see the Keystore icon ( keystore ) enabled beside the certificates for which the private keys are managed using Key Manager Plus. To export the private key / keystore file,

Track and manage various certificate versions

Sometimes, there occurs situations where you have to use different certificates on different end-servers for the same domain. Under such circumstances, it is necessary for you to track the usage and expiry of all these certificates individually even though they represent a common domain. Monitoring various such certificate versions manually is daunting and error-prone. Key Manager Plus helps you simultaneously track and manage the usage and expiry of various certificate versions from a single window.

To track certificate versions,

Track-and-manage

Update servers with latest certificate versions

In case of wildcard certificates or single SSL certificate deployed to multiple servers, it is necessary to keep track of servers in which the certificate is deployed and also check if the latest certificate version is in use. Key Manager Plus helps you ensure this.

multiple-servers

Also, you can edit details pertaining to a particular certificate or delete irrelevant certificates by selecting the certificate and clicking the More dropdown.

 

2.Create Self-signed certificates

Key Manager Plus allows administrators to create their own self-signed certificates using Java keytool. These certificates are automatically imported into the Key Manager Plus repository on successful creation.

To create a self-signed certificate using Key manager plus:

Self-signed cert

 

3.Generate CSRs

To generate a CSR using Java keytool from Key Manager Plus:

Generate CSR

 

4.Import Certificates

To import the certificates in your network:

 

5. Delete certificates

You can delete the certificates that are currently not in use. To delete a certificate from Key Manager Plus repository:

 

6. Certificate Requests

The certificate request workflow is as follows:

Add Certificate Request

To add requests for new certificates or addition of sub-domains to existing certificates, in Key Manager Plus:

Add request

Certificate request status

A certificate request is in either of the following statuses.

When a certificate request is raised, it is automatically elevated to the Open state. The request details can be viewed from the SSL → Certificate request tab, on clicking the domain name of the request.

Close Certificate Request

To terminate the certificate request life-cycle:

Close request

 

7. Control expiry notification schedule

You can customize the periodicity of notifications you receive when a certificate is about to expire. To customize the notifications:

Note : You will receive notifications every day after the selected date before the expiry of a certificate. For instance, if a certificate is about to expire in the last week of a month, and you select the Notify if SSL certificates are expiring within 7 days option, then, you will receive a notification that your certificate is about to expire every day of the week before the expiry of the certificate.

8. SSL certificate group

Key Manager Plus allows you to organize SSL certificates into various logical groups and execute actions in bulk on the groups.

Create certificate groups

To create a certificate group,

Note : If you choose to group certificates based on criteria, the conditions will be applied to certificates discovered in the future and they will automatically be added to groups that match the criteria.

SSL-certificate-group

Edit certificate groups

To make changes to existing certificate groups,

Note : The certificate group name cannot be modified. However, you can add or modify the list of certificates in a group or the description.

SSL-certificate-group

Delete certificate groups

To delete a certificate group,