Top

End-to-End Lifecycle Management of Trusted CA Certificates

Key Manager Plus facilitates end-to-end life cycle management of certificates obtained from trusted certificate authorities (CAs) enabling users to acquire, consolidate, deploy, renew and track certificates issued by commercial CAs from a single interface. This functionality powered through a seamless API integration with The SSL Store™—the largest platinum partner of world's leading CAs—provides users the option to acquire and manage certificates from the following third-party CAs using Key Manager Plus: Sectigo (formerly Comodo CA), Symantec, Thawte, GeoTrust, and RapidSSL.

Before you proceed with the integration, complete the following step as a prerequisite:

Prerequisite

Add the following base URL and port as an exception in your firewall or proxy to ensure Key Manager Plus is able to connect to the SSL Store's CA Services.
URL: https://api.thesslstore.com/rest/ 
Port: 443

Follow the steps below to place certificate orders, acquire, consolidate, deploy and manage trusted third-party CA certificates from Key Manager Plus.

  1. Set API authentication credentials in Key Manager Plus
  2. Place a certificate order
  3. Domain Control Validation, Certificate Issue & Deployment
  4. Renew, Reissue & Delete

1. Set API authentication credentials in Key Manager Plus

The first step to request and manage third-party CA certificates from Key Manager plus is to sign up for an exclusive enterprise account at The SSL Store™ portal and configure the API credentials generated subsequently in Key Manager Plus' interface. To set up an Enterprise account with The SSL Store™,

2. Place a certificate order

Once you have configured your API authentication credentials, you can now leverage The SSL Store™'s API to generate certificate signing requests (CSRs), place orders, procure, and manage certificates from any of the following certificate authorities directly from Key Manager Plus: Sectigo, Symantec, Thawte, GeoTrust, and RapidSSL.

To generate a CSR and place a certificate order,

Note:

  • Key Manager Plus allows you to import the already existing certificate orders placed within your account from The SSL Store™ and track their statuses. Click Import Existing Orders from the More top menu to import the existing open orders into Key Manager Plus.
  • Also, you can preconfigure your organization details under Manage to refrain from providing it every time you place an OV / EV certificate order.

2-1. Configuring your DNS account

If you are opting for DNS based domain validation in the certificate order, you should configure the DNS account in Key Manager Plus and specify it in the 'DNS' field in the order for automating the challenge verification procedure. To configure your DNS account,

For Azure DNS,

For Cloudflare DNS

Note:

For DNS based domain validation type, if you are going to specify an already configured DNS account in the certificate order for domain control validation, make sure its status is marked Enabled under Manage → DNS.

For AWS Route 53 DNS,

To grant the required permissions,

RFC2136 DNS Update

If you are using open source DNS servers such as Bind, PowerDNS etc., that support RFC2136 DNS update, follow the steps below to automate DNS-based domain control validation procedure using Key Manager Plus. 

3. Domain Control Validation, Certificate Issue & Deployment

Once the certificate authority receives your order, you will have to go through a process called Domain control validation (DCV) and prove your ownership over the domain upon the completion of which you will receive the certificate. Key Manager Plus supports all the three DCV methods:

E-mail based domain control validation

Click here for more details on certificate deployment.

File / HTTP based domain control validation

This entire process of deploying the challenge file in the end-point server can be automated from Key Manager Plus. This can be achieved by configuring the server details in the Deploy tab under Manage. To automate domain control validation,

Installing Key Manager Plus agents for Windows server:

To install Key Manager Plus agent as a Windows service

  • Open the command prompt and navigate to the Key Manager Plus installation directory.
  • Execute the command 'AgentInstaller.exe start.'

To stop the agent and uninstall the Windows service

  • Open the command prompt and navigate to the Key Manager Plus installation directory.
  • Execute the command 'AgentInstaller.exe stop.'

DNS based domain control validation

Similar to the HTTP challenge, the entire challenge verification process can be automated from Key Manager Plus. This can be achieved by configuring the server details in the Deploy tab under Manage. To automate domain control validation,

Note:

  1. For DNS based domain control validation, if you had chosen a DNS account configured under Manage → DNS when placing the order, Key Manager Plus automates challenge verification using that account. Instead, if you have already configured the domain and server details under Manage → Deploy, the challenge verification, and subsequently the deployment of certificates is carried out for that specific domain and server alone.
  2. For RFC2136 DNS update, if you have opted Global DNS configuration, the domain name itself acts as the zone name (Global DNS configuration is possible only if you are using the same Key Secret for all zones). Whereas, if you have opted domain-agent mapping, you have to provide the Zone name, Key Name, and Key Secret for each domain separately.

 

4.Renew, Reissue & Delete

You can renew, request reissue or delete certificate orders placed to third-party certificate authorities from Key Manager Plus.

To renew a certificate,

To request for a certificate reissue,

Note: You can request a reissue only for those certificates requested from Key Manager Plus and not for the imported orders.

To delete a certificate request,

Note: When a certificate request is deleted, it is removed only from Key Manager Plus. You can find the order being open in The SSL Store™ website for your account and you can import it into Key Manager Plus if needed using The SSL Store™ → More → Import option.

Disclaimer: The procurement of public CA certificates from Key Manager Plus can be successfully completed only if the user has signed up for an exclusive enterprise account with The SSL Store™. Key Manager Plus imports certificates after issue using The SSL Store™'s API for providing better PKI management functionality. All personal information (including payment details) is collected and processed by The SSL Store™ and ManageEngine is not responsible for any payment related issues. Please contact The SSL Store™ technical support team if you are facing any difficulties with payment and procurement of certificates from public CAs affiliated with The SSL Store™ using Key Manager Plus.