Manage SSL Certificates

Overview

SSL certificates can be created, discovered, and stored in the centralized repository of Password Manager Pro, and requests can be raised for new certificates or for domain addition to an existing certificate. Moreover, you are notified when a certificate is about to expire, to help you with its timely renewal.

Use Password Manager Pro to:

  1. Create, discover, or import self-signed or CA issued certificates in the network.
  2. Generate Certificate Signing Request (CSR).
  3. Raise requests for new certificates or for adding a sub-domain to an existing certificate.
  4. Receive notifications when certificates are about to expire.

Self-signed certificates and CSRs can be generated using RSA / DSA / EC key algorithms and SHA signature algorithm as per the details below:

RSA – 1024, 2048, or 4096 bit keys; & SHA-2 (256, 384, or 512 bit) signature

DSA – 512, or 1024 bit keys; & SHA-1 (160 bit) signature

EC – 128, or 256 bit keys; & SHA-2 (256, 384, or 512 bit) signature

1. Discover certificates in your network

You can automatically discover all the certificates available in your network using Password Manager Pro, irrespective of the CA. You can discover the certificates at any time as needed, or periodically through scheduled tasks. The discovery options are flexible: you can discover certificates from a single server or from multiple servers, and across multiple ports, in one go.

Discover SSL Certificates On Demand

To discover the certificates manually:

  • Go to Certificates >> Discovery.
  • Click the SSL tab.
  • Select an option for the type of discovery.
    1. Hostname/IP address – Enter the name or IP address of the server from which the SSL certificates are to be discovered.
    2. IP address range – Specify an IP range and discover all the SSL certificates available in the servers falling under the range.
    3. From file – If you have a list of the servers in which certificates are available in your network saved as a text file, it can be loaded directly and all these certificates can be discovered.

Note : The file to be imported must be a text file that lists the hostname or IP address of each server on a separate line. On the same line, after the host, enter the ports to scan on that server, separated by spaces, as illustrated below:

0.0.0.0 6565
test-username-10 443
192.168.20.20 7272

If you do not specify any port, SSL certificates using the default port 443 will be discovered.

  • Specify values for the Time out and the Port options.
    1. Time out: The number of seconds the application waits for each server while trying to discover its certificates. The default value is 5 seconds.
    2. Port: It refers to the port on the end terminal used for SSH communication. Port 443 is used by default for SSL certificates.
  • Note : You can specify multiple ports for the discovery of SSL certificates in a single discovery instance, separated by commas.

Click the Discover button. You are redirected to the Discovery Status page, where the status of the current discovery instance is updated.
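As an added example (not Password Manager Pro's own code), the following Python script reads a discovery file in the format of the note above, fetches each listed server's certificate and reports the days left before expiry, the same window the expiry notification uses. The host/port format, the minimal DER walker and the `__main__` hosts are this example's assumptions, and the certificate it builds for offline use is a constructed stub, not a real certificate.

```python
"""Discovery-file scanner: read a host/port list, fetch each server's
certificate and report how many days remain before expiry (stdlib only)."""
import socket
import ssl
from datetime import datetime, timedelta, timezone

DEFAULT_PORT = 443  # page: a host with no port is scanned on 443

def parse_discovery_file(text):
    """Turn the 'From file' list into (host, port) pairs, one per port."""
    targets = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:            # tolerate blank lines
            continue
        host, *ports = parts
        for port in ports or [str(DEFAULT_PORT)]:
            targets.append((host, int(port)))
    return targets

# --- minimal DER walker: just enough to reach tbsCertificate.validity -------
def _tlv(buf, pos):
    """Return (tag, value_start, value_end) of the TLV at pos (1-byte tags)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:            # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf):
    """Yield (tag, value) for every TLV inside a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, start, end = _tlv(buf, pos)
        yield tag, buf[start:end]
        pos = end

def _asn1_time(tag, value):
    text = value.decode("ascii")
    if tag == 0x17:              # UTCTime YYMMDD...: RFC 5280 pivots 2-digit years at 50
        yy = int(text[:2])
        text = str(1900 + yy if yy >= 50 else 2000 + yy) + text[2:]
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def cert_validity(der):
    """Return (notBefore, notAfter) of a DER-encoded X.509 certificate."""
    _, start, end = _tlv(der, 0)                 # Certificate ::= SEQUENCE
    _, tbs = next(_children(der[start:end]))     # first child: tbsCertificate
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                     # optional [0] EXPLICIT version
        fields = fields[1:]
    validity = fields[3][1]                      # serial, sigAlg, issuer, validity
    return tuple(_asn1_time(t, v) for t, v in _children(validity))

def fetch_cert_der(host, port, timeout=5.0):
    """Fetch the leaf cert; verification is off so self-signed/internal-CA certs are seen too."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # we only read the certificate, nothing is trusted
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def days_until_expiry(not_after, now=None):
    return (not_after - (now or datetime.now(timezone.utc))) / timedelta(days=1)

def expiring_within(not_after, days, now=None):
    """Same test as the 'expiring within N days' notification setting."""
    return days_until_expiry(not_after, now) <= days

# --- constructed sample: NOT a real certificate (no signature, empty names) --
def _der(tag, payload):
    assert len(payload) < 0x80   # sample payloads are short; short-form length only
    return bytes([tag, len(payload)]) + payload

def sample_cert_der(not_before="240101000000Z", not_after="250101000000Z"):
    """Just enough DER structure to exercise cert_validity() offline."""
    tbs = (_der(0xA0, _der(0x02, b"\x02"))                # version v3
           + _der(0x02, b"\x01")                          # serialNumber
           + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
           + _der(0x30, b"")                              # issuer (empty Name)
           + _der(0x30, _der(0x17, not_before.encode()) + _der(0x17, not_after.encode())))
    return _der(0x30, _der(0x30, tbs))

if __name__ == "__main__":
    # hosts below are assumed; the page's own example entry is reused for the first one
    for host, port in parse_discovery_file("192.168.20.20 7272\nlocalhost\n"):
        try:
            _, na = cert_validity(fetch_cert_der(host, port))
            print(f"{host}:{port} expires {na:%Y-%m-%d}; within 30d: {expiring_within(na, 30)}")
        except OSError as exc:
            print(f"{host}:{port} discovery failed: {exc}")
```

Unreachable hosts and blocked ports surface as OSError and are reported rather than aborting the scan, which is the behaviour you want from a scheduled discovery.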

Discover SSL Certificates Automatically Through Schedules

SSL Certificate discovery can also be scheduled to occur at periodic intervals.

  • Navigate to Admin >> SSH/SSL >> Schedule
  • Click the Add Schedule button.
  • In the Add Schedule window, enter a name for the schedule and select the type of schedule as SSL Discovery.
  • Specify the start and end IP addresses and the port on the end terminal to check for SSL certificates.
  • Select the recurrence type – hourly, daily, weekly, monthly, or once only. Set the starting time, date, or day corresponding to the option chosen.
  • Enter the email addresses of the users to be notified. The email settings can be configured from the Settings → Mail Server Settings tab.
  • Click the Save button.

You will get a message confirming addition of a new schedule.

Discover certificates mapped to user accounts in Active Directory

Password Manager Pro helps you discover and manage the certificates mapped to user accounts in Active Directory.

To perform AD user certificate discovery,

  • Navigate to Certificates >> Discovery >> Active Directory
  • Select the required Domain Name (the domain that forms part of the AD) from the drop-down.
  • Specify the DNS name of the domain controller. This domain controller will be the primary domain controller.
  • If the primary domain controller is down, secondary domain controllers can be used. If you have secondary domain controllers, specify their DNS names in comma-separated form; one of the available secondary domain controllers will be used. When you use SSL mode, make sure the DNS name specified here matches the CN (common name) in the SSL certificate of the domain controller.
  • Enter valid credentials (user name and password) of a user account within the particular domain. Then enter the users / user groups / OUs in which you want to perform the certificate discovery and click Import. To perform certificate discovery for groups/OUs as a whole, choose the Groups/OU tree import type and select the required groups from the drop-down list.
  • Password Manager Pro also provides an option to import AD users while performing the certificate discovery. Enable the check box Import AD users to import those AD user accounts into Password Manager Pro for which the certificate discovery is done.
  • The discovered certificates automatically get added to the certificate repository of Password Manager Pro.

Manage certificates from MS certificate store and Local CA

Password Manager Pro helps you request, acquire, discover, consolidate, track and manage certificates from the MS Certificate Store and those issued by a local certificate authority. Before importing / acquiring certificates from the MS Certificate Store and Local CA, ensure that you use your domain administrator account as Password Manager Pro's service logon account.

  • Navigate to Certificates >> Discovery >> MS Certificate Store
  • To discover and import only certificates issued by the Microsoft CA, select the Local Certificate Authority option from the drop-down. You can choose to exclude expired / revoked certificates by de-selecting the check-boxes below.
  • To discover all the certificates from the MS certificate store, choose the Certificate Store type from the drop-down menu.
  • Specify the other details such as the name of the Windows domain controller machine and domain admin credentials.
  • Specify the certificate store name from which the certificates are to be discovered and imported.
    Use the following format when specifying the certificate store name: \\server_name\store_name
    e.g., server_name\Root (to discover certificates from trusted root certification authorities)
    server_name\My (to discover personal certificates)
  • Alternatively, click Get Stores to fetch the list of stores available on the Windows domain controller and choose the certificate store that you want to discover.
  • Click Discover.
  • You can view the discovered certificates in Certificates tab.

Note: During Windows Certificate Store discovery, if the target server name is not specified, choosing the Get Stores option will list all the certificate stores available on the local host.


To request and acquire certificates stored in Local CA from Password Manager Pro, you have to initially generate a certificate signing request, then get it signed from the local certificate authority using the steps mentioned below.

  • Navigate to Certificates >> Create CSR and click Create.
  • In the Create CSR window that opens, fill in the domain details and organization details, choose the key algorithm, key size, signature algorithm and keystore type, and specify the validity (in days) and keystore password. Click Create.
  • If you want to generate a CSR from an already existing key, choose 'Create CSR From Private Key' option and specify the key location, password and click Create. 
  • The CSR will be generated and you can view it from Certificates >> Create CSR tab.

You can also get the CSR signed from Microsoft Certificate Authority directly from Password Manager Pro itself.

  • Navigate to Certificates >> Create CSR tab, select the required CSR and click Sign from the options available above the CSR table view.  
  • In the dialog box that opens, provide the name of the server that runs the internal certificate authority, CA name and choose the certificate template based on your requirement. Click Sign.
  • The CSR is signed and the issued certificate can be viewed from Certificates tab.

Additionally, certificates issued by Local CA can be renewed automatically from Password Manager Pro. To enable auto-renewal of Local CA certificates,

  • Navigate to Admin >> SSH/SSL >> Microsoft CA Auto Renewal.
  • Enable MS CA auto renewal task and specify the time interval. The certificates are renewed and updated accordingly.
  • Note:

    • For auto-renewal to take effect, the certificate(s) should be of the type Microsoft CA. This is assigned by default for those certificates that are imported / acquired using Password Manager Pro. But for manual additions, you have to manually change the certificate type to Microsoft CA from Certificates >> Select required certificate(s) >> Edit, for the auto-renewal to take effect.
    • Before generating and signing your CSR, ensure that you use your domain administrator account as Password Manager Pro's service logon account.

The centralized certificate repository

All the discovered SSL certificates, those that are discovered manually as well as those discovered through scheduled discovery operations are automatically added to the centralized repository of Password Manager Pro. You can view these certificates from the Certificates → Certificates tab in the user interface.

Export private key / keystore file

Password Manager Pro allows you to identify and export the private keys / keystore files of SSL certificates stored in the certificate repository, provided you manage their private keys / keystore files using Password Manager Pro. The Keystore icon is enabled beside each certificate whose private key is managed using Password Manager Pro. To export the private key / keystore file,

  • Navigate to Certificates → Certificates.
  • Click the Keystore icon beside the certificate for which you need to export the private key.
  • From the dropdown, choose Keystore / PFX or Private key as per your requirement.
  • The keystore file / private key of the corresponding certificate is downloaded.

Track and manage various certificate versions

Sometimes, there occurs a situation where you have to use different certificates on different end-servers for the same domain. Under such circumstances, it is necessary for you to track the usage and expiry of all these certificates individually even though they represent a common domain. Monitoring various such certificate versions manually is daunting and error-prone. Password Manager Pro helps you simultaneously track and manage the usage and expiry of various certificate versions from a single window.

To track certificate versions,

  • Navigate to Certificates tab.
  • Click the certificate history icon at the right corner of the table view, corresponding to the required certificate.
  • In the certificate history window that opens, choose the certificate version you wish to manage and click the certificate settings icon. Click Manage Certificate.
  • The particular certificate version is set for managing, and Password Manager Pro starts tracking the usage and expiry individually for that version.
  • Repeat the same procedure for all the certificate versions that you wish to manage.

Update servers with latest certificate versions

In the case of wildcard certificates, or a single SSL certificate deployed to multiple servers, it is necessary to keep track of the servers on which the certificate is deployed and to check that the latest certificate version is in use. Password Manager Pro helps you ensure this.

  • Navigate to the Certificates → Certificates tab.
  • Click the Certificate History icon corresponding to the required certificate.
  • A window opens listing the various versions of the certificate. Ensure that the latest version of the certificate is set as the main certificate. If not, click the icon beside the required version to set that version of the certificate as the main certificate in the Password Manager Pro repository.
  • Then navigate to the Certificates → Certificates tab again and click the multiple servers icon corresponding to the required certificate.
  • A window opens listing the servers in which the certificate is deployed along with other information such as IP address, port and certificate validity.
  • If any of the servers listed has an older / expired version of the certificate, update it with the latest version immediately. Select the server and then click Deploy. Refer to the detailed deployment procedure here.

Also, you can edit details pertaining to a particular certificate or delete irrelevant certificates by selecting the certificate and clicking the More dropdown.

2. Create Self-signed certificates

Password Manager Pro allows administrators to create their own self-signed certificates using Java keytool. These certificates are automatically imported into the Password Manager Pro repository on successful creation.

To create a self-signed certificate using Password Manager Pro:

  • Navigate to the Certificates → Certificate tab in the GUI.
  • Click the Create button.
  • Enter the details of the organization and certificate validity, and select the key algorithm and length, signature algorithm, and enter a keystore password in the Create certificate tab.
  • Click the Create button. You will be redirected to the certificate window where the certificate content is displayed.
  • You can copy the certificate content, or export the certificate to required email or system.
    1. Email – Select this check box to send the certificate file via email to the specified mail id.
    2. Export – Select this check box to export the file to your system.
  • Both the options take effect once you click the Save button.
  • You can designate the certificate to be generated as a root certificate by enabling the Generate root certificate check-box.
  • Click the Save button to save the certificate in the Password Manager Pro repository, and export the certificate file, if opted in earlier step.

3. Generate CSRs

To generate a CSR using Java keytool from Password Manager Pro:

  • Navigate to the Certificates → Create CSR tab.
  • Click the Create button.
  • To create a new CSR, select the Create CSR button. To create a CSR from an already existing private key, select Create CSR from Private Key button.
  • For new CSR creation, enter the details of the organization and certificate validity, and select the key algorithm and length, signature algorithm, and enter a keystore password in the Create CSR window.
  • Click the Create button. You will be redirected to a window where the CSR content is displayed.
  • For CSR creation from already existing private key, browse and attach the required private key file along with the keystore password and click Create.
  • The CSR is created. You can then copy the CSR content, or export the CSR to required email or system.
    1. Email – Select this option to send the certificate file via email to the specified mail id.
    2. Export CSR / Private Key - You can choose to export the CSR or the corresponding private key alone based on your requirement.
  • You can view the saved CSR from Certificates → Create CSR tab.
  • The 'show passphrase' icon corresponding to every CSR allows administrators to view the keystore password of the respective CSR file.

4. Certificate Signing

Password Manager Pro provides the option to sign and issue certificates to all clients in your network either from your Microsoft Certificate Authority or using a custom root CA certificate that is trusted within your environment.

Microsoft CA certificate signing

To request and acquire certificates from Local CA from Password Manager Pro, you have to initially generate a certificate signing request, then get it signed from the local certificate authority using the steps mentioned below.

  • Navigate to Certificates → Create CSR tab. Click Create.
  • In the Create CSR window that opens, fill in the domain details, organization details, choose the key algorithm, key size, signature algorithm, keystore type and specify the validity (days) and keystore password. Click Create. If you want to generate a CSR from an already existing key, choose 'Create CSR from keystore' option and specify the key location, password and click Create.
  • The CSR is generated and you can view it from Certificates → Create CSR tab.

You can get the CSR signed from Microsoft Certificate Authority from Password Manager Pro.

  • Navigate to Certificates → Create CSR tab, select the required CSR and click Sign from the top menu. 
  • In the pop-up that opens, provide the name of the server that runs the internal certificate authority, CA name and choose the certificate template based on your requirement. Click Sign Certificate.
  • The CSR is signed and the issued certificate can be viewed from Certificates → Certificates tab.

Certificates issued by Local CA can be renewed automatically from Password Manager Pro. To enable auto-renewal of Local CA certificates,

  • Navigate to Admin tab → SSH/SSL → Microsoft CA Auto Renewal
  • Enable MS CA auto renewal task and specify the time interval. The certificates are renewed and updated accordingly.

Note : 

  • Start Password Manager Pro using your domain administrator account to begin management of certificates from Microsoft Certificate Store and those issued by your Local CA. If you use a domain service account to run Password Manager Pro, make sure that you have configured it in your local admin group beforehand.
  • During MS Certificate Store discovery, Get Stores option will list all stores available in the local host if the Server Name field is left empty.
  • For MS CA auto-renewal to take effect, the certificate(s) need to be of type Microsoft CA. For manually added certificates, the certificate type needs to be changed to Microsoft CA using Edit option from More top menu.

Sign certificates with custom root CA

Signing and issuing certificates with a custom root CA certificate that is trusted within your environment involves three steps:

  • Create a custom root CA
  • Sign certificates with the custom root CA
  • Deploy the signed certificates to target systems

1. Create a custom root CA

To sign locally generated certificate requests with the root CA certificate, you have to initially create a custom root CA.

  • Navigate to Certificates → Certificates tab.
  • Select a certificate and click Mark as Root from the More top menu.
  • The chosen certificate is designated as a root CA certificate and is listed under the Root Certificate tab. You can then use this certificate to sign locally generated certificate requests.

Note :  You can also generate new root CA certificates from Password Manager Pro by enabling Generate root certificate check-box while creating a certificate from Certificates → Certificates → Create option.

2. Sign certificates with the custom root CA

To sign certificates with the custom root CA, generate a certificate signing request (CSR) and then sign it using the root certificate.

  • Navigate to Certificates → Create CSR tab.
  • Click Create.
  • In the window that opens, enter all the required details and click Create.
  • The CSR is created and is listed under the Create CSR tab.
  • Select the CSR and click Sign from the top menu.
  • Select the Sign Type as Sign with Root, select the root certificate and specify the validity in days. Click Sign.
  • The certificate is signed based on the selected root certificate and is listed under Certificates → Certificates tab.

Also, you can use the root CA certificate to simultaneously generate and sign certificates to user groups in bulk directly from Password Manager Pro.

  • Navigate to the Certificates tab and click Root Certificate in the top-right corner of the window.
  • Select the required root CA certificate and click Sign. In the pop-up that opens, choose the sign type, user / user groups to which certificates have to be created and deployed, mention the SAN and validity (in days).
  • The sign type User Management allows you to generate and sign certificates for user accounts in Password Manager Pro.
    • Select the user account for which you need to generate a certificate.
    • By default, the user certificates inherit the same parameters as that of the root certificate. You can change it by unselecting the Use root certificate details option.
    • After filling in the details, click Sign.
    • The certificate is signed and you can find it listed in Password Manager Pro's certificate repository.

The sign type Active Directory Users allows you to generate and sign certificates to user accounts mapped to the Active Directory within your network environment.

  • Select the Domain Name and provide the primary domain controller address, username and password.
  • Choose import type Single and specify the user groups or use Groups/OU tree import type to choose the users or user groups for which certificates need to be created.
  • After selecting the users, enter the certificate validity in days. By default, the user certificates inherit the same parameters as that of the root certificate. You can change it by unselecting the Use root certificate details option.
  • After filling in the details click Sign.
  • This generates certificates for the selected users, which are listed in Password Manager Pro's certificate repository.

3. Deploy the signed certificate to target systems

After signing the certificate requests and obtaining the certificate, you have to deploy them to the necessary end-servers. Refer to this section of help for step-by-step explanation on certificate deployment.

Note :  When signing certificates with custom root CA for web-applications, make sure all the browsers in your network are configured to trust the root CA certificate in order to avoid security error messages.

5. Import Certificates

To import the certificates in your network:

  • Navigate to the Certificates → Certificates tab in the GUI.
  • Click the Add button.
  • Click the appropriate radio button in the Add certificate window.
    1. File Based – Browse and import the required certificate file directly from your system.
    2. Certificate content based – Copy the content of the required certificate file and paste it in the text box.
    3. KeyStore based – Import all individual certificates available in a keystore simultaneously. Upload the required Keystore file and enter its corresponding password (if any).
  • Click the Add button.

6. Delete certificates

You can delete the certificates that are currently not in use. To delete a certificate from Password Manager Pro repository:

  • Navigate to the Certificates → Certificate tab.
  • Select the certificates.
  • Click Delete from the 'More' button.

7. Certificate Requests

The certificate request workflow is as follows:

  • Add certificate request
  • Close certificate request

Add Certificate Request

To add requests for new certificates or addition of sub-domains to existing certificates, in Password Manager Pro:

  • Navigate to the Certificates → Certificate request tab in the GUI.
  • Click the Add Request button.
  • Select the type of request – New Certificate or domain addition.
    1. New Certificate – Attach a CSR to your request (optional) and enter a domain name for the new certificate.
    2. Add domain – Enter the name of the new domain and select a parent domain from the certificates added to the Password Manager Pro repository.
  • Enter the mail addresses to which you would like to send the request and specify the certificate validity period. These mail addresses can be that of an administrator, an intermediary who handles certificate requests, or even your help desk software to raise the certificate request as a ticket.
  • Click Additional fields to add additional information such as device name and IP address.
  • Click the Add Request button to add it to the list of requests in the Certificate Request tab and to send it to the specified email addresses.

Certificate request status

A certificate request is in either of the following statuses.

  • Open
  • Closed

When a certificate request is raised, it is automatically placed in the Open state. The request details can be viewed from the Certificates → Certificate request tab by clicking the domain name of the request.

Close Certificate Request

To terminate the certificate request life-cycle:

  • Navigate to the Certificates → Certificate request tab in the GUI.
  • Click the Open status link in the right corner of the table against the required open request.
  • In the Close Request window, add an optional annotation, attach the issued certificate (optional), specify the e-mail ids of the users to whom the certificate is to be sent and click the Save & Close button. The request is then automatically moved to the Closed state.
  • If an SSL certificate is attached while closing the request, the certificate is automatically imported into the Password Manager Pro repository.
  • The issued certificate is also e-mailed to the user who raised the request, the user who closed it, and the e-mail ids specified at the time of closing.

8. Control expiry notification schedule

You can customize the periodicity of notifications you receive when a certificate is about to expire. To customize the notifications:

  • Navigate to the Admin >> SSH/SSL >> Notifications tab in the GUI.
  • Select the Notify if SSL certificates are expiring within checkbox and the number of days before the expiry of certificate within which you should start receiving notifications.
  • Select the Email or Syslog checkbox and enter appropriate details.
  • Click the Save button.

Note: You will receive notifications every day after the selected date before the expiry of a certificate. For instance, if a certificate is about to expire in the last week of a month, and you select the Notify if SSL certificates are expiring within 7 days option, then, you will receive a notification that your certificate is about to expire every day of the week before the expiry of the certificate.


9. Track Domain Expiration through WHOIS Lookup

Apart from tracking certificate expiration, Password Manager Pro also helps administrators keep tabs on their expiring domain names through an automated WHOIS lookup. The domain expiration details fetched through the lookup are displayed in the Certificates → Certificates tab against the corresponding SSL certificate. Administrators can also choose to receive timely email notifications about expiring domains by configuring this in the Admin → SSH/SSL → Notification tab.

How does the WHOIS lookup work?

Fetching domain expiration details requires a two-stage lookup to WHOIS servers from Password Manager Pro. The first lookup returns the WHOIS server with which the domain was registered by its registrar. The second lookup, to that server, returns information about the domain such as owner details and expiration date. All these operations are automated from Password Manager Pro's interface.

Note :  Connection to WHOIS servers requires the use of Port 43. Ensure that port 43 is open in your environment, else the connection would fail and Domain Expiration will be marked Not Available (NA) in the Certificates tab.
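The two-stage lookup described above, as an added Python example that is not Password Manager Pro's code: whois.iana.org, port 43 and the `refer:` label are real WHOIS conventions; the list of expiry labels is an assumption, and the two sample responses are constructed to mirror the shape of real output.

```python
"""Two-stage WHOIS lookup over port 43 (RFC 3912): IANA names the TLD registry's
WHOIS server, then that registry reports the domain's expiry date."""
import re
import socket
from datetime import datetime, timezone

IANA_WHOIS = "whois.iana.org"   # stage 1: root server that refers to the TLD registry
WHOIS_PORT = 43                 # page: port 43 must be open or the result is NA

def whois_query(server, query, timeout=10.0):
    """Raw WHOIS: send the query plus CRLF, read until the server closes."""
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")

def parse_referral(iana_response):
    """Stage 1: IANA's 'refer:' (or 'whois:') line names the registry's WHOIS server."""
    m = re.search(r"^(?:refer|whois):\s*(\S+)", iana_response, re.M | re.I)
    return m.group(1).lower() if m else None

# Registries label the expiry differently; first matching label wins (assumed list).
EXPIRY_LABELS = ("Registry Expiry Date", "Registrar Registration Expiration Date",
                 "Expiration Date", "Expiry date", "paid-till")

def _parse_timestamp(text):
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%d", "%d-%b-%Y"):
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None

def parse_expiry(registry_response):
    """Stage 2: pull the expiry date out of the registry record; None if absent."""
    for label in EXPIRY_LABELS:
        m = re.search(rf"^\s*{re.escape(label)}:\s*(\S+)", registry_response, re.M | re.I)
        if m:
            return _parse_timestamp(m.group(1))
    return None

def domain_expiry(domain):
    """Full lookup. None plays the role of the page's 'Not Available (NA)':
    port 43 blocked, no referral, or a record we cannot parse."""
    tld = domain.strip().lower().rstrip(".").rsplit(".", 1)[-1]
    try:
        registry = parse_referral(whois_query(IANA_WHOIS, tld))
        return parse_expiry(whois_query(registry, domain)) if registry else None
    except OSError:               # connection refused, timeout, DNS failure
        return None

# Constructed sample responses (shape of real output; values made up for the demo).
SAMPLE_IANA = """% IANA WHOIS server
domain:       COM
organisation: VeriSign Global Registry Services
refer:        whois.verisign-grs.com
status:       ACTIVE
"""
SAMPLE_REGISTRY = """   Domain Name: EXAMPLE.COM
   Registry Domain ID: PLACEHOLDER-FOR-DEMO
   Updated Date: 2024-08-14T07:01:31Z
   Creation Date: 1995-08-14T04:00:00Z
   Registry Expiry Date: 2025-08-13T04:00:00Z
"""

if __name__ == "__main__":
    print("stage 1 referral:", parse_referral(SAMPLE_IANA))
    print("stage 2 expiry:  ", parse_expiry(SAMPLE_REGISTRY))
    print("live lookup:     ", domain_expiry("example.com"))   # None if port 43 is blocked
```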

10. SSL certificate group

Password Manager Pro allows you to organize SSL certificates into various logical groups and execute actions in bulk on the groups.

Create certificate groups

To create a certificate group,

  • Click the Certificate Group icon in the top-right corner of the Certificates tab.
  • Click Add Group. You will be directed to the Add Certificate Group page. 
  • Provide a name for the certificate group and an optional description. Exercise caution while providing the name since it cannot be changed later.
  • You can choose certificates to be added to a group in either of the following ways:
    • By Specific Certificate - Select the certificates to be added to the group individually and click Save.
    • By Criteria - This serves as a dynamic method of grouping certificates. You will specify various criteria based on which the group will be created. Here, you can choose certificates based on various criteria such as issuer, common name, key algorithm, key size, key length etc., and filter the search in a fine-grained manner based on conditions such as "equals" or "does not equal", "contains" or "does not contain", "starts with" or "ends with". Click the Matching Certificates button at the bottom-right corner to see the corresponding certificates. Click Save. The certificate group is created.
  • Note: If you choose to group certificates based on criteria, the conditions will be applied to certificates discovered in the future and they will automatically be added to groups that match the criteria.


Edit certificate groups

To make changes to existing certificate groups,

  • Click the Certificate Group icon in the top-right corner of the Certificates tab.
  • Click the edit icon present in the right corner of the table view.
  • You can change the certificate selection type, edit the certificates present in a group or add, modify or delete the filters applied to a group.
  • Once you update the changes and save them, a pop up message will be displayed confirming the updates.
  • Note: The certificate group name cannot be modified. However, you can add or modify the list of certificates in a group or the description.

Delete certificate groups

To delete a certificate group,

  • Click the Certificate Group icon on the top-right corner of the Certificates tab.
  • Select the groups that you want to delete. Click Delete. 
  • A pop-up window will appear asking you to confirm the action. Click OK and the selected certificate groups will be deleted.

©2014, ZOHO Corp. All Rights Reserved.
