Key Manager Plus Agent 

  1. Overview 
  2. Downloading the Agent
  3. Installing the Agent
  4. Managing the Agent 
  5. Discovering SSL Certificates using Agent
  6. Signing Certificate(s) using Agent
  7. Deploying Certificate(s) using Agent
  8. Deploying Certificate(s) in Multiple Servers using Agent
  9. Deleting Agent(s)

1. Overview

Key Manager Plus allows users to discover the SSL Certificates deployed across their network through agents. The agent used to perform certificate management operations on remote machines is dynamically created by the Key Manager Plus server.

2. Downloading the Agent

  1. Navigate to Discovery >> Agents >> Download Windows Agent. You can also download the agent from SSL >> Windows Agent >> Download Windows Agent. 
  2. From the pop up that opens, download the agent based on your server configuration. Also, copy and save the Install Key in a secure location.

3. Installing the Agent

Once you have downloaded the agent from Key Manager Plus' web interface, follow the instructions below to install it on the target servers. The downloaded package already contains the configuration needed to perform the required operations. Ensure that the account on the server where the agent is installed has sufficient privileges to perform certificate discovery.

Note: Starting from build 6680, it is no longer necessary to install agents on the CA server to manage SSL certificates. Instead, agents can be installed on any server as long as the server can connect to the required CA server.

To install Key Manager Plus agent as a Windows service,

  1. Move the zip file downloaded from Key Manager Plus server to the target server.
  2. Unzip its contents and place the file in an unshared folder.
  3. Then, open the command prompt, navigate to the agent installation directory and type the following command: AgentInstaller.exe install <Install Key> by supplying the Install Key stored in the secure location.
  4. The Install Key is revoked after being used for a single installation. If you want to perform another installation of the agent, you need to regenerate the Install Key from the Key Manager Plus server and supply it in the agent server.

To start the agent as a Windows service,

  1. Open the command prompt and navigate to the Key Manager Plus agent installation directory.
  2. Then execute the following command: AgentInstaller.exe start
  3. On successful installation, you can find the Key Manager Plus agent running as a service in the target server.
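
The install and start steps above, scripted in PowerShell as an added example (not part of the original documentation or of the product). The zip path and install folder are placeholders, and treating a non-zero exit code from AgentInstaller.exe as failure is an assumption. The script refuses to proceed if the folder is reachable through an SMB share and prompts for the Install Key instead of storing it in a file.

```powershell
# Added example. Placeholder values are marked; AgentInstaller.exe and its
# install/start arguments are the ones given in the steps above.
param(
    [string]$ZipPath    = 'C:\Temp\agent-package.zip',  # placeholder: downloaded agent zip
    [string]$InstallDir = 'C:\KMPAgent'                 # placeholder: local target folder
)
$ErrorActionPreference = 'Stop'

# Registering a Windows service needs an elevated prompt.
$me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}

# Step 2: unzip, then confirm the folder is not reachable through a user-created SMB share.
Expand-Archive -Path $ZipPath -DestinationPath $InstallDir -Force
$root = (Resolve-Path $InstallDir).Path.TrimEnd('\') + '\'
$shares = Get-SmbShare -Special $false | Where-Object {
    $_.Path -and $root.StartsWith($_.Path.TrimEnd('\') + '\', [StringComparison]::OrdinalIgnoreCase)
}
if ($shares) { throw "Folder is exposed by share(s): $($shares.Name -join ', ')" }

# Locate the installer wherever the package layout put it.
$exe = Get-ChildItem -Path $InstallDir -Recurse -Filter 'AgentInstaller.exe' | Select-Object -First 1
if (-not $exe) { throw 'AgentInstaller.exe not found in the unpacked package.' }

# Step 3: prompt for the single-use Install Key so it is not stored in a script
# file or in PSReadLine command history.
$secure = Read-Host -Prompt 'Install Key' -AsSecureString
$key = [System.Net.NetworkCredential]::new('', $secure).Password

Push-Location $exe.DirectoryName
try {
    & $exe.FullName install $key
    # Assumption: the installer signals failure with a non-zero exit code.
    if ($LASTEXITCODE -ne 0) { throw "install exited with code $LASTEXITCODE" }
    & $exe.FullName start
    if ($LASTEXITCODE -ne 0) { throw "start exited with code $LASTEXITCODE" }
}
finally {
    Pop-Location
    Remove-Variable key, secure -ErrorAction SilentlyContinue
}
```

The key is still visible on the installer's command line while that process runs; as step 4 states, it is revoked after a single installation.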

To stop the agent,

  1. Open the command prompt and navigate to the Key Manager Plus agent installation directory.
  2. Then execute the following command: AgentInstaller.exe stop

4. Managing the Agent

Key Manager Plus provides administrators insights about agent activity and allows management of agents installed on various target resources.

To manage Key Manager Plus agents,

  1. Navigate to SSL >> Windows Agent.
  2. In the window that opens, you will be able to see a list of Key Manager Plus agents installed on remote resources along with insights such as IP address, User Name, Version, Installed Time, HeartBeat Interval, Last HeartBeat, and last Operation performed.
  3. If you want to delete an agent, you can do so by choosing the agent and clicking Delete from the top menu.

5. Discovering SSL Certificates using Agents

Navigate to Discovery >> Agent and select the Agent or navigate to SSL >> Windows Agent, select the Agent and click Discovery. In the pop-up that appears, use any of the provided discovery methods to discover the SSL certificates:

  1. Choose DMZ to discover certificates from servers in the demilitarized zone.
    1. If you choose to discover by DMZ, select the Discover by method as Hostname / IP Address or IP Address Range.
    2. Mention the Hostname/IP Address, Time out value, Port, and click Discover.

    Note:
    Server Name and Certificate Authority fields are applicable for Microsoft Certificate Authority only from build 6680 onwards.
    From build 6680 onwards, Key Manager Plus agent can be installed on any server, provided the server has access to connect to the Microsoft CA server. Enter the Microsoft CA server name in the Server Name field.

The certificates are successfully discovered and imported into Key Manager Plus' centralized certificate repository. You can view them from SSL >> Windows Agent.

After certificate discovery, click the Host Name of an agent to view all certificates associated with that particular agent.


6. Signing Certificate(s) using Agent

  1. Navigate to SSL >> Windows Agent and select the required agent and click Sign.
  2. In the dialogue box that opens, enter the Server Name and the Certificate Authority.

    Note:
    Server Name and Certificate Authority fields are applicable for Microsoft Certificate Authority only from build 6680 onwards.
    From build 6680 onwards, Key Manager Plus agent can be installed on any server, provided the server has access to connect to the Microsoft CA server. Enter the Microsoft CA server name in the Server Name field.

  3. Select the Certificate Template or click Get Templates link to get new templates.
  4. Mention the Agent Time out in seconds within which the agent should respond. If the agent doesn't respond within the timeout period, the operation will be audited as failed.
  5. Select the CSR from the dropdown and click Sign.

Now the certificates are successfully signed and will be available in the repository.

7. Deploying Certificate(s) using Agent

  1. Navigate to SSL >> Windows Agent and select the agent.

  2. Click Deploy and select the required server from the drop-down. 
  3. If you choose Windows(using agent), select the Certificate Group, mention the Path, select the Certificate and/or JKS/PKCS checkbox(es) based on your requirement, choose the File Type and/or Keystore Type, and click Deploy.
  4. If you choose MS Store(using agent), select the Certificate Group and click Deploy.
  5. If you choose IIS(using agent), select the Certificate Group and click Deploy.
  6. If you choose IIS Binding(using agent), select the Certificate Group, mention the Site Name and click Get Bindings.
  7. Click Manage link to manage the certificate group.
  8. Click Save to save the changes.
  9. Now, the certificates will be deployed and will be available under SSL tab.

8. Deploying Certificate(s) in Multiple Servers using Agent

  1. Navigate to SSL >> Certificates tab and click multiple servers icon corresponding to the required certificate.
  2. A window opens listing the servers in which the certificate is deployed along with other information such as IP address, Port and certificate validity, Host Name, Serial Number at Host and Sync Status.
  3. The DNS name should be the same as the Agent's name, and this agent should be running under the DNS server.
  4. To modify the Server details, click credentials icon corresponding to the required certificate.
    1. Select the Server Type(using agent) and select the required Agent.
    2. Mention the Path and select the required checkbox(es).
    3. If you select Certificate, select the File Type and enter the Certificate File Name.
    4. If you select JKS/PKCS, select the Keystore Type and mention the Store File Name.
    5. If you choose the Server Type as Microsoft Certificate Store, select Computer and/or User account to deploy the certificate to the selected account.
    6. Now, select Enable PrivateKey Export from MS Certificate Store after deployment to export private key from the certificate store.
    7. Click Save. 
  5. To edit a deployed server, click edit icon corresponding to required certificate.
    1. In the pop-up that appears, you will be able to edit the DNS Name, IP Address and Port.
    2. You can choose to Deploy Certificate to all servers on Auto Renewal. 
    3. Click Save.

      Note: You will be able to deploy certificate to all servers on auto renewal only if the user credentials are available.

  6. To auto deploy certificates after renewal, select the desired certificates and click the Edit button.
    1. Select Deploy Certificate on Auto Renewal and click Save in the pop-up that appears. 
  7. To check the Sync Status using the agent, select the desired certificates and click the Edit button.
    1. Select Sync Check With Agent and click Save.
  8. Click Add to Add Deployed Servers. 
    1. In the pop-up that appears, mention the DNS Name, IP Address and Port.
    2. You can choose to Deploy Certificate to all servers on Auto Renewal.
    3. Click Save.
    4. You can also add deployed servers from SSL >> Certificates >> More >> Add Deployed Server.
    5. Now, the certificates have been successfully deployed using agent. To know more about SSL certificate deployment click here.

  9. To check the Sync Status of the server, select a server and click Check Status on the top pane.
  10. Now, Key Manager Plus will check the Sync Status and will display it on the corresponding server's column.

9. Deleting Agent(s)

  1. Navigate to SSL >> Windows Agent and select the required Agent(s) to be deleted and click Delete.
  2. Click Ok in the pop-up that appears.
  3. The certificate will be deleted from the list.