SSH key, SSL Certificate Management Solution for Enterprises

Frequently Asked Questions

The Frequently Asked Questions (FAQs) below answer some common queries you might have regarding Key Manager Plus. Should you have more questions, feel free to write to us at keymanagerplus-support@manageengine.com.

Setup & Installation

1. What are the basic system requirements (hardware / software) necessary to install Key Manager Plus?

There is no prerequisite software installation needed to use Key Manager Plus. Click here to learn about compatible environments required for installing and operating Key Manager Plus.

2. Where can I find the installation / setup document for Key Manager Plus? I am specifically looking for information related to database and setting it up on a remote SQL server.

Please use the links below for a detailed explanation of Key Manager Plus installation and MS SQL database configuration.

3. What are the ports used by Key Manager Plus?

By default, Key Manager Plus uses the following ports for web client and backend database.

  • PostgreSQL (backend database) - Port 53306
  • Web client - Port 6565

4. How do I upload a server certificate for Key Manager Plus?

Follow the steps below to upload a server certificate for Key Manager Plus.

  • Navigate to Settings → General Settings → Server Certificate
  • Browse for and upload the required certificate file.
  • You can also choose a certificate already stored in Key Manager Plus' certificate repository and set it as the server certificate: click the Existing Certificate option and choose the required certificate.
  • The chosen certificate is set as Key Manager Plus' server certificate. The change will take effect once you restart the application.

For more details regarding server certificate deployment, click here.

Upgrade Pack

1. What is the procedure to be followed to apply the upgrade pack?

The link below contains a detailed explanation of how to apply an upgrade pack for Key Manager Plus.

https://www.manageengine.com/key-manager/upgradepack.html

2. Where can I find information about new feature enhancements and bug fixes made between different versions of Key Manager Plus?

We maintain release notes, which record all the new feature enhancements and bug fixes made in every Key Manager Plus release.

https://www.manageengine.com/key-manager/release-notes.html

Resource Discovery

1. Can I perform resource discovery for a range of resources simultaneously?

Yes, you can. Navigate to the Discovery tab and select the discovery type IP Address Range. Provide the starting and ending IP addresses and click Discover. All the accessible resources within the range will be discovered and listed.

2. How can I discover multiple resources with random IP addresses in one go?

Navigate to the Discovery tab and select the discovery type From file. Upload a text file containing a list of host names / IP addresses (along with the ports), one entry per line, in the format shown below.

0.0.0.0 443,6565
test-username-10 6565,7272,443
192.168.20.20 7272

3. Is there any option to perform resource discovery by providing port range?

No. Currently, there is no provision to specify a port range during resource discovery. This might be available in one of our future releases.

However, you can specify multiple ports during a resource discovery by separating them with commas in the Port field.

For instance:

6565,7272,443
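As an added example (not part of the original FAQ and not the product's own code), the following Python validator checks a "From file" discovery list of the form shown in question 2 and the comma-separated port syntax from question 3 before it is uploaded. It assumes only the format shown on this page: one host followed by a comma-separated port list per line. The hostname rule (RFC 1123 labels), the skipping of blank lines and the rejection of port ranges are my assumptions, and the malformed lines in the sample are constructed.

```python
"""Validate a Key Manager Plus 'From file' discovery list (added example)."""
import ipaddress
import re
from typing import List, Tuple

# Hostname label rules from RFC 1123: alphanumerics and hyphens, no leading
# or trailing hyphen, 1-63 chars per label, 253 chars overall (assumption:
# the FAQ does not state which hostname syntax the product accepts).
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?=.{{1,253}}$)(?:{_LABEL}\.)*{_LABEL}$")


def is_valid_host(host: str) -> bool:
    """Accept an IPv4/IPv6 literal or an RFC 1123 hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return bool(_HOSTNAME_RE.match(host))


def parse_port_list(text: str) -> List[int]:
    """Parse the comma-separated port syntax from the FAQ ('6565,7272,443').

    Ranges such as '6565-7272' are rejected, matching the FAQ's statement
    that port ranges are not supported. Duplicates are dropped."""
    ports: List[int] = []
    for token in text.split(","):
        token = token.strip()
        if not token.isdigit():
            raise ValueError(
                f"invalid port {token!r} (only comma-separated numbers are accepted)"
            )
        port = int(token)
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        if port not in ports:
            ports.append(port)
    return ports


def parse_discovery_file(
    text: str,
) -> Tuple[List[Tuple[str, List[int]]], List[Tuple[int, str]]]:
    """Parse '<host> <port[,port...]>' lines.

    Returns (entries, errors). entries is a list of (host, ports); errors is a
    list of (line_number, message) for lines that would be rejected, so a bad
    line is reported instead of silently shrinking the discovery scope."""
    entries: List[Tuple[str, List[int]]] = []
    errors: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:  # blank lines are skipped (assumption)
            continue
        parts = line.split()
        if len(parts) != 2:
            errors.append((lineno, "expected '<host> <port[,port...]>'"))
            continue
        host, port_text = parts
        if not is_valid_host(host):
            errors.append((lineno, f"invalid host {host!r}"))
            continue
        try:
            ports = parse_port_list(port_text)
        except ValueError as exc:
            errors.append((lineno, str(exc)))
            continue
        entries.append((host, ports))
    return entries, errors


# Constructed sample: the three lines from the FAQ followed by four malformed
# lines that a validator should flag before the file is uploaded.
SAMPLE_DISCOVERY_FILE = "\n".join([
    "0.0.0.0 443,6565",
    "test-username-10 6565,7272,443",
    "192.168.20.20 7272",
    "bad_host! 443",        # underscore and '!' are not valid hostname characters
    "10.0.0.5 99999",       # port out of range
    "10.0.0.6",             # missing port list
    "10.0.0.7 6565-7272",   # port ranges are not supported
])

if __name__ == "__main__":
    ok, bad = parse_discovery_file(SAMPLE_DISCOVERY_FILE)
    for host, ports in ok:
        print(f"OK   {host:<20} {','.join(map(str, ports))}")
    for lineno, msg in bad:
        print(f"LINE {lineno}: {msg}")
```

Run against the constructed sample, the first three lines are accepted and lines 4 to 7 are reported with the reason, which is the check worth doing before a large upload so that a typo does not quietly leave a host out of the discovery run.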

4. When I try to discover certificates issued by Microsoft Certificate Authority, the discovery fails. How do I resolve this?

To successfully discover, import and manage certificates from your Certificate Store and those issued by your Microsoft Certificate Authority (MS CA), make sure that you use your domain administrator account as Key Manager Plus' service logon account. If you use a domain service account to run Key Manager Plus, make sure you've added it to the local Administrators group beforehand. Restart Key Manager Plus after the configurations are made for the changes to take effect, then perform MS CA discovery.

For a step-by-step explanation of Certificate Store and MS CA discovery, click here. If the issue persists, write to keymanagerplus-support@manageengine.com.

SSH Key Management

1. Are there any differences in the way SSH user accounts and SSH service accounts are managed using Key Manager Plus?

No, Key Manager Plus adopts the same approach for managing SSH user accounts and SSH service accounts. The only difference is that during resource discovery, if service / root account credentials are provided to establish the connection with the resource, you acquire extended privileges to import and manage keys from all user accounts on the resource.

When the connection to the resource is established using user account credentials, however, you get key management privileges only for the SSH keys present in that particular account.

2. Is there any way to view SSH keys that were not rotated?

Yes. We have a dashboard widget that displays the number of keys that were not rotated within the predefined time period specified in the notification policy. You can drill down from here to obtain further information about these keys by clicking on the widget.

SSL Certificate Management

1. Is there any certificate type that Key Manager Plus is incompatible with?

No. Key Manager Plus supports all X.509 certificate types.

2. Is it possible to automatically identify and update the latest version of certificates in Key Manager Plus' certificate repository?

Yes. You can create scheduled tasks to perform automatic certificate discovery, through which old certificates in Key Manager Plus' certificate repository are replaced with the updated versions imported from the target systems. Click here for a detailed explanation of schedule creation.

3. Does the Linux version of Key Manager Plus support certificate discovery from Active Directory and MS Certificate Store?

No, it doesn't. The AD User Certificate and MS Certificate Store tabs appear only in the Windows version of Key Manager Plus.

4. Is it possible to track the expiry of certificates with the same common name in Key Manager Plus' certificate repository?

Key Manager Plus differentiates certificates by their common names and records certificates with the same common name as a single entry in its certificate repository. We've designed it this way because Key Manager Plus licensing is based on the number of certificates and we don't want customers spending many license keys on the same certificate.

However, if there's a need to manage both certificates separately, you can do so by listing them as separate entries in Key Manager Plus' certificate repository. Once listed, the newly added certificate will be counted for licensing.

To add a certificate with the same common name as a separate entry in the certificate repository:

  • Navigate to SSL → Certificates and click the Certificate History icon on the right side of the table view.
  • Click the Certificate Settings icon beside the required version of the certificate and click Manage Certificate.
  • The selected version is listed as a separate certificate in the certificate repository.
  • If you want to manage only one version of the certificate, click the Certificate Settings icon beside the required version and choose the Set as current certificate option. The chosen version is set for management.

5. How do I import a private key for a certificate?

Follow the steps below to import a certificate's private key into Key Manager Plus.

  • Navigate to SSL → Certificates tab.
  • Select the certificate for which you need to import the private key.
  • Choose the Import Key option from the More menu at the top.
  • Browse for the file that contains the private key, enter the keystore password and click Import. The private key is imported and attached to the selected certificate.

6. How do I deploy a certificate to the Certificate Store and map it to the application that uses the certificate?

Key Manager Plus facilitates certificate deployment, through which you can deploy certificates from its repository to a target server's Microsoft Certificate Store.

Click here for a step-by-step explanation of certificate deployment.

To map the certificate to its corresponding application, you have to manually restart the server on which the application is running for the change to take effect.

7. Does Key Manager Plus support subnet based certificate discovery?

No. Key Manager Plus currently doesn't support subnet-based SSL certificate discovery. However, this might be available in one of our future releases.

8. Do you have automatic scheduling for certificate discovery from MS Certificate Store?

No. Currently, Key Manager Plus doesn't support automatic scheduling for certificate discovery from MS Certificate Store. This might be available in one of our future releases.

9. How does the Microsoft CA auto renewal process take place?

For MS CA auto renewal to occur, you have to first ensure that the specific setting is enabled in Key Manager Plus. Navigate to Settings → SSL → Microsoft CA Auto Renewal. Enable the auto renewal task, specify the recurrence interval and click Save.

Once auto renewal is enabled, certificates in Key Manager Plus that were issued by the Microsoft CA and have expired or are due to expire in 10 days or less are automatically renewed.

Notification Policy

1. I have created a scheduled task for SSL certificate expiration and have configured it to send an email notification if certificates are expiring within 30 days, but why am I not receiving any emails?

To receive email notifications, please make sure that you've configured your mail server details. If not, follow the steps below to configure the mail server settings.

  • Navigate to Settings → General Settings → Mail Server in Key Manager Plus' interface.
  • Enter the server name and specify the port used for communication. Enter the username and password for authentication.
  • Enter the "from" and "to" email addresses.
  • Click Test Mail to send a test mail to the specified email address and verify the settings.
  • Click Save. You will get a confirmation message about the updated mail server settings.

2. Are certificate related alert emails generated for all versions of a certificate (the ones that show in "certificate history" also) or only for those certificates listed in Key Manager Plus' certificate repository?

Email notifications are generated ONLY for certificates listed in Key Manager Plus' certificate repository and NOT for the different versions of a certificate displayed in the "Certificate History" section.

Let's Encrypt Integration

1. How does the HTTP-01 based automated domain validation work for Let's Encrypt certificate renewals?

Refer to the help document below for a detailed explanation of HTTP-01 based automated domain validation.

https://www.manageengine.com/key-manager/help/lets-encrypt-integration.html#Letsencryptchallenge

2. Does Key Manager Plus support Let's Encrypt certificate renewals through automated ACME / DNS-01 authentication with popular DNS services?

Yes. Key Manager Plus (from version 5610) supports automated domain validation through DNS-01 challenge verification (for Azure and Cloudflare DNS) for Let's Encrypt certificate renewals.

Refer to the help section below for a detailed explanation of DNS-01 based challenge verification.

https://www.manageengine.com/key-manager/help/lets-encrypt-integration.html

General

1. Are there any REST APIs available to integrate with Key Manager Plus?

Yes. Key Manager Plus provides REST APIs for all the major functionalities.

Access the link below for the detailed REST API documentation.

https://www.manageengine.com/key-manager/help/restapi.html

2. Does Key Manager Plus support management of digital keys other than SSH keys and SSL certificates?

Key Manager Plus houses a key vault called "Key Store" which facilitates the storage and management of any type of digital key. However, the option to discover and import is limited to SSH keys and SSL certificates and isn't available for other types of digital keys.

3. Are certificates issued by the company's internal certification authority (CA) counted for licensing?

Yes. All types of SSL certificates, SSH keys and any other digital keys being managed using Key Manager Plus are taken into account for licensing. The "License Details" dashboard widget provides insights into the type and number of digital identities being managed using Key Manager Plus that will be taken into account for licensing.

4. Can ManageEngine ServiceDesk Plus (SDP) integrate with Key Manager Plus?

Key Manager Plus provides a CMDB synchronization feature with ManageEngine ServiceDesk Plus, wherein admins can export certificate details from Key Manager Plus' certificate repository to ServiceDesk Plus' CMDB and thereby keep tabs on usage, expiration, and other aspects of SSL certificate management.

For a detailed explanation of the integration with SDP's CMDB, click here.

5. I get an "encryption key file not available" error in/Wrapper.log file when trying to start / restart Key Manager Plus.

"Error: PMP encryption key file is not available in E:\Manage Engine Key Manager\IPB Key\pmp_key.key INFO | jvm 1 | 2018/05/18 16:25:34 | Error: Exception while initializing PMP Cryptography. java.lang.Exception: PMP encryption key file is not available in E:\Manage Engine Key Manager\IPB Key\pmp_key.key"

The above issue occurs if there is a mismatch between the location of the "pmp_key.key" file configured in the "manage_key.conf" file and the actual path of the "pmp_key.key" file.

To resolve the issue, follow the steps below and then restart Key Manager Plus.

  • Navigate to\Conf folder and look for the file named "pmp_key.key".
  • Copy the pmp_key.key file from\Conf folder and paste it in the path "E:\Manage Engine Key Manager\IPB Key".
  • Restart Key Manager Plus.

This should resolve the startup issue. If you have more queries, feel free to write to us at keymanagerplus-support@manageengine.com.

(NOTE: If you wish to change the location of the key file to a different directory, edit the file named "manage_key.conf" from\Conf folder with WordPad/Notepad++, provide the new directory location, and move the pmp_key.key file to the location specified in the file. Please make sure that the "manage_key.conf" file under the conf/ folder contains the correct, complete path where the "pmp_key.key" file is available.)

6. When trying to access Key Manager Plus from the tray icon in Windows, the following error is thrown:

"Failed to start KeyManager service. REASON: Access is denied."

The above error might occur because of a permission issue. Follow the steps below and check whether the issue is resolved. If not, contact us at keymanagerplus-support@manageengine.com.

  • Right-click the Key Manager Plus tray icon (SSL Certificate) and click Exit.
  • Then navigate to <KMP Installation Folder> and look for the file "keymanager.exe".
  • Right-click the .exe file and choose the Run as administrator option. Doing this will resolve any permission issue and you'll be able to access Key Manager Plus using the tray icon.