SSL Certificate Deployment
Overview
In general, SSL certificates procured from Certificate Authorities (CAs) are stored in a repository and then manually deployed on appropriate target systems. Key Manager Plus deploys the certificates from the repository on the correct target systems automatically. You can use Key Manager Plus to deploy the certificates on the various systems individually, or in bulk, based on your requirements. Also, you can use the Key Manager Plus agent to deploy certificates on servers that reside in demilitarized zones outside of the domain where the Key Manager Plus server is present.
1. Steps to Deploy Certificates on Different Target Systems
Follow the below steps to deploy an SSL certificate on various target systems:
1. Navigate to SSL >> Certificates.
2. Select the checkbox beside the certificate to be deployed.
3. Click Deploy.
4. In the drop-down, choose the required server type:
- For deploying certificates on Windows systems, MS Certificate Store and Internet Information Services (IIS), use your domain administrator account as the service login account of Key Manager Plus.
- If you are using a domain service account to run Key Manager Plus, ensure you already have it configured in your local admin group.
1.1 Windows Server
1. To deploy certificates on a Windows server, choose the server type as Windows.
2. Select the Deployment Type as Single, Multiple (servers) or Agent as per your need.
i. For single server deployment, provide the required details: Server Name, User Name, Password, Path, Certificate File Name (optional), Keystore File Name (optional).
ii. If you select the checkbox Use Key Manager Plus service account credentials for authentication, you need not provide the username and password separately, as the service account credentials used for Key Manager Plus will be used here too.
iii. For multi server deployment, upload a .csv file with any one set of the following details: Server Name, User Name, Password, Path, Certificate File Name (optional), Keystore File Name (optional)
[OR]
Follow this format to use the Key Manager Plus service account credentials instead: Server name, SERVICE_AUTH, Path, Certificate File Name (optional), Keystore File Name (optional).
3. If you choose the Deployment Type as Agent, choose the host name of the KMP agent from the Select Agent drop-down, enter the destination file path in the agent machine. If a destination path is not mentioned, the agent installation path will be taken as default. You can optionally mention the Certificate File Name, or Store File Name, or both, by enabling the Certificate or/and JKS/PKCS checkboxes, respectively. Click Save to save the agent details.
After providing the details, click Deploy. The certificate is deployed on the specified server/agent in the specified path.
Note:
For file-based deployment, if the Certificate and Keystore file names are not provided, or if multiple certificates are selected for deployment, the Common Name will be used as the file name.1.2 Microsoft Certificate Store
1. To deploy certificates on the MS Certificate store, choose the server type as Microsoft Certificate Store.
2. Select the Deployment Type as Single, Multiple (servers), or Agent as per your need.
i. For single server deployment, provide the required details: Server Name, User Name, Password, Path.
ii. If you select the checkbox Use Key Manager Plus service account credentials for authentication, you need not provide the username and password separately, as the service account credentials used for Key Manager Plus will be used here too.
iii. For multi server deployment, upload a .csv file with any one set of the following details: Server Name, User Name, Password, Path.
[OR]
Follow this format to use the Key Manager Plus service account credentials instead: Server Name, SERVICE_AUTH, Path.
3. If you choose the Deployment Type as Agent, choose the host name of the KMP agent from the Select Agent drop-down and click Save to save the agent details. After providing the details, click Deploy. The selected certificates are deployed in Personal Certificates.
1.3 Internet Information Services (IIS)
Follow the below steps to deploy a certificate on the IIS server. However, this procedure will only deploy the certificate to the server; IIS binding must be done separately.
- To deploy certificates on a Microsoft IIS server, select a certificate with a Keystore file and click Deploy >> Internet Information Services (IIS).
- Select the Deployment type as Single, Multiple servers, or Agent as per your need.
i. For single server deployment, provide the required details: Server Name, User Name, Password, Path.
ii. If you select the checkbox Use Key Manager Plus service account credentials for authentication, you need not provide the username and password separately, as the service account credentials used for Key Manager Plus will be used here too.
iii. For multi server deployment, upload a .csv file with any one set of the following details: Server Name, User Name, Password, Path.
[OR]
Follow this format to use the Key Manager Plus service account credentials instead: Server Name, SERVICE_AUTH, Path.
3. Specify the name of the IIS server to which the certificate needs to be deployed, provide the user account credentials, and specify a path in the server where the certificate must be placed.
4. Click Deploy. Now, the selected certificate will be deployed to the specified IIS server.
1.4 IIS Binding
Follow the below steps to deploy a certificate to the IIS server and bind the certificate to a site running in that server.
Note: IIS Binding for the Deployment Type Single will work only if the IIS server and Key Manager Plus are in the same domain, which has .Net Framework version 4 or above enabled. However, if an IIS Server resides in a demilitarized zone, choose the Deployment Type as Agent and proceed with the steps for the same given below.
- To deploy certificates on a Microsoft IIS server and perform IIS binding, choose the server type as IIS Binding.
- If you choose the deployment type as Single, enter the required details: Server Name, User Name, Password, Path.
- Specify the name of a valid IIS server to which the certificate needs to be deployed, and provide the user account credentials.
- Specify a path in the server where the certificate must be placed.
- If you select the checkbox Use Key Manager Plus service account credentials for authentication, you need not provide the username and password separately, as the service account credentials used for Key Manager Plus will be used here too.
- If the IIS Server resides in a demilitarized zone, choose the Deployment Type as Agent. Select an agent from the drop-down. Click Get Sites And Bindings to list all sites and their respective bindings available in the selected server. Enter the name of a site in the Site Name field, click Get Bindings to list all the bindings available for that site.
- Here, to add new bindings, click Add New Bindings and enter attributes such as Host Name, Port, IP Address, and select a certificate. The newly added bindings will be visible under Settings >> SSL >> IIS Binding. The new site bindings added in Key Manager Plus will not reflect in the IIS server until they are deployed to the server using the Deploy and Bind option.
- To populate the list of sites associated with the IIS server, click Get Site Names and choose a site from the drop-down. To enter a site name manually in the SiteName field, click Hide List, type in the site name and click the Get Bindings option.
- Enter the Host Name, IP Address and Port of the site manually.
- Select the Restart Site option to restart the site automatically.
- Click Add Binding/Update Binding to deploy the certificate at the path specified in your IIS server and complete IIS site binding.
- To update multiple bindings, select the required bindings from the list, click Save. Go to Settings >> SSL >> IIS Binding, select the bindings and click Deploy and Bind.
- To save the specified details and deploy the certificate later, click Save. The server details and the respective site details will be available under Settings >> SSL >> IIS Binding.
- To edit the binding details, click the Edit icon beside a server. In the window that opens, modify any of the given details and click Save. Now, select the server name and click Deploy And Bind from the top bar. The selected certificate will be deployed on the servers and the IIS binding will be updated in the IIS server.
- Details of sites and IIS bindings displayed in the IIS Binding table above are local to Key Manager Plus. To update the binding entries here with the entries from IIS server, select the required entries and click Update Binding.
- Deleting entries from the above table will not remove any data from the IIS server.
1.5 Linux Server
1. To deploy certificates on a Linux server, choose the server type as Linux.
2. Select the Deployment type as Single or Multiple servers as per your need
i. For single server deployment, provide the required details: Server Name, Port (port 22 is assigned by default), User Name, Password, Path, Certificate File Name (optional), Keystore File Name (optional).
ii. For multi server deployment, upload a .csv file with any one set of the following details: Server Name, Port, User Name, Password, Path, Certificate File Name (optional), Keystore File Name (optional).
- You can also opt for a key-based authentication for password-less servers by choosing the Import Key credential type. Upload the private key associated with the required user account in the target system and provide the key passphrase.
- After providing the details, click Deploy. The certificate is deployed on the specified server in the specified path.
Notes:
- Key-based authentication option is available for single server deployment type only.
- The private key uploaded during key-based authentication is for one-time use only and is not stored anywhere in the Key Manager Plus database. If you wish to add it to the Key Manager Plus repository, you can manually do so by using the Import option from the SSH tab.