Integration with Entrust Certificate Authority
Key Manager Plus integrates with Entrust Certificate Authority, a provider of SSL/TLS certificates and digital identity solutions. The integration uses the Entrust API, so you can request, acquire, import, renew, and reissue certificates directly from the Key Manager Plus web interface and manage their lifecycle from one place.
Prerequisite:
Allow outbound HTTPS from the Key Manager Plus server to the following base URL and port in your firewall or proxy; otherwise Key Manager Plus cannot reach Entrust's CA services. If outbound traffic passes through a proxy that terminates and re-signs TLS, the Test Login step in section 1 is where any resulting trust failure will show up.
URL: https://api.entrust.net/enterprise/v2/
Port: 443
This document guides you through the steps to effectively handle the lifecycle of SSL/TLS certificates issued by Entrust CA, encompassing tasks such as importing existing orders, creating new certificate requests, and managing the certificates.
Refer to the sections that follow to learn more about Entrust integration and certificate management with Key Manager Plus:
- Entrust Certificate Authority Details in Key Manager Plus
- Import Existing Entrust Orders
- Create a New Certificate Order
- Update Certificate Status
- Check Order Status
- Renew, Reissue, Revoke, and Delete Certificates
1. Entrust Certificate Authority Details in Key Manager Plus
To begin managing SSL certificates issued by Entrust from Key Manager Plus, you must add your Entrust account in Key Manager Plus via your unique API Key. If you do not have an Entrust account, contact the Entrust team to sign up and get your login credentials. Once you have your allocated Entrust account, follow the steps below to generate an API key to begin the integration process.
- Log in to your Entrust account.
- Navigate to Administration >> Advanced Settings >> API and click Generate credentials.
- In the dialogue box that opens, enter the API Key details and click Generate.
- Upon generation, you will get a username and an API Key to use the Entrust platform via REST API. Treat the API key as a password: it authenticates to your Entrust account, so store it only in Key Manager Plus and do not paste it into tickets or chat.
Note: Refer to this Entrust documentation for more information.
Now, log into the Key Manager Plus web interface, and add your Entrust credential with the unique username and API key by performing the below steps:
- Navigate to Integrations >> Public CA Integrations >> Entrust and click Manage.
- In the new page that appears, click Add to add an Entrust credential.
- In the dialogue box that opens, enter the Credential Name, User Name, and API Key and click Save. This is a one-time operation. You can also click Test Login to check the communication between the Entrust and the Key Manager Plus interface.
Once your Entrust account details are linked to Key Manager Plus, the system retrieves vital information such as domains, organizations, and products (certificate profiles) and organizes them under the individual tabs with corresponding details. These details are crucial as Entrust issues certificates based on them. For further manual synchronization, use the Sync option under each tab for Organizations, Domains, and Products. Alternatively, you can also sync Organizations, Domains, or Products for a particular credential directly from the Credentials tab.
2. Import Existing Entrust Orders
If you already have an active Entrust account, you probably have certificate orders in progress. Key Manager Plus can import those existing orders from the Entrust portal so that they are managed alongside new orders. To import the existing certificate orders:
- Navigate to the Integrations >> Public CA Integrations >> Entrust window in Key Manager Plus.
- Click More >> Import Existing Orders from the top menu.
- Select the API Credential, enable the necessary exclusions, and click Import.
This imports all certificate orders linked to the selected Entrust credential into Key Manager Plus for ongoing management.
3. Create a New Certificate Order
Once you have successfully linked your Entrust account with Key Manager Plus, you can start creating new certificate orders directly from the Key Manager Plus interface.
To place a new certificate order in Entrust from Key Manager Plus:
- Navigate to the Integrations >> Public CA Integrations >> Entrust tab and click Order Certificate.
- In the window that opens, select the Credential Name, Organization, Product, Domain, and Extended Key Usage attributes accordingly.
- Select the CSR from Key Manager Plus and provide the corresponding Private Key and Private Key Password as desired. You also have the option to either paste the CSR content directly or choose the CSR created via Key Manager Plus, eliminating the need to select it from your local files.
- Select the required Signature Algorithm and Expiration Date.
- Enter the Certificate Friendly Name, Requester Name, Email, and Phone accordingly as required.
- Complete any additional fields mandated by your Entrust administrator to proceed with creating the certificate order.
- Enable the following checkboxes as required:
- I agree to queue the request for Entrust Administrator approval - The certificate order request will be queued for approval by an Entrust administrator.
- I agree to send the certificate content for CT Logs - The certificate, including its host names, will be published to public Certificate Transparency logs. Leave this enabled for publicly trusted TLS certificates: major browsers require CT logging and reject certificates that are not logged. Treat the host names in the certificate as public information.
- Verify your details and click Order Certificate.
Note: If you find any mismatch in the Entrust-related details (Organization/Product/Domain) displayed here, please verify the details in the Entrust portal and then perform a manual sync under Entrust >> Manage in the Key Manager Plus interface to refresh the details. For assistance with any other discrepancies related to the Entrust account, please contact the Entrust customer support team.
4. Update Certificate Status
Use the Update Certificate Status option to act on pending certificate orders: Approve, Decline, Suspend, or Resume them as needed. These actions require an Entrust credential with administrative privileges to be added in Key Manager Plus. If no such credential is present, a user with administrative privileges in Entrust can perform the same actions directly in the Entrust portal.
5. Check Order Status
Once a certificate order is successfully created, you can view it under the Integrations >> Public CA Integrations >> Entrust window, with its status displayed to the right. To track the certificate availability for an order, select the order and click Check Order Status from the top pane. Once a certificate is issued, it is fetched and added to the Key Manager Plus certificate repository. You will be able to view it under SSL >> Certificates.
Note: Issued certificates are added to Key Manager Plus automatically only if your license has sufficient certificate count. If it does not, obtain the required license count before attempting to import any certificates. This does not affect the order in Entrust; the certificate can still be viewed and managed from the Entrust portal.
6. Renew, Reissue, Revoke, and Delete Certificates
Renew a certificate when it approaches expiry. If its private key is compromised or lost, reissue the certificate with a new key pair and revoke the old one; renewing alone does not help, because renewal does not invalidate the compromised key. You can perform all of these actions directly in Key Manager Plus through the Entrust integration with a valid privileged Entrust credential.
6.1 Manual Certificate Renewal
Perform the following actions to manually renew an Entrust-issued SSL certificate through Key Manager Plus:
- Navigate to Integrations >> Public CA Integrations >> Entrust.
- Select the desired certificate and click Renew Certificate from the top menu.
- Enter the required information on the subsequent page and click Renew Certificate.
- Upon successful validation, the certificate will be renewed and added to the Key Manager Plus certificate repository.
Deploy the renewed certificate in the exact location where the previous certificate was in use, so that clients keep getting a valid, unexpired chain. Follow the instructions specified here to ensure proper certificate deployment.
6.2 Automated Certificate Renewal
Before configuring the auto-renewal process for Entrust-issued SSL certificates, perform the following actions:
- Navigate to Integrations >> Public CA Integrations >> Entrust >> Manage.
- Click the View Custom Fields icon of a credential.
- Click the Sync button to import any newly added custom fields from Entrust into Key Manager Plus.
- On the Custom Fields page, click Set Custom Field Values to add the default values to the Entrust custom fields.
- You can either enter the default values or enable the Ignore the Default Value if the custom field has an existing value checkbox to use the existing value associated with the respective custom field during certificate renewal.
- Click Save to apply the changes.
Follow these steps to configure the auto-renewal process for the desired Entrust-issued SSL certificates:
- Navigate to Integrations >> Public CA Integrations >> Entrust >> Manage.
- On the page that appears, click the Auto-Renewal tab and toggle on the Auto-Renew button.
- Enter the number of days before expiry when the auto-renewal process should be carried out.
- Select the certificates you want to auto-renew and set the validity.
- Click Save to apply the auto-renewal configuration for the selected Entrust certificates.
- Tick the checkbox below the Save button to trigger email notifications for auto-renewal failures.
Note: Do not attempt to manually renew the orders that are configured with the Auto-Renewal process.
Key Manager Plus will carry out the auto-renewal process based on the configured details for the selected SSL certificates. Click the Auto-Renewal Audit option for insights about the certificates renewed through the auto-renewal process.
6.3 Reissue Certificate
Reissuing a certificate in Key Manager Plus generates a new certificate with the same details (organization name, domain name, expiry date, etc.) but a new key pair, so a compromised key can no longer be used with the replacement. To reissue a certificate:
- Navigate to Integrations >> Public CA Integrations >> Entrust.
- Select the required certificate and click Reissue Certificate from the top menu.
- On the page that opens, fill in the necessary information and click Reissue Certificate.
- Upon successful validation, the certificate will be issued and automatically included in the Key Manager Plus certificate repository.
Deploy the reissued certificate, together with its new private key, in the exact location where the previous certificate was in use. The old private key no longer matches the reissued certificate, so a deployment that replaces only the certificate file will fail the TLS handshake. Follow the deployment instructions carefully.
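The pre-deployment checks implied by sections 6.1 and 6.3 (the certificate must belong to the private key you are about to deploy, must cover the host, and must not be about to expire) can be scripted. The block below is an added example and is not part of Key Manager Plus or Entrust; it assumes only the openssl command-line tool. The certificate it checks is a constructed self-signed stand-in for an Entrust-issued one, and the file names and host name are placeholders.

```shell
#!/bin/sh
# Added example (not Key Manager Plus or Entrust code). Assumes the openssl CLI.
# Usage: sh entrust_precheck.sh cert.pem key.pem www.example.com 30

# SHA-256 fingerprint of the public key embedded in a certificate.
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 fingerprint of the public key derived from a private key.
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# 0 when the certificate was issued for this private key (same public key).
cert_matches_key() {
    [ "$(cert_pubkey_fp "$1")" = "$(key_pubkey_fp "$2")" ]
}

# 0 when the certificate stays valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# 0 when the subjectAltName extension lists DNS:$2 exactly.
cert_covers_host() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tr ', ' '\n\n' | grep -qxF "DNS:$2"
}

# Combined gate for a renewed or reissued certificate before it is deployed.
check_deployment_candidate() {
    cert=$1 key=$2 host=$3 min_days=$4
    cert_matches_key "$cert" "$key" \
        || { echo "FAIL: public key in $cert does not match $key (old key after reissue?)" >&2; return 1; }
    cert_covers_host "$cert" "$host" \
        || { echo "FAIL: $host is not in the subjectAltName of $cert" >&2; return 1; }
    cert_valid_for_days "$cert" "$min_days" \
        || { echo "FAIL: $cert expires within $min_days days" >&2; return 1; }
    echo "OK: $cert matches $key, covers $host, valid for at least $min_days days"
}

# Constructed fixture: a self-signed 90-day certificate stands in for the Entrust-issued
# one, and a second, unrelated key plays the role of the old key from before a reissue.
make_fixture() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
        -keyout "$1/new.key" -out "$1/cert.pem" -subj "/CN=www.example.com" \
        -addext "subjectAltName=DNS:www.example.com,DNS:example.com" >/dev/null 2>&1
    openssl genrsa -out "$1/old.key" 2048 >/dev/null 2>&1
}

if [ $# -eq 4 ]; then
    check_deployment_candidate "$@"
fi
```

Run it against the certificate fetched into the repository and the private key on the target system before swapping files; a mismatch is the typical sign that a reissued certificate is being paired with the key from the previous order.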
6.4 Revoke Certificate
To revoke a certificate from Key Manager Plus, perform the following action:
- Navigate to Integrations >> Public CA Integrations >> Entrust.
- Select the required certificate and click More >> Revoke Certificate from the top menu.
- On success, the certificate is revoked at Entrust. Then go to the SSL >> Certificates tab and delete the certificate to remove it from the Key Manager Plus repository.
6.5 Delete Certificate Order
To delete the certificate order from Key Manager Plus, perform the following action:
- Navigate to Integrations >> Public CA Integrations >> Entrust.
- Select the required certificate orders and click More >> Delete from the top menu.
- Upon execution, the certificate orders will be deleted from Key Manager Plus and the related certificate will remain intact in the SSL tab.
Note: The Delete option only removes the certificate order from the Key Manager Plus interface, after which you can no longer manage it from Key Manager Plus. It does not delete the order from Entrust; the certificate can still be viewed and managed from the Entrust portal.