Integrating GlobalSign with Key Manager Plus

Key Manager Plus integrates with the GlobalSign certificate authority, so enterprises can automate the end-to-end management of web server certificates signed and issued by GlobalSign from a centralized platform. This document describes how to manage the life cycle of SSL/TLS certificates issued by GlobalSign directly from the Key Manager Plus web interface: importing existing orders, raising certificate requests, provisioning, deployment, renewal, and the operations that follow.

Before you proceed with the integration, complete the following step as a prerequisite:

Prerequisite

Add the following base URL and port as an exception in your firewall or proxy to ensure Key Manager Plus is able to connect to GlobalSign's CA Services.
URL: https://system.globalsign.com/kb/ws/v1
Port: 443
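To confirm that the firewall or proxy exception above actually works from the Key Manager Plus host, the following added example (it is not part of this documentation and not Key Manager Plus code) opens a TCP connection to the endpoint and completes a TLS handshake with certificate and hostname verification against the system trust store. Only the base URL is taken from the prerequisite; the function names are my own.

```python
# Added example (not part of the Key Manager Plus documentation): confirm from the
# Key Manager Plus host that the GlobalSign endpoint is reachable through the
# firewall/proxy exception and that its TLS certificate validates.
import socket
import ssl
from urllib.parse import urlsplit

GLOBALSIGN_BASE_URL = "https://system.globalsign.com/kb/ws/v1"  # from the prerequisite above


def endpoint_from_url(url):
    """Return (host, port) for a URL, defaulting the port from the scheme."""
    parts = urlsplit(url)
    if parts.scheme not in ("https", "http"):
        raise ValueError(f"unsupported scheme in {url!r}")
    if not parts.hostname:
        raise ValueError(f"no host in {url!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.hostname, port


def check_tls_reachability(url=GLOBALSIGN_BASE_URL, timeout=5.0):
    """Open a TCP connection and complete a TLS handshake with chain and
    hostname verification against the system trust store.

    Returns a dict describing the outcome and never raises for network
    errors, so it can be logged from a scheduled job. Needs network access.
    """
    host, port = endpoint_from_url(url)
    result = {"host": host, "port": port, "tcp": False, "tls": False, "error": None}
    ctx = ssl.create_default_context()  # verifies chain and hostname by default
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["tcp"] = True
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                result["tls"] = True
                result["protocol"] = tls.version()
                result["issuer"] = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
    except ssl.SSLCertVerificationError as exc:
        # Port open but chain rejected: typically a TLS-intercepting proxy whose
        # CA is not trusted by this host.
        result["error"] = f"certificate verification failed: {exc.verify_message}"
    except (OSError, ssl.SSLError) as exc:
        # Blocked port, DNS failure, timeout or handshake failure.
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


if __name__ == "__main__":
    print(check_tls_reachability())
```

Run it on the Key Manager Plus server. `tcp` true with `tls` false and a verification error means the port is open but something in the path presents its own certificate; `tcp` false means the exception is not yet effective. Note that a Java application such as Key Manager Plus validates the chain against its own JRE trust store rather than the operating system's, so a pass here confirms the network path and the server's identity, not that the application itself trusts an intercepting proxy.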

  1. Adding GlobalSign Account into Key Manager Plus
  2. Placing a Certificate Order in GlobalSign from Key Manager Plus
  3. Domain Control Validation, Certificate Issue & Deployment
  4. Managing GlobalSign Certificate Orders

1. Adding GlobalSign Account into Key Manager Plus

To manage GlobalSign SSL certificates directly from Key Manager Plus, it is essential to add the GlobalSign account to Key Manager Plus first.

Navigate to Integrations >> GlobalSign >> Manage >> Accounts and enter your GlobalSign credentials for authentication. Once your GlobalSign account is verified and added, you may proceed with the subsequent operations. If the GlobalSign account fails to get added to Key Manager Plus, contact GlobalSign support, get an exception for the user's IP address, and try again. If adding the account fails, the IP address concerned is recorded in the Audit section.


Certificate orders requested via GlobalSign from Key Manager Plus have to undergo domain control validation (e-mail-based, File or HTTP-based, or DNS-based Domain Control Validation) to prove ownership of the domain. If you opt for DNS-based domain validation for a certificate order, configure the DNS account beforehand in the DNS tab and specify it in the DNS field of the certificate order so that the challenge verification procedure is automated.

From the DNS tab, click Add. In the pop-up that opens, choose the DNS Provider. You can add a maximum of one DNS account for each DNS provider supported. Key Manager Plus currently supports automatic domain control validation for Azure, Cloudflare, Amazon Route 53 DNS, RFC2136 DNS update, GoDaddy DNS, and ClouDNS.

a. Azure DNS

If you have selected Azure DNS as the DNS provider,

  1. Provide the Subscription ID, which is available on the Overview page of the Azure DNS zone.
  2. Provide the Directory ID, which is available in Azure Active Directory >> Properties.
  3. If you have an already existing Azure application, provide its Application ID and Key.
  4. If not, follow the steps mentioned in this document to create the Azure application and key, and give the application access to the DNS zones for making API calls.
  5. Finally, enter the Resource Group Name, which is the group name in which you have created the DNS zone, and click Save.
  6. Your DNS account details are saved and listed under Manage >> DNS.

b. Cloudflare DNS

If you have selected Cloudflare DNS as the DNS provider,

  1. In the Email address field, specify the email address associated with the Cloudflare account.
  2. For Global API Key, use the Generate API key option in the domain overview page of the Cloudflare DNS to generate the key and paste the value in this field.
  3. Click Save. Your DNS account details are saved and listed under Manage >> DNS.

Note: For the DNS-based domain validation type, if you are going to specify an already configured DNS account in the certificate order for domain control validation, make sure its status is marked Enabled under Manage >> DNS.


c. AWS Route 53 DNS

If you have selected AWS Route 53 DNS as the DNS provider,

  1. Generate and specify the Access Key ID and Secret associated with your AWS account.
  2. If you do not have an AWS account, create one and generate the Access Key ID and Secret by following the steps given below:
    1. Log in to the AWS console and navigate to IAM Services >> Users.
    2. Click Add user.
    3. Provide the user name and select the access type as Programmatic access.
    4. Switch to the next tab, click Attach existing policies directly under Set Permissions, and search for AmazonRoute53FullAccess.
    5. Assign the policy that is listed and switch to the next tab.
    6. In the tags section, add appropriate tags (optional) and switch to the next tab.
    7. Review all the information entered and click Create user.
    8. The user account is created and, subsequently, an access key ID and a secret are generated. Copy and save the key ID and secret in a secure location, because they will not be displayed again.
  3. If you already have an AWS user account, grant the AmazonRoute53FullAccess permission to the user and generate an access key if the user does not have one. If the user account already has an access key, you only need to ensure that the required permission is granted.

To grant the required permissions, follow the below steps:

  1. Navigate to the Permissions tab, select the required user account, and click Add Permission.
  2. Click Attach existing policies directly under Set Permissions and search for AmazonRoute53FullAccess.
  3. Assign the listed policy and hit Save.
  4. To generate the access key,
    1. Select the particular user account and navigate to the Security Credentials tab.
    2. In the window that opens, click Create access key.
    3. An access key ID and a secret are generated. Copy and save the key ID and secret in a secure location, because they will not be displayed again.
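AmazonRoute53FullAccess grants record changes in every hosted zone the account owns. Where the access key is going to be stored in a third-party system, a practitioner would normally scope it to the zones that host the certificate domains. The following added example (not from the Key Manager Plus documentation) builds such a policy document and includes a small review check that the record-changing action is never granted on `*`. The action list is the set an automated DNS-validation client typically needs; it is an assumption, to be confirmed in a test account, that Key Manager Plus works with this reduced set rather than the full-access policy named in the steps above. The hosted zone ID and function names are constructed.

```python
# Added example (not part of the Key Manager Plus documentation): a least-privilege
# alternative to attaching AmazonRoute53FullAccess. Whether Key Manager Plus
# functions with this reduced action set is an assumption to verify.
import fnmatch
import json

# Actions needed to locate the zone and to confirm a change has propagated;
# these are not zone-scoped in IAM, so they are granted on "*".
ZONE_LOOKUP_ACTIONS = [
    "route53:ListHostedZones",
    "route53:ListHostedZonesByName",
    "route53:GetChange",
]
# Actions that read and write records inside a specific hosted zone.
ZONE_WRITE_ACTIONS = [
    "route53:GetHostedZone",
    "route53:ListResourceRecordSets",
    "route53:ChangeResourceRecordSets",
]


def scoped_route53_policy(hosted_zone_ids):
    """Build an IAM policy document that allows record changes only in the
    given hosted zones (IDs like 'Z0123456789ABCDEFGHIJ', constructed here)."""
    if not hosted_zone_ids:
        raise ValueError("at least one hosted zone ID is required")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "FindZones",
                "Effect": "Allow",
                "Action": ZONE_LOOKUP_ACTIONS,
                "Resource": "*",
            },
            {
                "Sid": "ManageValidationRecords",
                "Effect": "Allow",
                "Action": ZONE_WRITE_ACTIONS,
                "Resource": [f"arn:aws:route53:::hostedzone/{z}" for z in hosted_zone_ids],
            },
        ],
    }


def no_wildcard_record_writes(policy):
    """Review check: ChangeResourceRecordSets (directly or via an action
    wildcard such as 'route53:*') must never be allowed on Resource '*'."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        writes = any(fnmatch.fnmatch("route53:ChangeResourceRecordSets", a) for a in actions)
        if writes and "*" in resources:
            return False
    return True


if __name__ == "__main__":
    # Constructed hosted zone ID; replace with the zone that serves your domains.
    print(json.dumps(scoped_route53_policy(["Z0123456789ABCDEFGHIJ"]), indent=2))
```

Attach the generated document as an inline or customer-managed policy to the dedicated user whose access key is entered in Key Manager Plus, and run the review check against any policy already attached to that user.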

d. RFC2136 DNS Update

If you are using an open-source DNS server such as Bind or PowerDNS that supports RFC2136 DNS update, follow the steps below to automate the DNS-based domain control validation procedure using Key Manager Plus.

  1. Enter the DNS Server IP / Host Name, that is, the IP address or host name of the machine on which the DNS server is installed and running. These details are usually found in the server installation directory; for a Bind9 DNS server, for instance, they are in the file named.local.conf in the server installation directory.
  2. Provide the Key Secret, which is the key content found in the server installation directory.
  3. Provide a name for the key, choose the Algorithm, and click Save.
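To make the three fields concrete, the following added example (not from the Key Manager Plus documentation or from the project) shows what the Key Name, Algorithm and Key Secret correspond to on a BIND 9 server, and renders the nsupdate batch that exercises the same signed update path Key Manager Plus uses, so the key can be tested by hand before it is entered. The key name, zone, address, file path and challenge value are constructed; the `zonesub TXT` update policy is my suggestion for restricting the key to TXT records, not a setting the page prescribes.

```python
# Added example (not part of the Key Manager Plus documentation): generate a TSIG
# key secret, render the matching BIND 9 configuration, and render an nsupdate
# batch for the validation TXT record. All names and values are constructed.
import base64
import secrets

# HMAC output sizes; the secret is generated at the same length, as tsig-keygen does.
TSIG_ALGORITHMS = {"hmac-sha256": 32, "hmac-sha384": 48, "hmac-sha512": 64}


def generate_key_secret(algorithm="hmac-sha256"):
    """Return a random base64-encoded TSIG secret for the chosen algorithm.
    This is the value that goes into the Key Secret field."""
    return base64.b64encode(secrets.token_bytes(TSIG_ALGORITHMS[algorithm])).decode()


def bind_key_config(key_name, algorithm, secret, zone, zone_file):
    """Render a named.conf fragment: the key block plus a zone whose update
    policy lets that key change only TXT records below the zone apex."""
    if algorithm not in TSIG_ALGORITHMS:
        raise ValueError(f"unsupported TSIG algorithm {algorithm!r}")
    return (
        f'key "{key_name}" {{\n'
        f"    algorithm {algorithm};\n"
        f'    secret "{secret}";\n'
        "};\n"
        f'zone "{zone}" {{\n'
        "    type master;\n"
        f'    file "{zone_file}";\n'
        "    // grant only TXT changes within the zone, not A/MX/NS rewrites\n"
        "    update-policy {\n"
        f"        grant {key_name} zonesub TXT;\n"
        "    };\n"
        "};\n"
    )


def nsupdate_batch(server, zone, record_name, txt_value, ttl=300, action="add"):
    """Render an nsupdate batch that adds (or removes) the validation TXT record.
    Run it with:  nsupdate -k <keyfile> batch.txt
    (-y algorithm:name:secret also works but exposes the secret in `ps` output)."""
    if action not in ("add", "delete"):
        raise ValueError("action must be 'add' or 'delete'")
    if '"' in txt_value or "\n" in txt_value:
        raise ValueError("TXT value must not contain quotes or newlines")
    fqdn = record_name.rstrip(".") + "."
    ttl_field = f"{ttl} " if action == "add" else ""
    return (
        f"server {server} 53\n"
        f"zone {zone.rstrip('.')}.\n"
        f'update {action} {fqdn} {ttl_field}IN TXT "{txt_value}"\n'
        "send\n"
    )


if __name__ == "__main__":
    secret = generate_key_secret("hmac-sha256")
    print(bind_key_config("kmp-dcv", "hmac-sha256", secret, "example.test",
                          "/var/lib/bind/db.example.test"))
    print(nsupdate_batch("192.0.2.53", "example.test", "example.test",
                         "constructed-challenge-value"))
```

After reloading BIND with the rendered fragment, a successful `nsupdate` run followed by `dig TXT example.test @192.0.2.53` showing the record confirms that the key name, algorithm and secret you are about to enter in Key Manager Plus are accepted by the server; remove the test record with `action="delete"` afterwards.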


e. GoDaddy DNS

If you are using GoDaddy DNS for DNS validation, follow the steps below to automate the DNS-based domain control validation procedure using Key Manager Plus:

  1. Go to the GoDaddy developer portal and switch to the API keys tab.
  2. Log in to your GoDaddy account if you are not logged in already.
  3. Once you log in, you will be redirected to the API keys page where you can create and manage API keys.
  4. Click Create New API key.
  5. Provide your application name, choose the environment type as Production, and click Next.
  6. The API key and its secret are generated. Copy and save the secret in a secure location, as it will not be displayed again.
  7. Now, navigate to Integrations >> Public CA Integrations >> GlobalSign >> Manage >> DNS and click Add.
  8. Choose GoDaddy from the DNS Provider drop-down menu.
  9. Enter the Key and Secret that was previously generated from the GoDaddy portal.
  10. Click Save.


f. ClouDNS

If you are using ClouDNS for DNS validation, follow the steps below to automate the DNS-based domain control validation procedure using Key Manager Plus:

  1. Log in to your ClouDNS account and go to Reseller API.
  2. If you have already created an API user ID, you will find it under API Users. If not, click Create API to generate a new one.
    Click here to learn more about ClouDNS API Auth IDs.
  3. Now log in to the Key Manager Plus, navigate to Integrations >> Public CA Integrations >> GlobalSign >> Manage >> DNS, and click Add.
  4. Choose ClouDNS from the DNS Provider drop-down.
  5. Choose one of the following options: Auth ID, Sub Auth ID, Sub Auth User.
  6. Enter the chosen ClouDNS Auth ID, and its respective Auth Password, and click Save.

g. DNS Made Easy

  1. Enter the name of your choice in the Name field.
  2. The Key and the Secret will be available on the DNS Made Easy webpage under Config >> Account Information. Enter those details in the respective fields.
  3. Now, click Save to save your DNS account details. The saved DNS details will be listed under Manage >> DNS.

If you have pre-validated domains in the GlobalSign portal, you can skip the domain validation process by opting for GlobalSign's Managed SSL (MSSL) service during certificate order creation and selecting the Profile, Domain, and Product.

To opt for this during the certificate order creation, it is essential to sync the Domains and Profiles from the respective tabs before creating the certificate order.

2. Placing a Certificate Order from Key Manager Plus

Once you have configured your GlobalSign credentials, you can now leverage GlobalSign's API to generate certificate signing requests (CSRs), place orders, procure, and manage certificates directly from Key Manager Plus.

To create a new certificate order in GlobalSign with a Domain Control Validation, follow the below high-level steps:

  1. Navigate to Integrations >> Public CA Integrations >> GlobalSign and click Order Certificate.
  2. In the window that opens, select the GlobalSign account Credentials and enter the Common Name, Product Name, SSL Certificate Type, Domain Validation Type, and Validity.
    • If the Product Name is chosen as Domain SSL, enter the SSL Certificate Type as Single or Wildcard.
    • For any Product Name other than Domain SSL, provide the UCC SAN, and Validity for the same.
    • Key Manager Plus supports all three domain control validation methods: DNS-based, File-based, and Email validation.
    • If you have selected Email as the Domain Validation Type, the approver email ID is the address to which the Domain Control Validation (DCV) verification mail is sent. The approver email ID must take one of the following forms:
      • <admin@domain>, <administrator@domain>, <hostmaster@domain>, <webmaster@domain>, or <postmaster@domain>
      • Any administrator, registrant, tech, or zone contact email address that appears on the domain's WHOIS record and is visible to the CA system.
  3. Provide the Signature Algorithm, Algorithm Length, Keystore Type, Keystore Password, Primary Contact and Secondary Contact details. Users also have the option to import and use an already existing CSR or private key.
  4. Provide the organization details (applicable for organization validation and extended validation order types only), administrator contact details, and contact details of the technician placing the certificate order.
  5. After filling in all the required details, click Create.

You will be taken to a window listing the certificate orders placed, with their statuses displayed to the right of the table view.

To create a new certificate order using Managed SSL (MSSL) with pre-validated domains, follow the high-level steps below:

  1. Navigate to Integrations >> Public CA Integrations >> GlobalSign and click Order Certificate.
  2. In the window that opens, select the GlobalSign account Credentials and select the Profile, Domain, Product, and Base Options.
  3. Enter the Common Name and the relevant Subject Alternative Names (SAN) based on the selected SSL product.
  4. Provide the Algorithm Length, Keystore Password, Validity, and Admin Contact details. Users also have the option to import and use an already existing CSR or private key.
  5. After filling in the required details, click Create.

You will be taken to a window listing the certificate orders placed, with their statuses displayed to the right of the table view. Certificate orders created under MSSL do not require file-based, email-based, or DNS-based domain validation.

Note: Key Manager Plus allows you to import the already existing certificate orders placed within your account from GlobalSign and track their statuses. Click Import Existing Orders from the More top menu to import the existing open orders into Key Manager Plus.


3. Domain Control Validation, Certificate Issuance and Deployment

Note: This procedure is not applicable for the certificate order created under Managed SSL (MSSL).

Once the certificate authority receives your order, you have to go through a process called Domain Control Validation (DCV) and prove your ownership of the domain; on completion, you receive the certificate. Key Manager Plus supports all three DCV methods:

  1. E-mail-based Domain Control Validation
  2. File or HTTP-based Domain Control Validation
  3. DNS-based Domain Control Validation

3.1 E-mail-based Domain Control Validation

In email-based domain control validation, the certificate authority sends a verification email to the approver email ID specified when placing the certificate order. The email will guide you through the steps that need to be performed in order to complete the domain control validation procedure.

After completing the steps,

  1. Go to the Key Manager Plus server, and navigate to the GlobalSign window.
  2. Select the order and click Verify from the top menu.

Upon successful verification, the certificate authority issues the certificate, which is fetched and added to Key Manager Plus' secure repository. You can access the certificate from the SSL >> Certificates tab. From here, you can deploy the certificate to necessary end-point servers such as a Certificate Store or an IIS server directly from Key Manager Plus.

Click here for more details on certificate deployment.

3.2 File / HTTP-based Domain Control Validation

If you have opted for file / HTTP based domain control validation, a challenge file is displayed on creating the order. Navigate to the domain server, create the path specified, and deploy the challenge file in that path.

This entire process of deploying the challenge file in the end-point server can be automated from Key Manager Plus. This can be achieved by configuring the server details in the Deploy tab under Manage. To automate domain control validation,

  1. Navigate to GlobalSign >> Manage.
  2. If the end server is a Windows machine, initially download and install the Key Manager Plus agent for the Windows server from the Windows Agents tab.
  3. Switch to the Deploy tab and click Add.
  4. In the pop-up that opens, choose the challenge type as 'http-01', specify the domain name, choose the server type (Windows or Linux), and enter the server details. Click Save. The challenge file is automatically deployed to the corresponding end server in the specified path.
  5. Once you have deployed the challenge file, navigate to the Key Manager Plus server, switch to the GlobalSign tab, choose the order, and click Check Order Status from the top menu.

On successful domain validation, the certificate authority issues the certificate which is fetched, and added to Key Manager Plus' certificate repository (SSL >> Certificates).

3.3 DNS-based Domain Control Validation

If you have opted for DNS-based domain control validation, a DNS challenge value and text record are displayed on creating the order. Publish the text record manually in the domain's DNS zone. As with the HTTP challenge, the entire challenge verification process can be automated from Key Manager Plus by configuring the server details in the Deploy tab under Manage. To automate domain control validation,

  1. Navigate to GlobalSign >> Manage.
  2. If the end server is a Windows machine, initially download and install the Key Manager Plus agent for the Windows server from the Windows Agents tab.
  3. Switch to the Deploy tab and click Add.
  4. In the pop-up that opens, choose the challenge type as 'dns-01', specify the domain name, choose the DNS provider (Azure, Cloudflare, Amazon Route 53 DNS, RFC2136 Update, GoDaddy, or ClouDNS) and enter the server details.
  5. Check the Deploy Certificate option to deploy the certificate to the end server after procurement. Click Save.
  6. The DNS challenge values and text records are automatically created in the corresponding DNS servers.
  7. Once the challenges have been fulfilled, navigate to the Key Manager Plus server, switch to the GlobalSign tab, choose the order, and click Check Order Status from the top menu.

On successful domain validation, the certificate authority issues the certificate which is fetched and automatically added to Key Manager Plus' certificate repository. You can access the certificate from the SSL >> Certificates tab.

From here, you can deploy the certificate to the necessary end-point servers such as a Certificate Store or an IIS server directly from Key Manager Plus. Click here for more details on certificate deployment.

Notes:

  1. For DNS-based domain control validation, if you had chosen a DNS account configured under Manage >> DNS when placing the order, Key Manager Plus automates challenge verification using that account. Instead, if you have already configured the domain and server details under Manage >> Deploy, the challenge verification, and subsequently, the deployment of certificates is carried out for that specific domain and server alone.
  2. For RFC2136 DNS update, if you have opted for Global DNS configuration, the domain name itself acts as the zone name (Global DNS configuration is possible only if you are using the same Key Secret for all zones). Whereas, if you have opted for domain-agent mapping, you have to provide the Zone name, Key Name, and Key Secret for each domain separately.
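Before clicking Verify or Check Order Status, it saves a failed attempt to confirm locally that the challenge is in place. The following added example (not from the Key Manager Plus documentation or from the project) collects one pre-check per DCV method: the approver-address rule from the fixed local parts listed in section 2, a comparison of the served challenge file with the value shown on the order for the file/HTTP method, and a parser for `dig +short TXT` output for the DNS method that handles long records split into quoted chunks. Domains, tokens and function names are constructed; WHOIS-contact approver addresses cannot be checked offline and are out of scope.

```python
# Added example (not part of the Key Manager Plus documentation): local pre-checks
# for the three DCV methods. All domains, tokens and record values are constructed.
import re
import subprocess
import urllib.request

# Fixed approver local parts listed in the ordering section of this page.
APPROVER_LOCAL_PARTS = {"admin", "administrator", "hostmaster", "webmaster", "postmaster"}


def validation_domain(common_name):
    """Domain a DCV challenge applies to: the common name lower-cased, with a
    trailing dot and any leading '*.' wildcard label removed."""
    name = common_name.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name


def approver_email_ok(email, common_name):
    """True when the approver address uses one of the fixed local parts at the
    validated domain or at a parent of it. The CA additionally refuses public
    suffixes (e.g. admin@com), which is not modelled here."""
    local, sep, email_domain = email.strip().lower().rpartition("@")
    if not sep or local not in APPROVER_LOCAL_PARTS:
        return False
    target = validation_domain(common_name)
    return target == email_domain or target.endswith("." + email_domain)


def http_challenge_matches(expected_content, status, body):
    """Compare an HTTP response with the challenge file content from the order."""
    return status == 200 and body.strip() == expected_content.strip()


def fetch_http_challenge(domain, path, timeout=10):
    """Fetch http://<domain>/<path> over the network (not used by the tests)."""
    url = f"http://{domain}/{path.lstrip('/')}"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8", "replace")


def parse_dig_txt(dig_output):
    """Parse `dig +short TXT <name>` output into one string per record.
    Records longer than 255 bytes are printed as several quoted chunks on one
    line; resolvers present them concatenated, so join them the same way."""
    records = []
    for line in dig_output.splitlines():
        chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        if chunks:
            records.append("".join(c.replace('\\"', '"').replace("\\\\", "\\") for c in chunks))
    return records


def dns_challenge_published(expected_value, dig_output):
    """True when the expected TXT value is among the published records."""
    return expected_value in parse_dig_txt(dig_output)


def query_txt(name, nameserver=None):
    """Run dig for the TXT record set (network; not used by the tests). Query
    the zone's authoritative server to avoid a stale cached answer."""
    cmd = ["dig", "+short", "TXT", name]
    if nameserver:
        cmd.append(f"@{nameserver}")
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Constructed values standing in for what the order window displays.
    print(approver_email_ok("hostmaster@example.test", "www.example.test"))
    print(dns_challenge_published("constructed-challenge-value",
                                  '"constructed-challenge-value"\n'))
```

For the DNS method, query the authoritative name server with `query_txt(name, nameserver=...)` rather than a recursive resolver; a record that is present at the authority but not yet visible through caching resolvers is the usual reason an otherwise correct order stays pending for a while.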


4. Renew, Reissue, Verify and Delete Certificate

You can renew, reissue, verify, and delete certificate orders placed with third-party certificate authorities from Key Manager Plus.

4.1 Manual Certificate Renewal

To renew the desired certificates manually, perform the steps that follow:

  1. Navigate to Integrations >> GlobalSign.
  2. Select the required order and click Renew Certificate from the top menu.
  3. Complete the domain control validation (DCV) procedure if necessary.
  4. On successful validation, the certificate is issued and the new version is automatically updated in the SSL >> Certificates tab.

Certificate renewal is allowed only 90 days before the expiry date of the selected certificate.

4.2 Automated Certificate Renewal

To configure the auto-renewal process for the desired certificates, perform the steps that follow:

  1. Navigate to Integrations >> GlobalSign and click Manage from the top right pane.
  2. From the page that appears, navigate to the Auto-Renewal section and enable the auto-renewal process.
  3. Enter the number of days before expiry in which the auto-renewal process is to be carried out.
  4. Select the desired certificates that are to be auto-renewed.
  5. Select the Algorithm Length, KeyStore Type, Signature Algorithm, and Validity for the newly renewed certificate and click Save.

Based on the configured details, the auto-renewal process will be carried out. Click the Auto-Renewal Audit to get insights about the certificates renewed through the auto-renewal process.

4.3 Reissue Certificate

To reissue the required certificates, follow these steps:

  1. Navigate to Integrations >> GlobalSign.
  2. Select the required order and click Reissue Certificate from the top menu.
  3. The certificate is reissued and automatically updated in the SSL >> Certificates tab.

4.4 Certificate Request Verification

To verify a certificate request, follow these steps:

  1. Navigate to Integrations >> GlobalSign.
  2. Select a certificate order that is pending in Key Manager Plus and click Verify from the top menu.
  3. If the selected certificate is a Domain Validation certificate, then Key Manager Plus will perform Domain Verification and URL Verification with GlobalSign and issue the certificate once the verification is complete. The issued certificate will be added to the SSL certificate repository in Key Manager Plus.
  4. If the selected certificate is not a Domain Validation certificate, then Key Manager Plus will fetch the status of the certificate alone from GlobalSign.

4.5 Delete Certificate Orders

To delete a certificate order, follow these steps:

  1. Navigate to Integrations >> GlobalSign.
  2. Select the required certificate and click Delete from the More top menu.
  3. The certificate request is deleted from Key Manager Plus.

Note: When a certificate request is deleted, it is removed only from Key Manager Plus. The order remains open in your account on the GlobalSign website, and you can import it back into Key Manager Plus if needed using GlobalSign >> More >> Import Existing Orders.
