Integration with Sectigo Certificate Manager
Key Manager Plus integrates with Sectigo Certificate Manager (SCM), a PKI management platform that specializes in managing SSL/TLS certificates, SSH keys, and various other digital identities. The integration leverages SCM's API and allows Key Manager Plus to act as a centralized platform where you can import and manage SSL/TLS certificates from the SCM. You can automate the lifecycle management of these certificates through the operations that the integration supports.
In this document, you will learn the steps to manage the lifecycle of SSL/TLS certificates issued by the SCM, which includes importing existing orders, creating new certificate requests, deployment, and renewal of certificates.
Pre-requisite:
Add the following base URL and port as an exception in your firewall/proxy to permit Key Manager Plus to connect to the SCM.
URL: https://cert-manager.com/api
Port: 443
- Set up Sectigo Certificate Manager details in Key Manager Plus
- Import existing orders
- Create a new certificate order
- Certificate issue
- Renew, reissue, revoke, and delete certificates
1. Set up Sectigo Certificate Manager Details in Key Manager Plus
To begin managing SSL certificates issued by Sectigo from Key Manager Plus, you must add your SCM account in Key Manager Plus and link your unique Customer URI.
If you do not have an SCM account, contact the Sectigo team to sign up and get your login credentials and the Customer URI.
If you have an SCM account, follow the steps below to link your account with Key Manager Plus and begin the integration process.
- Log into the Key Manager Plus web interface, navigate to Integrations >> Public CA Integrations >> Sectigo and click Manage.
- Under Account, enter your SCM User Name, Password, your unique Customer URI and click Save. This is a one-time operation. You can find your Customer URI as the suffix of your SCM login URL.
- The SCM account details are saved, and the account is now linked to your Key Manager Plus account.
Important Notes:
- For this integration to work as expected, the SCM account you are using must have the MRAO Admin user role in the Sectigo portal.
- The user profile under the SCM account you are using must contain pre-validated domains and organizations. To send certificate requests, Key Manager Plus fetches the existing domains, organizations, and certificate profiles from the SCM. Since the SCM issues certificates based on certificate profiles and pre-validated domains, this step is vital to ensure success of the integration.
- Once the integration is complete, all the organizations, domains, and certificate profiles listed in your SCM account will be imported into Key Manager Plus and displayed under individual tabs, along with their ID and status. This information is updated once a week through an automated schedule. To manually sync your account, click the Sync option available under each tab.
2. Import Existing Orders
If you have an active SCM account, you likely have existing certificate orders that can be managed using the Sectigo Certificate Manager. Apart from creating new certificate orders, you can also import all the existing orders from the SCM portal and manage them from the Key Manager Plus interface.
- Navigate to the Integrations >> Public CA Integrations >> Sectigo tab in Key Manager Plus.
- Click More >> Import Existing Orders from the top menu.
- Select the required option and click Import.
- All the existing certificate orders associated with your SCM account are imported into Key Manager Plus.
3. Create a New Certificate Order
Once you have successfully linked your SCM account with Key Manager Plus, you can start creating new certificate orders directly from Key Manager Plus.
To place a new certificate order:
- Navigate to the Integrations >> Public CA Integrations >> Sectigo tab and click Order Certificate.
- In the window that opens, enter the following attributes: Common Name, SAN, Organization, Certificate Profile, Term, Key Algorithm, Key Size, Keystore Type, Keystore Password, Comments, and External Requester Emails.
- Ensure that you have selected the appropriate Certificate Profile. Also, ensure that the comment does not exceed 1024 characters.
- Verify your details and click Create.
Note: If you find any mismatch in the SCM-related details that are displayed here, please verify the details in the Sectigo portal and then perform a manual sync under Sectigo >> Manage in the Key Manager Plus interface to refresh the details.
4. Certificate Issue
- Once a certificate order is successfully created, you can view it under the Integrations >> Public CA Integrations >> Sectigo tab with its status displayed to the right.
- To track the certificate availability for an order, select the order and click Check Order Status from the top menu.
- Once a certificate is issued, it is fetched and added to the Key Manager Plus certificate repository. You will be able to view it under SSL >> Certificates.
- Typically, the status of your certificate orders is checked automatically every day through a schedule. This way, whenever a certificate is available, it is fetched and added to the Key Manager Plus certificate repository.
Note: Issued certificates are automatically added to Key Manager Plus only if you have the required license count. If not, you must renew your Key Manager Plus license before attempting to import any certificates.
5. Renew, Reissue, Revoke, and Delete Certificates
From Key Manager Plus, you can renew, reissue, revoke, and delete certificates, and cancel certificate orders.
5.1 Manual Certificate Renewal
To renew the desired certificates manually, perform the steps that follow:
- Navigate to the Integrations >> Public CA Integrations >> Sectigo window.
- Select the required certificate and click Renew Certificate from the top menu.
- Upon successful validation, the certificate is issued and will be automatically added to the Key Manager Plus certificate repository.
5.2 Automated Certificate Renewal
To configure the auto-renewal process for the desired certificates, perform the steps that follow:
- Navigate to Integrations >> Public CA Integrations >> Sectigo and click Manage from the top right pane.
- From the page that appears, navigate to the Auto-Renewal section and enable the auto-renewal process.
- Enter the number of days before expiry at which the auto-renewal process is to be carried out.
- Select the desired certificates that are to be auto-renewed and click Save.
The auto-renewal process is carried out based on the configured details. Click Auto-Renewal Audit to get insights about the certificates renewed through the auto-renewal process.
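The following added example (not part of Key Manager Plus or the SCM) audits auto-renewal coverage: given a certificate inventory and the configured days-before-expiry value, it reports certificates that fall inside the renewal window but were not selected for auto-renewal. The CSV column names and the sample rows are assumptions constructed for this illustration.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample inventory; the column names are assumptions for this
# example, not an export format defined by Key Manager Plus or the SCM.
SAMPLE_INVENTORY = """common_name,not_after,auto_renew
www.example.com,2025-07-10,yes
api.example.com,2025-07-20,no
mail.example.com,2025-06-25,no
intranet.example.com,2025-12-01,no
"""


def audit_renewal_coverage(inventory_csv, days_before_expiry, today):
    """Classify certificates against the auto-renewal window.

    Returns a dict with three lists of common names:
      expired   - not_after is already in the past
      covered   - expires inside the window and is selected for auto-renewal
      uncovered - expires inside the window but is NOT selected
    Certificates that expire after the window are not reported.
    """
    if days_before_expiry < 0:
        raise ValueError("days_before_expiry must not be negative")
    window_end = today + timedelta(days=days_before_expiry)
    report = {"expired": [], "covered": [], "uncovered": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        name = row["common_name"].strip()
        not_after = date.fromisoformat(row["not_after"].strip())
        enrolled = row["auto_renew"].strip().lower() == "yes"
        if not_after < today:
            # Already expired: needs manual attention regardless of enrolment.
            report["expired"].append(name)
        elif not_after <= window_end:
            report["covered" if enrolled else "uncovered"].append(name)
    return report


if __name__ == "__main__":
    result = audit_renewal_coverage(SAMPLE_INVENTORY, 30, date(2025, 7, 1))
    for bucket, names in result.items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Entries in the uncovered list are the ones to either select for auto-renewal or renew manually as described in section 5.1.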
5.3 Reissue Certificates
To reissue the required certificates, perform the steps that follow:
- Navigate to Integrations >> Public CA Integrations >> Sectigo.
- Select the required certificate and click Reissue Certificate from the top menu.
- Upon successful validation, the certificate is issued and will be automatically added to the Key Manager Plus certificate repository.
5.4 Revoke Certificates
To revoke certificates, perform the steps that follow:
- Navigate to Integrations >> Public CA Integrations >> Sectigo.
- Select the required certificate and click More >> Revoke Certificate from the top menu.
- The certificate is revoked. Go to the SSL >> Certificates tab and delete the certificate to remove it from the Key Manager Plus repository.
5.5 Delete Certificate Orders
To delete certificate orders, perform the steps that follow:
- Navigate to Integrations >> Public CA Integrations >> Sectigo.
- Select the required order and click More >> Delete from the top menu.
- The certificate request is deleted from Key Manager Plus.
Note: The Delete option only removes the certificate from the Key Manager Plus interface, after which you can no longer manage it from the product. It does not delete the certificate request from the SCM; the certificate can still be viewed and managed from the SCM portal.