Frequently Asked Questions

There is no prerequisite software installation needed to use Key Manager Plus. Click here to learn about compatible environments required for installing and operating Key Manager Plus.

Please use the below links for detailed explanation on Key Manager Plus installation and MS SQL database configuration.

• Setup / Installation -
   https://www.manageengine.com/key-manager/help/index.html
• MS SQL database configuration -
   https://www.manageengine.com/key-manager/help/configure-mssql-db.html

By default, Key Manager Plus uses the following ports for web client and backend database.

• PostgreSQL (backend database) - Port 53306
• Web client - Port 6565

Follow the steps mentioned below to upload server certificate for Key Manager Plus.

• Navigate to Settings → General Settings → Server Certificate
• Browse for and upload the required certificate file.
• You can also choose a certificate already stored in Key Manager Plus' certificate repository and set it as the server certificate.
• Click the Existing Certificate option and choose the required certificate.
• The chosen certificate is set as Key Manager Plus' server certificate. The change will take effect once you restart the application.

For more details regarding server certificate deployment, click here.

The below link contains detailed explanation on how to apply upgrade pack for Key Manager Plus.

We maintain release notes, which records all the new feature enhancements and bug fixes made in every Key Manager Plus release.

Yes, you can. Navigate to the Discovery tab and select the discovery type IP Address Range. Provide the starting and ending IP addresses and click Discover. All the accessible resources within the range will be discovered and listed.

Navigate to the Discovery tab and select the discovery type From file. Upload a text file containing a list of host names / IP addresses (along with the port) listed one below another in the format shown below.

0.0.0.0 443,6565
test-username-10 6565,7272,443
192.168.20.20 7272

No. Currently we don't have provisions to specify port range during resource discovery. This might be available in one of our future releases.

However, you can specify multiple ports during a resource discovery by separating them with commas in the Port field.

For instance:

6565,7272,443

To successfully discover, import and manage certificates from your Certificate Store and those issued by your Microsoft Certificate Authority (MS CA), make sure that you use your domain administrator account as Key Manager Plus' service logon account. In case you use a domain service account to run Key Manager Plus, make sure you've configured it in the local admin group beforehand. Restart Key Manager Plus after the configurations are made for the changes to take effect then perform MS CA discovery.

For step-by-step explanation on Certificate Store and MS CA discovery, click here. If the issue persists, write to keymanagerplus-support@manageengine.com

No, Key Manager Plus adopts the same approach for managing SSH user accounts and SSH service accounts. The only difference is that during resource discovery, if service / root account credentials are provided to establish connection with the resource, you acquire extended privileges to import and manage keys from all user accounts in the resource. 

Whereas, when connection to the resource is established using user account credentials, you get key management privileges only for SSH keys present in that particular account. 

Yes. We have a dashboard that displays the number of keys that were not rotated for the predefined time period as specified in the notification policy. You can drill down from here to obtain further information about these keys by clicking on the widget. 

No. Key Manager Plus supports all X.509 certificate types.

Yes. You can create scheduled tasks to perform automatic certificate discovery through which you can import and replace old certificates from target systems with their updated versions in Key Manager Plus' certificate repository. Click here for detailed explanation on schedule creation.

No, it doesn't. The AD User Certificate and MS Certificate Store tabs appear only in the Windows version of Key Manager Plus.

Key Manager Plus differentiates certificates by their common names and records certificates with same common names as a single entry in its certificate repository. We've designed it this way because Key Manager Plus licencing is based on the number of certificates and we don't want customers spending many licence keys for the same certificate. 

However, if there's a need to manage both certificates separately, you can do so by listing it as a separate entry in Key Manager Plus' certificate repository. Once listed, the newly added certificate will be counted for licensing.

To add certificate with the same common name as a separate entry in certificate repository,

• Navigate to SSL → Certificates and click Certificate History icon on the right side of the table view.
• Click Certificate Settings icon beside the required version of the certificate and click Manage Certificate.
• The selected version is listed as a separate certificate in the certificate repository.
• In case you want to manage only one version of the certificate, click Certificate Settings icon beside the required version and choose Set as current certificate option. The chosen version is set for management.

Follow the steps below to import a certificate's private key into Key Manager Plus.

• Navigate to SSL → Certificates tab.
• Select the certificate for which you need to import the private key.
• Choose Import Key option from the More top menu.
• Browse for the file that contains the private key, enter the keystore password and click Import. The private key is imported and attached to the selected certificate.

Key Manager Plus facilitates certificate deployment through which you can deploy certificates from its repository to target server's Microsoft Certificate Store.  

Click here for step-by-step explanation on certificate deployment. 

To map the certificate to its corresponding application, you've to manually restart the server on which the application is running for the change to take effect. 

No. Key Manager Plus currently doesn't support subnet based SSL certificate discovery. However, this might be available in one of our future releases. 

No. Currently, Key Manager Plus doesn't support automatic scheduling for certificate discovery from MS Certificate Store. This might be available in one of our future releases.

For MS CA auto renewal to occur, you have to first ensure that the specific setting is enabled in Key Manager Plus. Navigate to Settings → SSL → Microsoft CA Auto Renewal. Enable the auto renewal task, specify the recurring time and hit Save.

Once auto renewal is enabled, certificates in Key Manager Plus which are issued by Microsoft CA and expired / due expiration in 10 days or less are automatically renewed.

For receiving email notifications, please make sure that you've configured your mail server details. If not, follow the steps below to configure mail server settings.

• Navigate to Settings → General Settings → Mail Server in Key Manager Plus' interface.
• Enter the server name and specify the port used for communication. Enter the username and password for authentication.
• Enter the "from" and "to" email addresses.
• Click Test Mail to send a test mail to the specified email address and verify the settings.
• Click Save. You will get a confirmation message about the updated mail server settings.

Email notifications are generated ONLY for certificates listed in Key Manager Plus' certificate repository and NOT for different versions of a certificate displayed in "Certificate History" section. 

Refer to the below help document for detailed explanation on HTTP-01 based automated domain validation.

Yes. Key Manager Plus (from version 5610) supports automated domain validation through DNS-01 challenge verification (for Azure and Cloudflare DNS), for Let's Encrypt certificate renewals. 

Refer the help section below for detailed explanation on DNS-01 based challenge verification.

Yes. Key Manager Plus provides REST API for all the major functionalities.

Access the link below for detailed REST API documentation.

Key Manager Plus houses a key vault called "Key Store" which facilitates the storage and management of any type of digital key. However, the option to discover and import is limited to SSH keys and SSL certificates only and isn't available for other types of digital keys.

Yes. All types of SSL certificates, SSH keys and any other digital key being managed using Key Manager Plus is taken into account for licensing. There's a dashboard widget "License Details" that provides insights on the type and number of digital identities being managed using Key Manager Plus that will be taken into account for licensing. 

Key Manager Plus provides a CMDB synchronization feature with ManageEngine ServiceDesk Plus, wherein admins can actually export certificate details from Key Manager Plus' certificate repository to ServiceDesk Plus' CMDB and thereby can keep tabs on usage, expiration, and other aspects of SSL certificate management.

For detailed explanation on integration with SDP's CMDB, click here.

"Error: PMP encryption key file is not available in E:\Manage Engine Key Manager\IPB Key\pmp_key.key INFO | jvm 1 | 2018/05/18 16:25:34 | Error: Exception while initializing PMP Cryptography. java.lang.Exception: PMP encryption key file is not available in E:\Manage Engine Key Manager\IPB Key\pmp_key.key"

The above issue occurs if there is a location mismatch of "pmp_key.key" file configured in "manage_key.conf" file and the actual path of the "pmp_key.key" file. 

To resolve the issue, follow the steps below and then restart Key Manager Plus.

• Navigate to\Conf folder and look for the file named "pmp_key.key".
• Copy the pmp_key.key file from\Conf folder and paste it in the path: E:\Manage Engine Key Manager\IPB Key"
• Restart Key Manager Plus.

This should resolve the startup issue. If you have more queries, feel free to write to us at keymanagerplus-support@manageengine.com

(NOTE: If you wish to change the location of the key file to a different directory, edit the file named "manage_key.conf" from\Conf folder with wordpad/notepad++, provide the new directory location, and move the pmp_key.key to the location specified in the file. Please make sure that "manage_key.conf" file under conf/ folder contains the correct complete path where the "pmp_key.key" file is available.)

"Failed to start KeyManager service. REASON: Access is denied."

The occurence of the above error might be because of permission issue. Follow the steps mentioned below and check whether the issue is being resolved. If not, contact us at keymanagerplus-support@manageengine.com.

• Right click on Key Manager Plus tray icon () and click Exit.
• Then navigate to <KMP Installation Folder> and look for the file "keymanager.exe".
• Right click on the .exe file and choose Run as administrator option. Doing this will resolve any permission issue and you'll be able to access Key Manager Plus using the tray icon.