Integration with DigiCert SSL
Key Manager Plus integrates with the DigiCert signing authority, allowing enterprises to automate the end-to-end management of web server certificates signed and issued by DigiCert from a centralized platform. This document describes the steps to manage the life cycle operations of SSL/TLS certificates issued by DigiCert directly from the Key Manager Plus web interface, from importing existing orders and requesting and provisioning certificates to deployment, renewal, and beyond.
Before you proceed with the integration, complete the following step as a prerequisite:
Prerequisite
Add the following base URL and port as an exception in your firewall or proxy to ensure Key Manager Plus is able to connect to DigiCert's CA Services.
URL: https://www.digicert.com/services/v2/
Port: 443
Follow the step-by-step procedure below to integrate DigiCert with Key Manager Plus:
1. Configure CertCentral API Key Details in Key Manager Plus
The first step to request and manage DigiCert certificates is to link both your Key Manager Plus and CertCentral accounts by configuring your CertCentral API key details in Key Manager Plus.
Case 1: You do not have a DigiCert account
If you do not have a DigiCert account already, follow the steps below to sign up for a new account and generate your CertCentral API key.
- Go to https://www.digicert.com/account/signup/ and sign up for a new account by filling in the details requested.
- Once you have successfully created your account, navigate to https://www.digicert.com/secure/, and use your DigiCert credentials to log into the CertCentral portal.
- Once inside CertCentral, the next step is to generate an API key and supply the credentials in Key Manager Plus. To generate your CertCentral API key,
- Click Automation on the left pane of the CertCentral portal and click Add API Key.
- In the window that opens, give the API key a name / description and assign a user. The assigned user should have admin privileges in DigiCert.
- Click Add.
- A new API key is generated and displayed in a different window. Copy the key and store it in a secure location, for it will not be displayed again.
- Click here for a more detailed explanation on CertCentral account creation and API key generation process.
- Once you have generated the API key, switch to Key Manager Plus interface, navigate to Integrations >> Public CA Integrations >> DigiCert.
- Click Add. Provide the API key Name, Key and click Save. This is a one-time operation.
- The key is saved. Your CertCentral account is now successfully linked with your Key Manager Plus account.
Case 2: You have a DigiCert account
If you have an account with DigiCert CertCentral already, all you have to do is generate your API key from the CertCentral portal and provide it in Key Manager Plus.
- Log in to your CertCentral account, and generate the API key using the steps mentioned above.
- Once you have generated the API key, switch to Key Manager Plus interface, navigate to Integrations >> DigiCert.
- Click Add. Provide the API key Name, Key and click Save. This is a one-time operation.
- The key is saved. Your CertCentral account is now successfully linked with your Key Manager Plus account.
To delete an API key, select the key(s) you wish to delete and click Delete from the top pane. In the pop-up that appears, click OK.
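A preflight for the prerequisite and step 1, as an added example that is not part of the Key Manager Plus or DigiCert documentation: it sends one authenticated request to the base URL and reports whether a failure comes from the firewall/proxy exception or from the API key. The `user/me` path, the `X-DC-DEVKEY` header and the `DIGICERT_API_KEY` variable name are assumptions not taken from this page.

```python
"""Preflight for the DigiCert integration: is the API reachable, and is the key accepted?"""
import os
import ssl
import sys
import urllib.error
import urllib.request

BASE_URL = "https://www.digicert.com/services/v2/"  # base URL from the prerequisite
PROBE_PATH = "user/me"      # assumption: read-only CertCentral endpoint, not named on this page
KEY_HEADER = "X-DC-DEVKEY"  # assumption: CertCentral API key header, not named on this page

ADVICE = {
    "ok": "Reachable and key accepted; the key can be saved in Key Manager Plus.",
    "key-rejected": "Reachable, but the key was refused; check the key and its assigned user.",
    "tls-intercepted": "Certificate verification failed; a proxy may be re-signing TLS for this URL.",
    "blocked": "No HTTP response; add the URL and port 443 to the firewall/proxy exceptions.",
    "unexpected": "Reachable, but the API answered with an unexpected status.",
}


def classify(status=None, error=None):
    """Map a probe outcome to the part of the setup that needs attention."""
    if isinstance(error, ssl.SSLCertVerificationError):
        return "tls-intercepted"
    if error is not None:
        return "blocked"          # DNS failure, refused connection, timeout, proxy error
    if status == 200:
        return "ok"
    if status in (401, 403):
        return "key-rejected"     # any HTTP status proves the network path is open
    return "unexpected"


def probe(api_key, timeout=10):
    """Send one authenticated GET and classify the result; the key is never logged."""
    request = urllib.request.Request(BASE_URL + PROBE_PATH, headers={KEY_HEADER: api_key})
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return classify(status=response.status)
    except urllib.error.HTTPError as exc:
        return classify(status=exc.code)
    except urllib.error.URLError as exc:
        return classify(error=exc.reason)
    except OSError as exc:        # read timeouts surface as plain socket errors
        return classify(error=exc)


if __name__ == "__main__":
    # DIGICERT_API_KEY is a hypothetical variable name; keep the key out of shell history.
    verdict = probe(os.environ["DIGICERT_API_KEY"])
    print(f"{verdict}: {ADVICE[verdict]}")
    sys.exit(0 if verdict == "ok" else 1)
```

Run it from the Key Manager Plus host so that it traverses the same firewall and proxy path the product will use.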
2. Pre-validate Organizations and Domains in CertCentral
(To be performed in CertCentral portal)
Before placing orders for DigiCert certificates from Key Manager Plus, you must have your domains / organizations pre-validated from the CertCentral portal. Once the pre-validation process is complete, future certificate issuance and renewals for those domains / organizations become straightforward. Refer to the CertCentral user guide for a more detailed explanation of the pre-validation process.
3. Import Existing Orders
The next step is to import all certificate orders from your CertCentral portal into Key Manager Plus. To import existing orders,
- Navigate to Integrations >> DigiCert window in Key Manager Plus.
- Click Import Existing Orders from the More top menu.
- When importing the existing orders, you can choose to exclude expired or revoked certificates from being added to the Key Manager Plus certificate repository. (This option helps you save license count by keeping unnecessary certificates out of Key Manager Plus. However, irrespective of the option chosen, all the order details are imported into Key Manager Plus.)
- Select the required option and click Import.
- All the existing certificate orders associated with your CertCentral account are imported into Key Manager Plus.
4. Create New Certificate Orders
Once you have successfully linked both your CertCentral and Key Manager Plus accounts by providing the API key details, you can place orders for DigiCert SSL/TLS certificates directly from Key Manager Plus.
To place a new certificate order,
- Navigate to Integrations >> DigiCert window in Key Manager Plus, and click Order Certificate.
- In the window that opens, choose the product name, validity, signature algorithm, algorithm length, keystore type, server platform, payment method, and organization.
- Provide the common name. You can additionally specify the validity in number of days, or provide a custom expiration date.
- After filling in the details, click Create.
Notes:
- Key Manager Plus allows you to import both client certificates and server certificates from the DigiCert repository.
- Product name, payment, and organization fields are fetched and displayed according to the permissions provided in CertCentral portal.
- For certificate validity, the input given for 'Custom Expiry Date' overrides 'Validity Days', which in turn overrides the input given for 'Validity'.
- The payment for orders placed from Key Manager Plus is handled by the CertCentral portal. Should you face any issues/discrepancies with payment, please contact the CertCentral customer support team.
5. Certificate Issue
- Once a certificate order is successfully created, you can view it in the Integrations >> DigiCert window, with its status displayed on the right.
- You can track the certificate availability for an order by selecting the order and clicking on Check Order Status from the top menu.
- If the certificate is issued, it is fetched and added to Key Manager Plus certificate repository.
- Also, the order status is checked automatically every day on a scheduled basis. If the certificate is available, it is fetched and added to Key Manager Plus certificate repository.
- Additionally, you can track the validation status for domains / organizations from Key Manager Plus. Choose an order and click Check Validation Status from the top menu.
- To filter your order view according to the order status, click the Show drop-down from the top menu and select from the options Expired, Revoked, or Rejected to customize your repository display. For other statuses such as Issued or Pending, select the Other option.
Note: Issued certificates are automatically added to the Key Manager Plus repository only if you have the required license count. If not, you need to renew your Key Manager Plus license before attempting to import the certificate.
6. Renew, Reissue, Revoke, Delete and Cancel Certificates
You can renew, reissue, revoke, or delete certificates, or cancel certificate orders, from Key Manager Plus.
6.1 Manual Certificate Renewal
To renew the desired certificates manually, perform the steps that follow:
- Navigate to Integrations >> DigiCert.
- Select the required certificate and click Renew Certificate from the top menu.
- Ensure that you have the domain(s) / organization pre-validated from the CertCentral portal before requesting a renewal.
- On successful validation, the certificate is issued and is automatically added to the Key Manager Plus certificate repository.
6.2 Automated Certificate Renewal
To configure the auto-renewal process for the desired certificates, perform the steps that follow:
- Navigate to Integrations >> DigiCert and click Manage from the top right pane.
- From the page that appears, navigate to the Auto-Renewal section and enable the Auto-Renew toggle button.
- Enter the number of days before expiry at which the auto-renewal process is to be carried out.
- Select the desired certificates that are to be auto-renewed.
- Select the Algorithm Length, KeyStore Type, Server Platform and Payment Method, enter an E-mail ID for the newly renewed certificate, and click Save.
Based on the configured details, the auto-renewal process will be carried out. Click the Auto-Renewal Audit to get insights about the certificates renewed through the auto-renewal process.
6.3 Reissue Certificate
To reissue the required certificates, do the steps that follow:
- Navigate to Integrations >> DigiCert.
- Select the required certificate and click Reissue Certificate from the top menu.
- Here again, ensure that you have the domain(s) / organization pre-validated from the CertCentral portal before requesting a certificate reissue.
- On successful validation, the certificate is reissued and is automatically added to Key Manager Plus certificate repository.
6.4 Revoke Certificate
To revoke the certificates, do the steps that follow:
- Navigate to Integrations >> DigiCert.
- Select the required certificate and click Revoke Certificate from the More top menu.
- The certificate is revoked. Switch to SSL >> Certificates tab and delete the certificate to remove it from Key Manager Plus' repository.
6.5 Delete Certificate
To delete the certificates, do the steps that follow:
- Navigate to Integrations >> DigiCert.
- Select the required order and click Delete from the More top menu.
- The certificate request is deleted from Key Manager Plus.
6.6 Cancel Certificate Order
To cancel a certificate order, do the steps that follow:
- Navigate to Integrations >> DigiCert.
- Select the required order and click Cancel Order from the More top menu.
- The certificate order is canceled.