Integrating PAM360 with DigiCert SSL Certificate Authority
PAM360 integrates with the DigiCert certificate signing authority, allowing enterprises to automate the end-to-end management of web server certificates signed and issued by DigiCert from a centralized platform. This document discusses the steps to manage the lifecycle of SSL certificates issued by DigiCert directly from PAM360's web interface; these operations include importing existing orders, certificate requests, provisioning, deployment, and renewal of certificates.
Before you proceed with the integration, complete the following step as a prerequisite:
Prerequisite
Add the following base URL and port as an exception in your firewall or proxy to ensure PAM360 is able to connect to DigiCert's CA Services.
URL: https://www.digicert.com/services/v2/
Port: 443
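A preflight check for the exception described above, added here as an example and not part of PAM360 or DigiCert tooling: run from the PAM360 server, it opens a verified TLS session to the base URL's host and reports the certificate issuer, which exposes a TLS-inspecting proxy that re-signs the connection. It assumes direct or transparently proxied egress (an explicit HTTP proxy is not used), sends no API key, and the function names are illustrative.

```python
import socket
import ssl
from urllib.parse import urlsplit

# Base URL taken from the prerequisite above.
BASE_URL = "https://www.digicert.com/services/v2/"

def endpoint(url):
    """Return the (host, port) pair the firewall/proxy rule has to allow."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"expected an https URL, got {url!r}")
    return parts.hostname, parts.port or 443

def issuer_org(cert):
    """Pull the issuer organizationName out of an ssl.getpeercert() dict."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None

def diagnose(exc):
    """Map a connection failure to the most likely network-side cause."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "tls-untrusted: chain not trusted here; check for a TLS-inspecting proxy"
    if isinstance(exc, ssl.SSLError):
        return "tls-failed: handshake broken; check proxy or protocol filtering"
    if isinstance(exc, socket.gaierror):
        return "dns-failed: host name does not resolve from this server"
    if isinstance(exc, (socket.timeout, TimeoutError, ConnectionError)):
        return "blocked: no TCP path; check the firewall exception"
    return f"error: {exc}"

def preflight(url=BASE_URL, timeout=5.0):
    """Open a verified TLS session and report who issued the certificate seen."""
    host, port = endpoint(url)
    ctx = ssl.create_default_context()  # verifies the chain and the host name
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return f"ok: {tls.version()}, issuer={issuer_org(tls.getpeercert())}"
    except OSError as exc:
        return diagnose(exc)

if __name__ == "__main__":
    print(preflight())
```

An `ok` result whose issuer is your organization's internal CA means the proxy is decrypting the session that will later carry the CertCentral API key.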
Follow the step-by-step procedure below to integrate DigiCert with PAM360:
- Configuring DigiCert CertCentral API Key Details
- Pre-validating Organizations/Domains in DigiCert CertCentral
- Importing Existing Orders
- Creating a Certificate Order
- Issuing Certificates
- Managing Certificates
1. Configuring DigiCert CertCentral API Key Details
To request and manage DigiCert certificates from PAM360, you need to link your PAM360 account with your DigiCert CertCentral account. To achieve this, you must apply your CertCentral API key details in PAM360.
Case 1: You do not have a DigiCert account
If you do not have a DigiCert account already, follow the steps below to sign up for a new account:
- Go to DigiCert's sign up page and fill in the required details.
- Once the account is created, navigate to DigiCert's login page and log into the CertCentral portal using your DigiCert credentials.
- Once logged in, generate your CertCentral API key by following the below steps.
- Go to Automation on the left pane of the CertCentral portal and click Add API Key.
- In the window that opens, enter a Name and Description for the API key, and assign a User. The user assigned should have admin privileges in DigiCert.
- Click Add.
- A new API key is generated and displayed in a different window. Copy the key and store it in a secure location, because it will not be displayed again.
- Click here for more about CertCentral account creation and API key generation process.
- Once you have generated the API key, log in to PAM360 and navigate to Certificates >> DigiCert.
- You will be prompted to enter the API key. Provide the key details and click Save. (Remember, applying the API key in PAM360 is a one-time operation.)
Now the key is saved and your CertCentral account is successfully linked to your PAM360 account.
Case 2: You have a DigiCert account
If you have an account with DigiCert CertCentral already, all you have to do is generate your API key from the CertCentral portal and provide it in PAM360.
- Log in to your CertCentral account, and generate the API key using the steps mentioned above.
- Once you have generated the API key, switch to the PAM360 interface and navigate to Certificates >> DigiCert.
- Click Add. Provide the API key Name, Key and click Save. This is a one-time operation.
- The key is saved. Your CertCentral account is now successfully linked with your PAM360 account.
To delete an API key, select the key(s) you wish to delete and click Delete from the top pane. In the pop-up that appears, click Ok.
2. Pre-validating Organizations/Domains in DigiCert CertCentral
(To be performed in the DigiCert CertCentral portal)
Before placing orders for DigiCert certificates from PAM360, you must have your domains/organizations pre-validated from the DigiCert CertCentral portal. Once the pre-validation process is complete, you can proceed with certificate issuance and renewals for those domains/organizations. Read more about the pre-validation process in the CertCentral user guide.
3. Importing Existing Orders
The next step is to import all certificate orders from your CertCentral portal into the PAM360 repository. Follow the below steps:
- Navigate to Certificates >> DigiCert tab.
- Click Import Existing Orders from the More drop down in the top bar.
- Select the Expired or Revoked option to exclude the expired or revoked certificates from getting added to the PAM360 certificate repository during import. This can save the license count for SSL certificates in your installation without affecting the number of order details fetched into PAM360.
- Once the required option is selected, click Import.
All the existing certificate orders associated with your DigiCert CertCentral account will be imported into the PAM360 repository.
4. Creating a Certificate Order
Once you have successfully linked your CertCentral account to your PAM360 account by providing the API key details, you can place orders for DigiCert SSL/TLS certificates directly from the PAM360 interface.
Follow the below steps to place a new certificate order:
- Navigate to Certificates >> DigiCert and click Order Certificate.
- In the Order Certificate window, choose the Product Name, Validity, Signature Algorithm, Algorithm Length, Keystore Type, Server Platform, Payment Method and Organization.
- Enter the Common Name. You can also specify the Validity in number of days, or enter a Custom Expiration Date.
- After filling in the details, click Create.
Notes:
- PAM360 allows you to import both client certificates and server certificates from the DigiCert repository.
- Product name, payment, and organization fields are fetched and displayed according to the permissions provided in the CertCentral portal.
- For certificate validity, the value given for Custom Expiry Date overrides the values given for Validity Days and Validity in years. The value given for Validity Days overrides the value given for Validity.
- The payment for orders placed from PAM360 is handled by the CertCentral portal. If you face any issues with the payment, please contact the CertCentral customer support team.
5. Issuing Certificates
- Once a certificate order is successfully created, you can view it under Certificates >> DigiCert tab along with the certificate order status.
- To track the certificate availability for an order, select the order and click Check Order Status from the top bar. The order status is also checked automatically through a schedule every day. If the certificate is available during the scheduled check, it is fetched and added to the PAM360 certificate repository.
- To track the validation status for domains/organizations from PAM360, choose an order and click More >> Check Validation Status from the top menu.
- To filter your order view according to the order status, click the Show drop-down from the top menu and select from the options Expired, Revoked, or Rejected to customize your repository display. For other statuses such as Issued or Pending, select the Other option.
Note: Certificates issued are automatically added to the PAM360 repository only if you have the required license count. If not, you need to purchase an add-on for more keys and certificates before attempting to import new certificates.
6. Managing Certificates
Follow the below steps to renew, revoke, delete or request reissue for certificates or cancel certificate orders from PAM360.
Navigate to Certificates >> DigiCert.
6.1 Renewing a Certificate
- Select the required certificate and click Renew Certificate from the top bar.
- Ensure that you have the domain(s) / organization pre-validated from the CertCentral portal before requesting a renewal.
- On successful validation, the certificate is issued and automatically added to the PAM360 certificate repository.
6.2 Requesting a Certificate Reissue
- Select the required certificate and click Reissue Certificate from the top bar.
- Ensure that you have the domain(s) / organization pre-validated from the CertCentral portal before requesting a certificate reissue.
- On successful validation, the certificate is reissued and automatically added to the PAM360 certificate repository.
6.3 Revoking a Certificate
- Select the required certificate and click Revoke Certificate from the More drop down in the top bar.
- The certificate is revoked. Switch to the Certificates tab and delete the certificate to remove it from the PAM360 repository.
6.4 Deleting a Certificate Request
- Select the required order and click Delete from the More drop down in the top bar.
- The certificate request is deleted from PAM360.
6.5 Canceling a Certificate Order
- Select the required order and click Cancel Order from the More drop down in the top bar.
- The certificate order is canceled.