Integrating The SSL Store Certificate Authority with PAM360
PAM360 facilitates end-to-end life cycle management of certificates obtained from trusted certificate authorities (CAs) by enabling users to acquire, consolidate, deploy, renew, and track certificates issued by commercial CAs from a single interface. With PAM360's seamless API-based integration with The SSL Store—one of the largest platinum partners of the world's leading CAs—you will have the option to acquire and manage certificates from the following third-party CAs directly using PAM360: Symantec, Thawte, RapidSSL, GeoTrust, and DigiCert.
Follow the steps below to place certificate orders, acquire, consolidate, deploy and manage trusted third-party CA certificates from PAM360.
- Configuring API Authentication Credentials in PAM360
- Placing Certificate Orders
- Configuring the DNS Account
- Domain Control Validation and Certificate Deployment
- Managing Certificates Issued by The SSL Store CA
Add the following base URL and port as an exception in your firewall or proxy to ensure PAM360 is able to connect to The SSL Store's CA Services.
1. Configuring API Authentication Credentials in PAM360
The first step to request and manage third-party CA certificates from PAM360 is to sign up for an exclusive enterprise account at The SSL Store portal and configure the API credentials generated subsequently in PAM360's interface. To set up an Enterprise account with The SSL Store,
- Navigate to this enterprise sign up link on The SSL Store website. Proceed through the sign up link for PAM360.
- Fill in your personal details and organization details as requested, and click Continue.
- You will then be taken to the Setup Payment section where you need to configure a payment method and provide the payment details and billing information.
- After providing the details, click Continue.
- You will be redirected to the Confirmation/Token section where the API credentials (Partner ID and Token) are displayed. Copy and save the credentials in a secure location.
- Now, switch to the PAM360 server and navigate to Certificates >> The SSL Store tab. Click Manage in the top-right corner of the window.
- Under the Accounts tab, provide the generated partner code and token, and click Save.
- The details are stored in PAM360. Configuring API authentication credentials is a one-time process. You do not need to provide the details every time you place a certificate order.
2. Placing the Certificate Orders
Once you have configured your API authentication credentials, you can leverage The SSL Store's API to generate certificate signing requests (CSRs), place orders, procure, and manage certificates from any of the following certificate authorities directly from PAM360: Symantec, Thawte, RapidSSL, GeoTrust, and DigiCert.
To generate a CSR and place a certificate order,
- Navigate to the Certificates >> The SSL Store tab and click Order Certificate.
- In the window that opens, choose the vendor, validation type, product name, domain validation type and validity.
- PAM360 supports all three domain control validation methods: DNS-based, file-based, and email validation.
- Then, provide the common name, algorithm length, keystore type, keystore password, number of servers in which the certificate will be deployed, server type, and the approver's email IDs. Users also have the option to import and use an existing CSR or private key.
- The approver email ID is the email ID to which the Domain Control Validation (DCV) verification mail will be sent. The approver email ID should take one of the following formats:
- <admin@domain>, <administrator@domain>, <hostmaster@domain>, <webmaster@domain> or <postmaster@domain>
- Any administrator, registrant, tech or zone contact email address that appears on the domain’s WHOIS record and is visible to the CA system.
- Then, provide the organization details (applicable for organization validation and extended validation order types only), administrator contact details and contact details of the technician placing the certificate order.
- After filling in the details, click Create.
- You will be taken to a window where you can see the list of certificate orders placed along with their statuses displayed to the right of the table view.
PAM360 allows you to import existing certificate orders placed within your account from The SSL Store and track their statuses. Click Import Existing Orders from the More top menu to import the existing open orders into PAM360. You can also preconfigure your organization details under Manage so that you do not have to provide them every time you place an OV / EV certificate order.

3. Configuring the DNS Account
If you are opting for DNS-based domain validation in the certificate order, you should configure the DNS account in PAM360 and specify it in the DNS field in the order to automate the challenge verification procedure. To configure your DNS account,
- Navigate to Certificates >> The SSL Store >> Manage.
- Switch to the DNS tab. Click Add and in the pop-up that opens, choose the DNS provider.
- Here, you can add a maximum of one DNS account for each supported DNS provider. PAM360 currently supports automatic domain control validation for Azure, Cloudflare DNS, Amazon Route 53 DNS, RFC2136 DNS update (nsupdate), GoDaddy DNS, and ClouDNS.
3.1 Azure DNS
- Provide the Subscription ID, which is available in the Overview page of the Azure DNS zone.
- Provide the Directory ID, which is available in Azure Active Directory >> Properties.
- If you have an already existing Azure application, provide its Application ID and Key.
- If not, follow the steps mentioned below to create the Azure application and key, and give the application access to the DNS zones for making API calls.
Follow the below steps to create the Azure application and key from the Azure console:
- Navigate to App registrations >> New application registration.
- Provide the application name, select the application type Web app / API and provide the sign-on URL. Click Create.
- After successful creation, you are directed to a window that displays the Application ID.
- To get the application key, navigate to Keys and create a key.
- Provide the key description, duration and click Save.
- Once the key is saved, the key value is displayed. Copy and save the key value for future reference.
To give the application access to DNS zones:
- Navigate to the resource group where all DNS zones are created or switch to a specific DNS zone.
- Switch to Access Control (IAM) and click Add.
- Choose the role as Contributor, assign access to Azure AD user, group or application, search and select the application created in Azure Directory and click Save.
- The created Azure application is now given access to DNS zones for making API calls.
- Now, enter the Resource Group Name, which is the group name in which you have created the DNS zone and click Save.
- Your DNS account details are saved and listed under Manage >> DNS.

3.2 Cloudflare DNS
- In the Email address field, specify the email address associated with the Cloudflare account.
- For Global API Key, use the 'Generate API' key option in the domain overview page of the Cloudflare DNS to generate the key and paste the value in this field.
- Click Save. Your DNS account details will be saved and listed under Manage >> DNS.
For DNS based domain validation type, if you are going to specify an already configured DNS account in the certificate order for domain control validation, make sure its status is marked as Enabled under Manage >> DNS.

3.3 AWS Route 53 DNS
- Generate and specify the Access Key ID and Secret associated with your AWS account.

- If you do not have an AWS account, create one and generate the Access Key ID and Secret by following the steps given below:
- Log in to the AWS console and navigate to IAM Services >> Users.
- Click Add user.
- Provide the user name and select the access type as Programmatic access.
- Switch to the next tab, click Attach existing policies directly under Set Permissions and search for AmazonRoute53FullAccess.
- Assign the policy that is listed and switch to the next tab.
- In the tags section, add appropriate tags (optional) and switch to the next tab.
- Review all the information entered and click Create user.
- The user account is created and, subsequently, an access key ID and a secret are generated. Copy and save the key ID and secret in a secure location, as they will not be displayed again.
- If you already have an AWS user account, you have to grant the AmazonRoute53FullAccess permission to the user and generate an access key if the user does not have one. If the user account already has an access key associated with it, it is enough to ensure the required permission is granted.
To grant the required permissions,
- Navigate to the Permissions tab, select the required user account and click Add Permission.
- Click Attach existing policies directly under Set Permissions and search for AmazonRoute53FullAccess.
- Assign the listed policy and hit Save.
- To generate the access key,
- Select the particular user account and navigate to the Security Credentials tab.
- In the window that opens, click Create access key.
- An access key ID and a secret are generated. Copy and save the key ID and secret in a secure location, as they will not be displayed again.
3.4 RFC2136 DNS Update
If you are using open source DNS servers such as Bind, PowerDNS etc., that support RFC2136 DNS update, follow the steps below to automate DNS-based domain control validation procedure using PAM360.
- The DNS Server IP / Hostname represents the server name / IP address in which the DNS server is installed or running.
- The server details are found in the server installation directory. For instance, in the case of Bind9 DNS server, you can find these in the file named.local.conf in the server installation directory.
- Provide the Key Secret, which is the key content found in the server installation directory.
- Provide a name for the key, choose the signature algorithm and click Save.
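The key name, signature algorithm and Key Secret requested above correspond to the fields of a BIND-style `key` clause. The following is an added example, not PAM360 or BIND code: it extracts those three fields from a configuration snippet and flags keys that are malformed or weak. The key names, `example.com` and both secrets are constructed, and the algorithm and length checks are this example's own rules.

```python
import base64
import binascii
import re

# Digest size in bytes of each plain HMAC algorithm name used in a BIND key clause.
DIGEST_BYTES = {"hmac-md5": 16, "hmac-sha1": 20, "hmac-sha224": 28,
                "hmac-sha256": 32, "hmac-sha384": 48, "hmac-sha512": 64}
DISCOURAGED = {"hmac-md5", "hmac-sha1"}  # RFC 8945 advises against using these

_TOKEN = re.compile(r'"[^"\n]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
_KEY = re.compile(r'\bkey\s+"?([^\s"{;]+)"?\s*\{(.*?)\}\s*;', re.S)
_ALGO = re.compile(r'\balgorithm\s+"?([\w.-]+)"?\s*;')
_SECRET = re.compile(r'\bsecret\s+"([^"]*)"\s*;')


def strip_comments(text):
    """Drop //, # and /* */ comments but keep quoted strings intact,
    because a base64 secret can itself contain '//'."""
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else " ", text)


def parse_tsig_keys(conf_text):
    """Return name, algorithm and secret for every key clause in the text."""
    keys = []
    for name, body in _KEY.findall(strip_comments(conf_text)):
        algo, secret = _ALGO.search(body), _SECRET.search(body)
        keys.append({"name": name,
                     "algorithm": algo.group(1).lower() if algo else None,
                     "secret": secret.group(1) if secret else None})
    return keys


def audit_key(key):
    """List problems worth fixing before the key is entered anywhere."""
    findings = []
    algo = key["algorithm"]
    if algo not in DIGEST_BYTES:
        findings.append("algorithm missing or not a plain hmac-* name")
    elif algo in DISCOURAGED:
        findings.append(f"{algo} is discouraged for TSIG")
    try:
        raw = base64.b64decode(key["secret"] or "", validate=True)
    except (binascii.Error, ValueError):
        return findings + ["secret is not valid base64"]
    if algo in DIGEST_BYTES and len(raw) < DIGEST_BYTES[algo]:
        findings.append(f"secret is {len(raw)} bytes, shorter than the {algo} digest")
    return findings


# Constructed sample secrets, not real keys; GOOD starts with '////' on purpose.
GOOD = base64.b64encode(bytes([255] * 3 + list(range(29)))).decode()
WEAK = base64.b64encode(b"short").decode()
SAMPLE_CONF = '''
// TSIG key for DCV TXT record updates (constructed sample)
key "pam360-dcv" {
    algorithm hmac-sha256;   # the signature algorithm to select
    secret "%s";
};
/* legacy key */
key legacy-update { algorithm hmac-md5; secret "%s"; };
zone "example.com" { type master; allow-update { key "pam360-dcv"; }; };
''' % (GOOD, WEAK)

if __name__ == "__main__":
    for k in parse_tsig_keys(SAMPLE_CONF):
        print(k["name"], k["algorithm"], audit_key(k) or "ok")
```

The `key "pam360-dcv";` reference inside the `zone` clause is not reported as a key, because only clauses with a `{ ... }` body are parsed.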

3.5 GoDaddy DNS
If you are using GoDaddy DNS for DNS validation, follow the steps below to automate DNS-based domain control validation procedure using PAM360.
To obtain GoDaddy API credentials, follow these steps:
- Go to the GoDaddy developer portal and switch to the API keys tab.
- Log in to your GoDaddy account if you aren't logged in already.
- Once you log in, you will be redirected to the API keys page where you can create and manage API keys. Click Create New API key.
- Provide your application name, choose the environment type as Production and click Next.
- The API key and its secret are generated. Copy and save the secret in a secure location, as it will not be displayed again.
Now, in the PAM360 interface, follow the below steps to add GoDaddy DNS to The SSL Store certificate repository:
- Navigate to Certificates >> The SSL Store and click Manage at the top-right corner of the page.
- Switch to the DNS tab and click Add.
- Choose GoDaddy from the DNS Provider drop-down menu.
- Enter the Key and Secret that were previously generated from the GoDaddy portal. Click Save.

3.6 ClouDNS
If you are using ClouDNS for DNS validation, follow the steps below to automate the DNS-based domain control validation procedure using PAM360:
To obtain ClouDNS API credentials, follow these steps:
- Log in to your ClouDNS account and go to Reseller API.
- If you have already created an API user id, you will find it under API Users. If not, click Create API to generate a new one.
Click here to learn more about ClouDNS API Auth IDs.
Now, in the PAM360 interface, follow the below steps to add ClouDNS to SSL Store CA:
- Navigate to Certificates >> SSL Store and click Manage at the top-right corner of the page.
- Switch to the DNS tab and click Add.
- Choose ClouDNS from the DNS Provider dropdown.
- Choose one of the following options: Auth ID, Sub Auth ID, Sub Auth User.
- Enter the chosen ClouDNS Auth ID, its respective Auth Password, and click Save.

3.7 DNS Made Easy
- Enter the name of your choice in the Name field.
- The Key and the Secret will be available on the DNS Made Easy webpage under Config >> Account Information. Enter those details in the respective fields.
- Now, click Save to save your DNS account details. The saved DNS details will be listed under Manage >> DNS.

4. Domain Control Validation and Certificate Deployment
If the end server in which you are deploying the challenge file is a Windows resource, install the SSL agent using the steps mentioned here.
Once the certificate authority receives your order, you will have to go through a process called Domain Control Validation (DCV) to prove your ownership of the domain. Once validation is complete, you will receive the certificate. PAM360 supports all three DCV methods:
- Email-based DCV
- File or HTTP-based DCV
- DNS-based DCV
4.1 Email-Based Domain Control Validation
- In email based domain control validation, the certificate authority sends a verification email to the approver email ID specified when placing the certificate order.
- This email will guide you through the steps that need to be performed in order to complete the domain control validation procedure.
- After completing the steps, navigate to the PAM360 server, and switch to Certificates >> The SSL Store tab.
- Select the order and click Check Order Status from the top menu.
- On successful verification, the certificate authority issues the certificate which is fetched and added to PAM360's secure repository. To access the certificate, navigate to the Certificates tab.
- From here, deploy the certificate to necessary end-point servers such as a Certificate Store or an IIS server directly from PAM360.
Click here for more details on certificate deployment.
4.2 File/HTTP-Based Domain Control Validation
If you have chosen file or HTTP-based domain control validation, a challenge file is displayed when creating the order. Navigate to the domain server, create the specified path, and deploy the challenge file in that path.
This entire process of deploying the challenge file in the end-point server can be automated using PAM360. To enable automation, configure the server details in the Deploy tab under Manage. To automate domain control validation,
- Navigate to Certificates >> The SSL Store >> Manage.
- Switch to the Deploy tab and click Add.
- In the pop-up that opens, choose the challenge type as 'http-01', specify the domain name, choose the server type (Windows or Linux) and enter the server details. Click Save.
- The challenge file is automatically deployed to the corresponding end-server in the specified path.

- Once you have deployed the challenge file, navigate to the PAM360 server, select The SSL Store from the left pane, choose the order and click Check Order Status from the top menu.
- On successful domain validation, the certificate authority issues the certificate which is fetched, added to the Certificates tab in PAM360 and is also deployed in the specified path of the server configured earlier under Manage >> Deploy.
4.3 DNS-Based Domain Control Validation
If you have opted for DNS based domain control validation, a DNS challenge value and text record are displayed when creating the order. Copy and paste the text records manually in the domain server. Similar to the HTTP challenge, the entire challenge verification process can be automated using PAM360. To enable automation, configure the server details in the Deploy tab located under Manage. To automate domain control validation,
- Navigate to Certificates >> The SSL Store >> Manage.
- If the end-server is a Windows machine, first download and install the PAM360 agent for Windows server from the Windows Agents tab using the steps mentioned in the previous section.
- Switch to the Deploy tab and click Add.
- In the pop-up that opens, choose the challenge type as 'dns-01', specify the domain name, choose the DNS provider (Azure, Cloudflare DNS, Amazon Route 53 DNS, RFC2136 Update, GoDaddy DNS, or ClouDNS) and enter the server details.
- Check the Certificate option to deploy the certificate to the end-server after procurement. Click Save.
- The DNS challenge values and text records are automatically created in the corresponding DNS servers.


- Once the challenges have been filled, navigate to the PAM360 server, select Certificates >> The SSL Store from the left pane, choose the order, and click Check Order Status from the top menu.
- On successful domain validation, the certificate authority issues the certificate which is fetched and automatically added to PAM360's certificate repository. To access the certificate, navigate to the Certificates tab.
- From here, deploy the certificate to the necessary end-point servers such as a Certificate Store or an IIS server directly from PAM360. Click here for more details on certificate deployment.
- Also, the certificate is automatically deployed to its corresponding end-server after issue, if you have enabled the Deploy Certificate option at the time of configuring server details under Manage >> Deploy.
- For DNS-based domain control validation, if you have selected a DNS account configured under Manage >> DNS when placing the order, PAM360 automates the challenge verification using that account. Alternatively, if you have already configured the domain and server details under Manage >> Deploy, the challenge verification, and subsequent certificate deployment are carried out exclusively for that specific domain and server alone.
- For RFC2136 DNS update, if you have selected the Global DNS configuration, the domain name itself acts as the zone name (Global DNS configuration is possible only if you are using the same Key Secret for all zones). Whereas, if you have selected domain-agent mapping, provide the Zone name, Key Name, and Key Secret for each domain separately.
5. Managing Certificates Issued by The SSL Store CA
PAM360 allows administrators to renew, reissue, and delete certificate orders of The SSL Store certificate authority with ease.
5.1 Renewing a Certificate
To renew The SSL Store certificate order from PAM360,
- Navigate to the Certificates >> The SSL Store tab.
- On the page that appears, select the certificate order you want to renew.
- Click Renew Certificate from the top menu.
- In the pop-up that appears, prove your ownership of the domain before every renewal by fulfilling the challenges put forth by The SSL Store CA. The challenges are mailed to the requester's and domain administrator's email IDs.
Upon successful validation, the certificate will be renewed and automatically added to PAM360's certificate repository.
You can request a reissue only for those certificates requested from PAM360 and not for the imported orders.
5.2 Re-issuing a Certificate
To request a reissue of The SSL Store certificate from PAM360,
- Navigate to the Certificates >> The SSL Store tab.
- Select a certificate order from the list for which you want to raise a certificate reissue request.
- Click the Reissue Certificate button at the top pane.
- In the pop-up that appears, prove your ownership of the domain by fulfilling the challenges put forth by The SSL Store CA. The challenges are mailed to the requester's and domain administrator's email IDs.
Upon successful validation, the certificate will be reissued and automatically added to PAM360's certificate repository.
5.3 Deleting a Certificate
To delete The SSL Store certificate order from PAM360,
- Navigate to the Certificates >> The SSL Store tab.
- On the page that appears, select the certificate order you want to delete.
- Click the More dropdown at the top pane and select Delete.
- If prompted, confirm your action to delete the certificate order.
When a certificate request is deleted, it is removed only from PAM360. You can find the order in The SSL Store website for your account and import it into PAM360 if needed using The SSL Store >> More >> Import option.
The procurement of public CA certificates from PAM360 can be successfully completed only if the user has signed up for an exclusive enterprise account with The SSL Store. PAM360 imports certificates after issue using The SSL Store's API for providing better PKI management functionality. All personal information (including payment details) is collected and processed by The SSL Store and ManageEngine is not responsible for any payment related issues. Please contact The SSL Store technical support team if you face any difficulties with payment and procurement of certificates from public CAs affiliated with The SSL Store using PAM360.