Manage SSL Certificates
Create, discover and store SSL certificates in the centralized repository of Password Manager Pro. Raise requests for new certificates and domain additions to the existing certificates. You receive notifications when the certificates are about to expire, to help you with their timely renewal. Use Password Manager Pro to:
(Applicable from build 10404 to 11000) Password Manager Pro performs SSL certificate discovery and SSL certificate deployment by initiating a remote connection to the target machines. To allow Password Manager Pro to do that, complete the below steps:
From build 11000 onwards, the above-mentioned features will work without the remcom.exe file.
Steps to Manage SSL Certificates
1. Discovering Certificates in your Network
You can automatically discover all the certificates available in your network using Password Manager Pro, irrespective of the CA. You can discover the certificates anytime as needed or periodically based on scheduled tasks. The discovery options are quite flexible - you can discover certificates from a single server or multiple servers, and from multiple ports, at one go. Password Manager Pro also allows users to rediscover the expired and about-to-expire certificates from the 'Certificate Expiry' widget in the Dashboard.
1.1 Discovering SSL Certificates On Demand
To discover the certificates manually:
1.2 Discovering SSL Certificates from SMTP Servers
You can discover SSL certificates used by mail servers present in your network and consolidate them in Password Manager Pro's centralized certificate repository. To perform mail server certificate discovery:
1.3 Discovering SSL Certificates Deployed to Load Balancers
Password Manager Pro allows you to discover SSL certificates deployed to load balancers within your network and consolidate them in its secure, centralized repository. As of now, Password Manager Pro supports discovery of certificates from Linux-based load balancers only (e.g., Nginx, F5, etc.) and the process is tunnelled via SSH. To perform load balancer certificate discovery:
1.4 Discover SSL Certificates from a Shared Directory Path
Password Manager Pro allows you to discover SSL certificates that are saved in a shared directory path within your network and consolidate them in its secure, centralized repository. Using this option, you can discover all the certificate files saved in a particular folder and then, either add all the certificates to the repository or choose the ones you want to import. During the discovery process, Password Manager Pro will scan only the folder specified in the path and nowhere else in the target machine. Follow the below steps to discover and import SSL certificates from a shared directory path:
To check the status of the discovery, click the Discovery Audit tab.
Note: Certificate files that are over 30 KB in size will not be imported during this discovery operation.
1.5 Discovering SSL Certificates using the KMP Agent
You can discover SSL certificates deployed across your network using the KMP agent right from the Password Manager Pro web interface. This functionality enables you to download and deploy the KMP Windows agent to target systems. It also allows you to discover and import the certificates from those systems into a centralized certificate repository directly from the Password Manager Pro web interface. The server(s) in which the agent is deployed are connected to the Password Manager Pro server via a secure HTTPS connection. Discovering certificates through the KMP agent is helpful in the following scenarios:
To discover the SSL certificates using the KMP agent, you need to download and install the agent first. Follow the steps below:
Steps to perform SSL certificate discovery through KMP agent:
The certificates are discovered from the servers in which the agent is installed and imported into Password Manager Pro's certificate repository.
1.5.i Discover SSL Certificates from a Directory Path in a Remote Machine
Password Manager Pro allows you to discover SSL certificates that are saved in a directory path in a remote machine that is not directly accessible by the Password Manager Pro server—this is achieved through the KMP agent. Once the certificates are discovered, you can consolidate them into Password Manager Pro's centralized repository. Using this option, you can discover all the certificate files saved in a particular folder and either add all the certificates to the repository or select only the ones you require. During the discovery process, the KMP agent will scan only the folder specified in the path and nowhere else in the target machine. Follow the below steps to discover and import SSL certificates from a directory path in a remote machine:
To check the status of discovery, click the Discovery Audit tab.
Notes:
1.6 Discovering SSL Certificates Automatically through Schedules
SSL Certificate discovery can also be scheduled to occur at periodic intervals.
You will get a message confirming addition of a new schedule.
1.7 Discovering Certificates Mapped to User Accounts in Active Directory
Password Manager Pro helps you discover and manage the certificates mapped to user accounts in Active Directory. To perform AD user certificate discovery,
1.7.i Managing Certificates from MS Certificate Store and Local CA
Password Manager Pro helps you request, acquire, discover, consolidate, track and manage certificates from MS Certificate Store and those issued by Local certificate authority. Before importing / acquiring certificates from MS Certificate Store and Local CA, ensure that you use your domain administrator account as Password Manager Pro's service logon account.
To request and acquire certificates stored in Local CA from Password Manager Pro, you have to initially generate a certificate signing request, then get it signed from the local certificate authority using the steps mentioned below:
You can also get the CSR signed from Microsoft Certificate Authority directly from Password Manager Pro itself.
1.7.ii Rediscover SSL Certificates
From build 11300 onwards, Password Manager Pro allows you to rediscover SSL certificates from the same source using the server details entered during the previous discovery operation. Follow the below steps to perform certificate rediscovery:
The rediscovery operation begins immediately. You can track the discovery status in the Discovery Audit page. Please note that for agent-based discovery to work properly, upgrade KMP Agent to build 11300 before commencing the discovery operation.
1.7.iii The Centralized Certificate Repository
All the discovered SSL certificates, those that are discovered manually as well as those discovered through scheduled discovery operations, are automatically added to the centralized repository of Password Manager Pro. You can view these certificates under the Certificates >> Certificates option in the user interface.
a. Search SSL Certificates
Password Manager Pro allows you to search certificates using Common Name, DNS Name, Issuer, Key Size, Signature Algorithm, Description, additional fields, etc.
1.7.iv Exporting Private Key/Keystore file
Password Manager Pro allows you to identify and export the private keys / keystore files of SSL certificates stored in the certificate repository. You can also export certificates in other formats such as PKCS12/PFX or PEM format. Click the Keystore icon (
To export the private key or the certificate file:
1.7.v Tracking and Managing Various Certificate Versions
Sometimes you have to use different certificates on different end-servers for the same domain. In that case, you need to track the usage and expiry of each of these certificates individually even though they represent a common domain. Monitoring such certificate versions manually is daunting and error-prone. Password Manager Pro helps you simultaneously track and manage the usage and expiry of various certificate versions from a single window.
To Track Certificate Versions:
1.7.vi Updating Servers with Latest Certificate Versions
In case of wildcard certificates or a single SSL certificate deployed to multiple servers, it is necessary to keep track of servers in which the certificate is deployed and also check if the latest certificate version is in use. Password Manager Pro helps you ensure this.
Also, you can edit details pertaining to a particular certificate or delete irrelevant certificates by selecting the certificate and clicking the More dropdown.
1.8 Discovering SSL Certificates Hosted on AWS (ACM & IAM)
Password Manager Pro enables you to discover, import, and configure expiry notifications for SSL certificates hosted in the following Amazon Web Services: AWS Certificate Manager (ACM) and AWS Identity and Access Management (IAM). Follow the steps below to discover and import SSL certificates from ACM / IAM into Password Manager Pro.
Step 1: Configure AWS credentials in Password Manager Pro
To add your AWS credentials in Password Manager Pro,
Step 2: Discovery and Import
User certificates are imported into Password Manager Pro.
2. Creating Self-Signed Certificates
Password Manager Pro allows administrators to create their own self-signed certificates using Java keytool. These certificates are automatically imported into the Password Manager Pro repository on successful creation. To create a self-signed certificate using Password Manager Pro:
3. Generating CSRs
To generate a CSR using Java keytool from Password Manager Pro:
You have successfully created a CSR and it has been added to the list view.
(Applicable from build 11000 onwards)
Note: Self-signed certificates and CSRs can be generated using RSA / DSA / EC key algorithms and SHA signature algorithm as per the details below:
3.1 Managing CSRs
Besides generating CSRs from Password Manager Pro, you can also upload CSRs generated from outside the application and track their statuses from Password Manager Pro using the Import option in the top menu.
4. Certificate Signing
Password Manager Pro provides the option to sign and issue certificates to all clients in your network either from your Microsoft Certificate Authority or using a custom root CA certificate that is trusted within your environment. To request and acquire certificates from Local CA from Password Manager Pro, you have to initially generate a certificate signing request, then get it signed from the local certificate authority using the steps mentioned below.
There are three ways to sign your certificates:
Navigate to Certificates >> CSR.
4.1 Microsoft Certificate Authority
You can get the CSR signed from Microsoft Certificate Authority from Password Manager Pro.
The CSR is signed and the issued certificate can be viewed from Certificates >> Certificates.
4.2 Microsoft CA with Agent
The CSR is signed and the issued certificate can be viewed from Certificates >> Certificates.
4.3 Sign with Root CA
Password Manager Pro provides the option to sign and issue certificates to all clients in your network either from your Microsoft Certificate Authority or using a custom root CA certificate that is trusted within your environment.
4.3.i Create a Custom Root CA
To sign locally generated certificate requests with the root CA certificate, you have to initially create a custom root CA.
The chosen certificate is successfully designated as a root CA certificate and is listed under the Root Certificate tab. You can then use this certificate to sign locally generated certificate requests.
Note: You can also generate new root CA certificates from Password Manager Pro by enabling the Generate root certificate checkbox while creating a certificate from the Certificates >> Certificates >> Create option.
4.3.ii Signing Certificates with the Custom Root CA
To sign certificates with the custom root CA, generate a certificate signing request (CSR) and then sign it using the root certificate.
The certificate is signed based on the selected root certificate and is listed under the Certificates >> Certificates tab.
Also, you can use the root CA certificate to simultaneously generate and sign certificates to user groups in bulk directly from Password Manager Pro.
The certificate is signed and you can find it listed in Password Manager Pro's certificate repository.
The sign type Active Directory Users allows you to generate and sign certificates to user accounts mapped to the Active Directory within your network environment.
4.3.iii Deploying the Signed Certificate to Target Systems
After signing the certificate requests and obtaining the certificate, you have to deploy them to the necessary end-servers. Refer to this section of help for step-by-step explanation on certificate deployment.
Note: When signing certificates with custom root CA for web-applications, make sure all the browsers in your network are configured to trust the root CA certificate in order to avoid security error messages.
5. Importing and Exporting Certificates
5.1 Allowed Certificate Types
Password Manager Pro allows you to import and export the following certificate types:
5.2 Steps to Import the Certificates in your Network
In addition to certificate discovery, Password Manager Pro provides a few other ways in which you can manually add SSL certificates into the repository. To do so, follow the below steps:
5.3 Steps to Import Issuer Certificates
Password Manager Pro allows you to import issuer certificates into the repository and build a complete certificate chain in the product.
5.4 Steps to Export the Certificates in your Network
6. Certificate Renewal
The Certificates tab in Password Manager Pro is a centralized console where all types of SSL certificates such as Self Signed, Root Signed, Microsoft CA Signed, certificates issued by third-party CAs, etc., are consolidated and displayed. Through the Renew option, these certificate types can be renewed in the Certificates tab directly. These renewed certificates will automatically inherit the deployed servers and their credentials. For certificates issued by third-party CAs, the renewal will be initiated and redirected to the respective CA's tab. To proceed further, follow the below steps:
i. Self Signed Certificate Renewal
To renew a Self Signed certificate, follow the below steps:
The certificate will be renewed successfully and the Valid To date will change according to the new validity period specified.
ii. Root Signed Certificate Renewal
To renew a Root Signed certificate, follow the below steps:
The certificate will be renewed successfully and the Valid To date will change according to the new validity period specified.
iii. Microsoft CA Signed/Signed with Agent Certificate Renewal
To renew a Microsoft CA signed certificate, follow the below steps:
In addition to the above types, third-party CA signed certificates can also be renewed using this renewal option. Follow the same procedure to initiate renewal and Password Manager Pro will redirect the renewal request to the respective third-party CA. Follow the steps detailed in the next section to learn how to set up auto-renewal for certificates in Password Manager Pro.
6.1 Auto Renewal
Certificates issued by Local CA can be renewed automatically from the Admin page in Password Manager Pro. To enable auto-renewal of Local CA certificates, follow the below steps:
7. Certificate History
Password Manager Pro allows you to group the certificates under a common name. To enable this,
8. Certificate Sync Status
Password Manager Pro allows users to perform periodic and automatic checks on the synchronization status of the SSL certificates deployed to multiple servers.
9. Editing and Deleting Certificates
9.1 Steps to Edit a Certificate from Password Manager Pro Repository
To edit a certificate from Password Manager Pro repository:
9.2 Steps to Delete a Certificate from Password Manager Pro Repository
You can delete the certificates that are currently not in use. To delete a certificate from Password Manager Pro repository:
10. Certificate Requests
The certificate request workflow is as follows:
10.1 Adding Certificate Request
To add requests for new certificates or addition of sub-domains to existing certificates, in Password Manager Pro:
10.2 Certificate Request Status
A certificate request is in either of the following statuses.
When a certificate request is raised, it is automatically elevated to the Open state. The request details can be viewed from Certificates >> Certificate request, on clicking the domain name of the request.
10.3 Terminating the Certificate Request Life-cycle
11. Customizing Expiry Notification Schedule
You can customize the periodicity of notifications you receive when a certificate is about to expire. To customize the notifications:
12. Tracking Domain Expiration through WHOIS Lookup
Apart from tracking certificate expiration, Password Manager Pro also helps administrators keep a tab on their expiring domain names through an automated WHOIS lookup. The domain expiration details fetched through the lookup are displayed in the Certificates >> Certificates tab against the corresponding SSL certificate. Also, administrators can choose to receive timely email notifications of their expiring domains by configuring it under Admin >> SSH/SSL Config >> Notification Settings.
How does the WHOIS lookup work?
Fetching domain expiration details requires a two-stage lookup to WHOIS servers from Password Manager Pro. The first lookup provides the details of the WHOIS server with which the domain was registered by its domain registrar. The second lookup provides information about the domain such as owner details, expiration date, etc. All these operations are automated from the Password Manager Pro interface.
Note: Connection to WHOIS servers requires the use of port 43. Ensure that port 43 is open in your environment; otherwise the connection will fail and Domain Expiration will be marked Not Available (NA) in the Certificates tab.
13. SSL Certificate Group
Password Manager Pro allows you to organize SSL certificates into various logical groups and execute actions in bulk on the groups.
13.1 Creating Certificate Groups
To create a certificate group:
13.2 Editing Certificate Groups
To make changes to existing certificate groups:
13.3 Deleting Certificate Groups
To delete a certificate group:
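
The two-stage WHOIS lookup described in section 12, sketched in Python as an added example (it is not Password Manager Pro's own code). The registry server is supplied by the caller, the host names and responses are constructed samples, and the response field labels matched are assumptions; a failed connection on port 43 yields no expiry, which is the case the page reports as NA.

```python
import re
import socket
from datetime import datetime, timezone

WHOIS_PORT = 43  # the port section 12's note says must be open
# Field labels are assumed; the referral group only admits hostname characters.
REFERRAL_RE = re.compile(
    r"^[ \t]*Registrar WHOIS Server:[ \t]*([A-Za-z0-9.-]+)[ \t]*\r?$", re.I | re.M)
EXPIRY_RE = re.compile(
    r"^[ \t]*(?:Registry Expiry Date|Registrar Registration Expiration Date):"
    r"[ \t]*(\S+)", re.I | re.M)

def whois_query(server, query, timeout=10):
    """One WHOIS exchange: send the query plus CRLF on TCP 43, read to EOF."""
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as s:
        s.sendall(query.encode("idna") + b"\r\n")
        chunks = []
        while data := s.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")

def domain_expiry(domain, registry_server, query=whois_query):
    """Return (expiry, answering_server); expiry is None when not available."""
    try:
        first = query(registry_server, domain)   # stage 1: who holds the record?
        ref = REFERRAL_RE.search(first)
        server = ref.group(1).lower() if ref else registry_server
        answer = query(server, domain) if ref else first   # stage 2: the record
    except OSError:                               # refused, timed out, blocked
        return None, None
    found = EXPIRY_RE.search(answer)
    if not found:
        return None, server
    try:
        expiry = datetime.fromisoformat(found.group(1).replace("Z", "+00:00"))
    except ValueError:                            # date format not ISO 8601
        return None, server
    if expiry.tzinfo is None:
        expiry = expiry.replace(tzinfo=timezone.utc)
    return expiry, server

# Constructed responses standing in for the two servers (not real data).
SAMPLE = {
    "whois.registry.example": "Domain Name: EXAMPLE.COM\r\n"
                              "Registrar WHOIS Server: whois.registrar.example\r\n",
    "whois.registrar.example": "Domain Name: example.com\r\nRegistrar Registration "
                               "Expiration Date: 2026-08-13T04:00:00Z\r\n",
}

def sample_query(server, query):
    return SAMPLE[server]

if __name__ == "__main__":
    print(domain_expiry("example.com", "whois.registry.example", sample_query))
```

Passing `sample_query` keeps the run offline; omit the third argument to use `whois_query` against a real registry server of your choosing.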
©2025, ZOHO Corp. All Rights Reserved.