Top

Installing SSL certificate for Key Manager Plus server

Key Manager Plus runs as a HTTPS service. It requires a valid SSL certificate issued by trusted Certificate Authority (CA), with the common name as the name of the host on which it runs. By default, during the first time start-up, Key Manager Plus utilizes the certificate issued for the domain 'demo.keymanagerplus.com' that comes bundled with the product. This certificate will not be trusted by browsers and a security error will be thrown when users try to access the Key Manager Plus server. Thus, users have to manually verify the hostname and force the browsers to accept the certificate.

To make browsers automatically verify and authenticate users, you need to upload trusted third party CA certificates to Key Manager Plus server. Since Key Manager Plus itself serves as a repository for securing SSL certificates, you can upload certificates directly from it (provided you have already consolidated the certificates in Key Manager Plus). You can also browse and add certificates from your system, or you can request for new certificates from a trusted third party CA, and then upload it in Key Manager Plus server.

Uploading certificates from Key Manager Plus repository

To upload a certificate already existing in its repository to the Key Manager Plus server,

Note:

  • On clicking Existing Certificate, Key Manager Plus will list down only those certificates for which the private key is stored in Key Manager Plus server
  • If the certificate you upload is a self-signed certificate (certificate not obtained from a trusted CA), browsers might not recognize your certificate and throw security errors.

Uploading certificates from your system

Follow the steps mentioned below to upload a certificate obtained from trusted CA to Key Manager Plus server.

  1. Navigate to Settings → Server Certificate
  2. Click Browseand choose the certificate that you want to upload from your computer
    • If the certificate that you upload is of .keystore, .p12, .pkcs12 or .jks format, you will be prompted to enter your keystore password.
    • For other formats, you will be prompted to enter the private key file (server.key). After that, you will be prompted to upload the Intermediate certificate. You can upload multiple intermediate certificates by clicking the +button. If you don't upload the intermediate certificate, Key Manager Plus will try detecting the intermediate certificates automatically.
  3. Click Save to import the certificate to Key Manager Plus server
  4. Then, restart your Key Manager Plus server for the certificate to take effect

Note:

If you don't provide the intermediate certificate and Key Manager Plus is unable to trace it, there's a chance that browsers might not recognize your certificate and security errors will be thrown.

Uploading Microsoft CA signed certificate

You can request and sign certificates from the Microsoft Certificate Authority within your network, and then install it on your Key Manager Plus server. To request and acquire certificates from your Microsoft Certificate Authority,

After creating the CSR, you have to forward it to the Microsoft Certificate Authority, which signs it and issues the SSL certificate for the requested domain.

You have to then install the acquired certificate on Key Manager Plus server.

Requesting and uploading new trusted CA certificates

You can also request for new certificates from trusted third party CAs, and upload the same in your Key Manager Plus server.

Click here to learn more about requesting and acquiring third party SSL certificates from Key Manager Plus

Click here to learn more about directly acquiring Let's Encrypt CA certificates by leveraging Key Manager Plus' integration with Let's Encrypt

After procuring and consolidating the third party SSL certificates in Key Manager Plus repository, repeat the same steps under the first case to upload the certificate to Key Manager Plus server.

Note:

The certificate you upload will be checked for the following criteria by Key Manager Plus server: certificate - private key match, expiration date, revocation status, certificate chain and Certificate Authority (Java trust store). If there's any unfulfillment or mismatch, a pop-up window will open prompting for your confirmation to upload the certificate. You can still go ahead and upload the certificate but reputed browsers might not recognize the certificate and throw security errors.