Kousec Server Certificate Manager

Users' Guide

 

For Version: RC-1

Kousec Software, Inc.

 

November 19, 2009

Copyright 2009 Kousec Software, Inc.  All rights reserved.

All company names and product names are trademarks of their respective holders.

 


Table of Contents

 

1.    About SSL Server Certificates. 5

1.1.     Overview. 5

1.2.     SSL Server Certificates. 5

1.3.     Certificate Authority. 6

1.4.     Server Certificate Reseller 6

2.    Concepts in Server Certificate Manager 7

2.1.     Server Certificate Repository. 7

2.2.     Requirement Definitions, Acquisition Processes and Deployment Processes. 7

2.3.     Certificate Definitions, Certificate Requests, and Certificates. 9

2.4.     Certificate Installation. 10

2.5.     Built-in Private CA. 11

2.6.     Monitoring for Deployed Server Certificates. 11

2.7.     Discovering Unmanaged Server Certificates on Network. 12

2.8.     Importing an Existing Server Certificate. 12

2.9.     Selection and Purchase of Server Certificates. 12

3.    Setting Up Server Certificate Manager 14

3.1.     Basic Setup. 14

3.2.     Changing Initial Password. 14

3.3.     Restricting Access to the CertMgr Web Server 15

3.4.     SSL Certificate for the CertMgr Web Server 15

3.5.     Users Management 15

3.5.1.     User Privileges. 16

3.6.     Advanced Configuration. 16

4.    Managing Certificates Using Server Certificate Manager 17

4.1.     Summary Descriptions of Each Screens. 17

4.1.1.     Certificate Definitions (Overall Status of All Certificates) 17

4.1.2.     Certificate Requests and Acquisition Processes. 17

4.1.3.     Certificates and Deployment Processes. 17

4.1.4.     Vendor Accounts. 17

4.1.5.     Private Keys. 17

4.1.6.     Monitor Control 18

4.1.7.     Sent Emails. 18

4.1.8.     Certificate Discovery. 18

4.2.     Main Usage. 19

4.2.1.     Import existing certificates and start managing them under Server Certificate Manager 19

4.2.2.     Acquire a certificate. 20

4.2.3.     Deploy the certificate. 21

4.2.4.     Daily Operations. 22

4.3.     Certificate Monitoring. 24

4.3.1.     Server names. 24

4.4.     Certificate Discovery. 24

4.5.     Backing up Data in Server Certificate Manager 25

4.6.     [Optional] Configuring Private CA. 25

Appendix A       Manual Deploy Checking. 27

 

 


1.     About SSL Server Certificates

 

1.1.      Overview

 

SSL server certificates are a kind of digital certificate that web and other servers need in order to secure network communications.

 

 

1.2.      SSL Server Certificates

 

SSL server certificates are one type of digital certificate that server software uses for SSL communications to authenticate the communicating peer and encrypt the contents of the communication.  A website operator proves its identity and guarantees the authenticity and confidentiality of communications by placing a server certificate on the web server.

When placing a server certificate, you also need to place the private key that pairs with the server certificate in order to prove that you are the legitimate owner of the certificate.  A server certificate has a validity period (one to several years), and it can also be revoked by the issuing CA if the private key is stolen.

 

Other digital certificates include personal certificates for email, for user authentication at websites, and for IC cards.

 

1.3.      Certificate Authority


Generally, SSL server certificates are issued by an entity called a Certificate (or Certification) Authority (CA) to another party that requested issuance of a certificate.  A CA verifies that the request comes from the legitimate owner of the subject identity before issuing a certificate.  The issuing CA also revokes the certificate as necessary.
Many CAs require monetary compensation for the identity verification, issuance and maintenance of the certificate.  In this document they are called commercial CAs.  Prominent commercial CAs include VeriSign, Inc.  On the other hand, when a company issues server certificates for its own servers, the company operates its own private CA.
For websites and services intended for the internet and inter-organization applications, or for websites and services within a large multi-regional company, server certificates issued by commercial CAs are quite common.

 

1.4.      Server Certificate Reseller

 

Certificate resellers sell server certificates issued by commercial CAs.  Some certificate resellers offer certificate products from several commercial CAs.  They help customers choose the products best suited to them and may also provide customer services for installing and maintaining certificates and their environments.

 


 

2.     Concepts in Server Certificate Manager

Server Certificate Manager is a software product that helps a company to manage every aspect of server certificate lifecycle, from acquiring to deploying and monitoring certificates.

 

 

 

2.1.      Server Certificate Repository

 

Server Certificate Manager has an internal database that stores generated private keys, acquired certificates, purchase history, deployment history, and monitoring data.  It also has a per-certificate document folder feature, in which you can store the documents that you use when purchasing a certificate.

 

You can store all of this certificate-related information centrally in one place and manage it under appropriate access control and backup operations, thereby minimizing the risks of lost private keys and information leakage.

 

2.2.      Requirement Definitions, Acquisition Processes and Deployment Processes

 

When you start a new online service, you collect requirements and study possible options for server certificate(s).  Then you purchase the certificate(s) and install them onto your server(s).

 

An acquisition process is a collection of steps to obtain a server certificate from a CA and store it in the certificate repository.  It consists of generating a private key / CSR, placing an order for a certificate, receiving the certificate file and registering it in the server certificate repository.

There are two types of acquisition process: new acquisition and renewal acquisition.  When you obtain a certificate for a new server, it is a new acquisition.  When you obtain one that will replace an existing server certificate, it is a renewal acquisition.

 

A deployment process is a collection of steps to install a server certificate stored in the server certificate repository and to set up certificate monitoring.

 

 

 

 

 


 

2.3.      Certificate Definitions, Certificate Requests, and Certificates

 

Server Certificate Manager manages the processes mentioned above using software abstractions called Certificate Definitions, Certificate Requests, and Certificates.  A requirement definition approximately corresponds to a Certificate Definition, an acquisition process to a Certificate Request, and a deployment process to a Certificate, respectively.

 

Each software abstraction object holds the output of the corresponding process and intermediate information as history records.

 

 

Object                   Intermediate generated information       Output
-----------------------  ---------------------------------------  ---------------------------------------------------------
Certificate Definition   -                                        Info about requestor, product requirements, target server
Certificate Request      CSR, order history                       Private key, certificate received from CA
Certificate              Install request email, deploy history    Deployment and monitoring of certificate

 

(To be precise, private keys are also independent objects from certificate requests so that a private key can be reused)

 


2.4.      Certificate Installation

 

A server certificate issued by a CA, along with the private key, must be installed onto the target server.  Server Certificate Manager facilitates and automates this complicated and error-prone work as much as possible.

 

Server Certificate Manager offers three kinds of certificate installation methods, as follows:

 

 

Automated certificate install
·   Description: When the AUTO-INSTALL button is clicked on the Server Certificate Manager screen, the server certificate is installed on the target server.  The server administrator does not need to do any work on the target server.
·   Conditions, Limitations: Additional software and/or network configuration changes (such as firewall rules) may be required in some cases.  Server software must be supported by Server Certificate Manager.

One-click certificate installer
·   Description: The server administrator of the target server receives an install request email along with the certificate install package via email, Web or FTP.  Just executing it on the target server installs the certificate and the private key.
·   Conditions, Limitations: The Server Certificate Manager computer and the target server do not need to be connected by a network.  Server software must be supported by Server Certificate Manager.

Conventional install method
·   Description: The server administrator of the target server receives an install request email along with the certificate install package via email, Web or FTP, and unzips it to extract the files.  The certificate is then installed according to instructions from the CA and/or the server software manuals.
·   Conditions, Limitations: Can be used with any server software.

 

The current list of supported server software and the associated requirements are explained in the product Read Me file (readme_en.html).

Kousec Software, Inc. will add support for more server software products for automated installation.  We will also actively support disconnected environments where the Server Certificate Manager computer and target servers are not directly connected by a network.  Using the one-click installer, you can transport the certificate package to your iDC on a USB memory stick.  Because the certificate and private key are encrypted, you can transport them safely.

 

2.5.      Built-in Private CA

 

Server Certificate Manager has a built-in Private CA function.  Using this function, the following operations are possible.

 

1.        In the development phase, define the necessary server certificates using Server Certificate Manager.

2.        Using the built-in Private CA, issue the server certificates.

3.        Before the final testing phase, change the product vendor of all Certificate Definitions to a commercial CA, start renewal acquisitions for the certificates and deploy them.

 

Using this kind of operation, you can reduce certificate product costs during the development phase while preventing mistakes that could happen when migrating certificates.

Also, in a large project where you maintain a smaller test system for the lifecycle of the production system, you can clone all Certificate Definitions of the production system and have the Private CA issue certificates for the test system.

 

If you already have a PKI system in the company, the built-in Private CA can be configured as a subordinate CA of one of the higher-level CAs.

 

2.6.      Monitoring for Deployed Server Certificates

 

Even after you confirm that a server certificate is correctly deployed, accidents can still happen to it.  For example, a wrong certificate may be installed, or a server may be restored from a backup, reverting to the previous certificate.

 

Server Certificate Manager allows you to schedule periodic monitoring of deployed certificates, e.g., daily.  With this, you can generate a report that includes the following items.

 

1.        Whether the current certificate registered in the certificate repository is installed on the server.

2.        Whether any required intermediate CA certificates are also installed along with the server certificate.  (For many server certificates, browsers' certificate verification fails without the intermediate CA certificates.)

3.        If it is the correct certificate, the remaining days of the validity period.

4.        The status of the corresponding deployment process.

 

You can disable periodic monitoring for servers that cannot be accessed from the Server Certificate Manager computer (e.g., a server in another intranet).

 

 

 

2.7.      Discovering Unmanaged Server Certificates on Network

 

Server Certificate Manager is able to perform a network scan to uncover the server certificates used on any SSL-enabled servers.  It then analyzes all certificates found and determines whether they are valid and conform to the certificate trust policy set in Server Certificate Manager.  The analysis result is generated as a report.

 

From the report, you can also select certificates and initiate imports for them.

 

2.8.      Importing an Existing Server Certificate

 

When you start managing an existing server certificate under Server Certificate Manager, you can import the existing certificate into the certificate repository of Server Certificate Manager.  The import function in Server Certificate Manager serves two purposes.

 

1.        Extract information (such as the DN) from the existing certificate and create a Certificate Definition based on it, so that you can use it to update / renew the certificate.

2.        Use the existing certificate to monitor the current certificate as installed on the server.

 

If the existing certificate has already expired or is not installed on any server at the moment, you do not need to monitor it.  Therefore you can skip the second purpose.

 

If you also import the corresponding private key, you can make the certificate re-deployable from Server Certificate Manager in addition to being able to monitor it.

 

 

2.9.      Selection and Purchase of Server Certificates

 

Server Certificate Manager contains an up-to-date database of available SSL certificate products, and you can use it to choose one to purchase.  When renewing a certificate, even if you change the certificate product or vendor, Server Certificate Manager still handles it as a renewal process.

 

First you set up requirements in a Certificate Definition for the certificate to be acquired.  There are two ways, as follows:

 

1.        Specify a particular product from a commercial CA or the built-in private CA.

2.        Set requirements only.
Requirements include buying from a specific CA, or buying a certificate with a specific assurance level (such as EV).

 

In the Product Selection and Purchase step of the acquisition process, choose a certificate product as follows:

·         If a particular product is specified, select it.

·         If requirements are specified, choose a product on the Product Selector screen, which lists only the products that match the requirements.

 

For actual order placement, use the website of the selected CA or one of its resellers.  After placing an order, enter the order date, order number and any other tracking information in Server Certificate Manager.

 


3.     Setting Up Server Certificate Manager

 

3.1.      Basic Setup

 

Just after installation, before you start using Server Certificate Manager, you need to do basic setup.  Open the "Settings" screen under "Application".

 

The following items are required.  Please fill them in.

 

·         CertMgr Administrator Information
Email address of the person who will primarily use this product.  Notification emails for the certificate administrator will be sent to this address.

 

·         Email Settings (Outbound)
Sender settings used by the Server Certificate Manager computer when it sends out emails.

Sender Email Address   Email address used in the From header
Sender Email Name      Name used in the From header
SMTP Server Name       SMTP server name for sending.  When specifying a port, follow the name with a colon, e.g., servername:587
SMTP User Name         Username to connect to the SMTP server
SMTP Password          Password to connect to the SMTP server

 

When finished, you can click the "Send Test Email" button to check whether you can actually send an email.

 

Tip: Troubleshooting emails.  These days, access to SMTP servers is severely restricted.  If you have problems sending, use port 587 instead of the default port, and also make sure that security software (anti-virus/firewall) on the Server Certificate Manager computer does not block outbound connections to port 587.

 

 

3.2.      Changing Initial Password

 

It is strongly recommended to change the initial password for the user admin.  To do this, click Change My Password at the bottom of the "Settings" screen.

 

3.3.      Restricting Access to the CertMgr Web Server

 

After the initial install, CertMgr allows web browser access from computers with IP addresses in the range 192.168.xx.xx.  You can change this IP address range.

 

·         Open a command prompt by clicking Open Command Prompt in the Kousec Server Certificate Manager start menu.

·         Type notepad ip_acl.txt to edit the IP ACL file.  The notation is documented in comments in the file.  Changes take effect immediately after the file is saved.
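The following is an added illustration of the kind of check an IP ACL like ip_acl.txt performs; it is not Kousec's code and does not use the real file's notation (which is documented inside the file itself).  It assumes a hypothetical one-entry-per-line format where each entry is a single address or a CIDR block and '#' starts a comment, and it denies by default, so a malformed entry is rejected rather than silently widening the allow list.

```python
"""Minimal IP ACL check modelled on the ip_acl.txt access restriction.

Added example, not Kousec's code.  The real ip_acl.txt notation is documented
inside the file; this example ASSUMES a hypothetical one-entry-per-line format
(a single address or a CIDR block, '#' starts a comment).
"""
import ipaddress

# Constructed sample ACL.  192.168.0.0/16 mirrors the documented post-install
# default of allowing the 192.168.xx.xx range; the other entries are made up.
SAMPLE_ACL = """
# Browsers allowed to reach the CertMgr web server
192.168.0.0/16      # post-install default range
10.20.30.40         # a single management workstation (constructed)
fd00:1234::/32      # an IPv6 management prefix (constructed)
"""


def load_acl(text):
    """Parse ACL text into a list of ip_network objects.

    Comments and surrounding whitespace are stripped; blank lines are ignored.
    A bare address becomes a /32 or /128 network.  A malformed entry raises
    ValueError so that a typo cannot silently widen or shrink the allow list.
    """
    networks = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError as exc:
            raise ValueError(f"ip_acl line {lineno}: bad entry {entry!r}") from exc
    return networks


def is_allowed(client_ip, networks):
    """Return True only if client_ip falls inside one of the allowed networks.

    Deny by default: an empty ACL or an unparsable client address yields False.
    Address family is respected, so an IPv4 client never matches an IPv6 block.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr.version == net.version and addr in net for net in networks)


if __name__ == "__main__":
    acl = load_acl(SAMPLE_ACL)
    for ip in ("192.168.5.7", "10.20.30.40", "10.20.30.41",
               "fd00:1234::1", "8.8.8.8", "not-an-ip"):
        print(f"{ip:>16} -> {'allow' if is_allowed(ip, acl) else 'deny'}")
```

Reading the ACL at request time, as the product does (changes take effect on save), means a bad edit shows up immediately; failing closed on a malformed line is what keeps that convenience from becoming an exposure.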

 

3.4.      SSL Certificate for the CertMgr Web Server

 

An SSL certificate for the CertMgr Web Server is issued by its built-in Private CA and installed in the CertMgr Web Server at initial install time.  No Certificate Definition is created for this certificate.

 

You can obtain a new certificate from a commercial CA or issue a new one with a different DN from the built-in Private CA.  The basic procedure is as follows.

 

1.        Create a Certificate Definition by importing the existing certificate.
Import the certificate from the URL of CertMgr (https://localhost:23466/).  You do not need to start a deployment process for the imported certificate.

2.        On the Certificate Definition, start a new acquisition process to obtain a new certificate.

3.        When deploying the obtained certificate, select This CertMgr as the Server Software Type.  Also enter any character into Username for Auto-Install and Password for Auto-Install to enable automatic install of this certificate.  Then perform the auto-install of this certificate.

4.        Log out of CertMgr and restart the CertMgr service.

5.        Log in again.  When doing the deploy check, specify port number 23466.  Then run the deployment process to completion.

 

 

3.5.      Users Management

 

You can administer the users who can log in to CertMgr and carry out certificate operations.  Click "Users Management" in the lower-left corner of the "Settings" screen.

 

3.5.1.      User Privileges

 

You can set a privilege level for each user.  Users with "Admin" privilege can perform user administration tasks such as adding/modifying/deleting other users, while users with "User" privilege cannot do any of them.

 

3.6.      Advanced Configuration

 

For advanced configuration options, you can edit the following file:
 <CERTMGR_INSTALL_FOLDER>\htdocs\cake\cm\cmconfig.inc

 

It includes many options, such as setting an external server name in a reverse-proxy configuration and the path to your Java environment.

 


 

4.     Managing Certificates Using Server Certificate Manager

 

4.1.      Summary Descriptions of Each Screen

 

4.1.1.      Certificate Definitions (Overall Status of All Certificates)

On this screen, you can view Certificate Definitions and associated status of acquisition and deployment processes.

 

4.1.2.      Certificate Requests and Acquisition Processes

 

In Certificate Requests, you can see all recorded certificate requests.

 

In Acquisition Processes, you can see the list of ongoing acquisition processes and another list of Certificate Definitions that should already have started the next acquisition process but have not yet.  From this screen, you can check the progress of ongoing acquisitions.

 

4.1.3.      Certificates and Deployment Processes

 

In Certificates, you can view all recorded certificates.

 

In Deployment Processes, you can see the list of deployment processes for current certificates.  Among them, for certificates whose deploy status is either "Confirmed" or "Install Requested", the results of the daily certificate monitor are also displayed.
From this screen, you can check the progress of deployment processes and the results of daily monitoring.

 

4.1.4.      Vendor Accounts

 

When purchasing a certificate product, you generally need to create a user account on the vendor's website.  On this screen, you can record these accounts so as to make the ordering and receiving processes easier.  If you registered at multiple vendors with the same information, you can create just one entry.

 

4.1.5.      Private Keys

 

You can view the list of generated private keys.  By default, for each CSR generation, a new private key is generated.  Imported private keys are also recorded here if the imported certificate went through the deployment process.

 

4.1.6.      Monitor Control

 

In Monitor Control, you can manage monitoring functions and view history of certificate monitoring.

 

You can also adjust scheduling of periodic monitoring.

 

4.1.7.      Sent Emails

 

In Sent Emails, you can view records of all emails sent out from Server Certificate Manager.

 

4.1.8.      Certificate Discovery

 

In Certificate Discovery, you can initiate a network scan and search for any network-exposed SSL server certificates.  Then you can analyze validity of those server certificates found and bring them in under the control of Server Certificate Manager by importing them.

 

 


4.2.      Main Usage

 

4.2.1.      Import existing certificates and start managing them under Server Certificate Manager

 

You can import an existing certificate into Server Certificate Manager.  By importing, a new Certificate Definition is created based on the information in the certificate.  From the Certificate Definition, start an acquisition process at the next renewal time.

 

Also, if you prefer, you can start a deployment process for the imported certificate.

 

There are two cases for imported certificates:

 

1.        You have the private key for the existing certificate and import the private key also.

2.        You do not have or did not import the private key for the existing certificate.

 

In case 1, by starting a deployment process, you can re-deploy it from Server Certificate Manager.

In case 2, you cannot (re-)deploy it, but you can still set up certificate monitoring for it.

 

If the existing certificate is not deployed on any server, or it has expired, there is no need to monitor it.  Therefore you don't need to run the deployment process.

 

The following are the certificate file formats that can be imported:

 

·         Apache-compatible text formats ("PEM")
Typically used on Apache servers, this is a set of files consisting of the server certificate, the corresponding private key and a single file containing all required intermediate CA certificates.  These files are all text.  The private key file may be encrypted, in which case you need to provide its passphrase.

·         Windows-compatible Backup format ("PKCS#12")
Often known as "P12" or "PFX" files, this type of certificate file contains all related items in a single encrypted file whose name ends in ".p12" or ".pfx".  It typically contains the server certificate, the corresponding private key, and a set of required intermediate CA certificates.  You need to provide the passphrase for it.

·         Windows-compatible certificate formats ("CER" and "P7B")
This set of files is typically used when transporting certificates only, not the private key.  A "CER" file, in a binary format called DER, can contain one certificate, so it is used to store the server certificate.  A "P7B" file can contain multiple certificates, so it is typically used to store intermediate CA certificates.

·         Java Key Store format ("JKS")
Most Java-based application servers support this format as a Key Store (storing the server's private key and certificate) and as a Trust Store (storing the certificates of CAs that the server trusts).  Server Certificate Manager allows you to import the private key, the corresponding server certificate and any intermediate CA certificates from a JKS file that is used as a Key Store.  You need to provide the key password for the JKS file.

Importing Certificates found in Certificate Discovery

 

Rather than specifying each certificate for import, you can also initiate a certificate discovery and import the certificates that are found.  Note that in that case you cannot import the corresponding private key.

 

 

4.2.2.      Acquire a certificate

 

From the Certificate Definition that was created by importing, you can start an acquisition process for a new certificate.  For renewal, the process is similar.  Open the Certificate Definition and click the "Acquire New Certificate" button.  An acquisition process then starts and a new certificate request screen opens.

 

Product Selection : On the Select and Purchase Product screen, you can see information about the certificate products stored in Server Certificate Manager and jump to the vendor's product information page.  Once you choose a product, pressing the "Go to Vendor's Buy Page" button opens a new window showing the vendor's website.

 

Order : Almost all vendors require you to create a vendor account.  Server Certificate Manager has a "Vendor Accounts" screen where you can record account information (username, password, registered email address, etc.) and associate it with the certificate request (and Certificate Definition).  Once an order has been placed, go back to the Server Certificate Manager screen and record the order number and other information.

 

Receiving : Once the CA has issued your certificate, you will receive an email notification from the vendor at the email address registered with your vendor account.  Download the certificate and any intermediate CA certificates and enter them in Server Certificate Manager's Receive Certificate From Vendor screen.

 

Switching Current Certificate : If the received certificate is already within its validity period, you can set it as the current certificate.  If an old certificate exists, it will be replaced by this certificate.  In Server Certificate Manager, you first specify which certificate should be the current certificate, and then you start a deployment process to actually replace the certificate deployed on the server.

 

Now the acquisition process is done.  Because you switched the current certificate, the corresponding deployment process should now be active.  Follow the instructions to proceed with the deployment process.

 

4.2.3.      Deploy the certificate

 

Entering Deploy Information : Enter the information necessary to deploy this certificate.  There are three categories: the first concerns the target server, the second how you will deliver the certificate install package to the server administrator, and the third the information required for automated certificate installs.  Automated install (auto-install) is optional and is available only for some server software platforms.  For the list of supported server software types and specific instructions for each server type, please see the "Supported Server Software Products" section in the Readme file.
When finished, click "Prepare to Deploy"; the certificate install package will be created and you will proceed to the next step.

 

Requesting Certificate Install : Create an email requesting that the certificate be installed on the server.  The screen also shows the "Try auto-install" button if you entered the necessary info (username, password) for auto-install in the previous step.  Pressing this button executes the auto-install and displays the result.  If auto-install succeeded, the request email is changed to an install notification email.

Proceed to the confirmation screen and send out the email.

 

Checking Deployment : In this step, you check whether the certificate is correctly installed on the server as requested.  By default, Server Certificate Manager connects to the common name in the certificate.  If you want to check using an alternative name (such as an internal hostname), enter the name in "Server name to Check".

 

Tip: It will take some time (hours to days) for the server engineer to install the certificate you requested.  For daily operations, you can leave the deployment process screen and check the "Deployment Processes" screen, say, once a day.  On the Deployment Processes screen, you will see a list of active deployment processes and their check results from periodic certificate monitoring.  When the "result" field has become "OK", open the Certificate screen, do the deploy check again and complete the deployment process.

 

In an environment where the Server Certificate Manager computer and the target servers cannot communicate over the network, you cannot execute the deploy check or certificate monitoring from the Server Certificate Manager computer.  In that case, you must execute the deploy check manually from a location that can access the target server.  Instructions for carrying out a manual deploy check are given in Appendix A of this Users' Guide.

 

After manually checking the deployment, press the "Manually Checked Deployment" button in Server Certificate Manager and proceed to the next step.  If the network disconnection is permanent, you should also check "Disable Periodic Monitoring" to exclude the certificate from the monitoring targets.

 

Result of Deploy Check : The result of the check is displayed along with the check details.  If successful, press the "Done" button to complete the deployment process.  If the result is failure, press the "Send Result to Server Admin" button to email the result to the server administrator.  You can also show the screenshot to your network engineers and/or server engineers to solve the problem.  If the check failed, you can also press the "Continue without Checking" button to complete the deployment process.  In that case, an alert for the certificate will most likely appear in periodic monitoring.  As necessary, disable periodic monitoring by opening the Certificate screen after the deployment process is done.

 

 

4.2.4.      Daily Operations

 

Most events that need attention from the Certificate Administrator are delivered by email to the Certificate Administrator once a day.  You can also log in and check a few screens for more up-to-the-minute information.

 

The screens you should check in daily operations are Certificate Definitions (Overall Status of All Certificates), Acquisition Processes, and Deployment Processes.

 

Certificate Definitions : On this screen you can see, for all Certificate Definitions, the acquisition status of the current and next certificates and the deployment status of the current certificate, in simplified form.


 

[Figure: Part of Certificate Definition columns]

 

 

 

Acquisition Processes : On this screen you can see the list of ongoing acquisition processes and the list of Certificate Definitions that have certificates expiring within 60 days and have not yet started the next acquisition process.  You can take the following actions on this screen:

 

1.        Open the Certificate Definition and start a renewal acquisition process.

2.        Open a certificate request that has not progressed well and expedite the process by resolving any issues found.

 

Deployment Processes : On this screen, you can see the list of ongoing deployment processes and the list of Certificate Definitions whose current certificates have failed the deploy check (for some reason) in periodic monitoring.  You can take the following actions on this screen:

 

1.        Open the certificate that has not progressed well and expedite the process by resolving any issues found.

2.        For deployment processes whose status is "Install Requested", if any have a monitor result of "OK", open that certificate, do the deploy check and complete the deployment process.

3.        If any certificate has deploy status "Confirmed" but monitor result "NG", click on the monitor result to see the detailed result.  Troubleshoot the issue (e.g., email the server engineer).

 

 

Also, in Monitor Control, you may want to check results of daily certificate monitoring.

4.3.      Certificate Monitoring

You can set up certificate monitoring for deployed certificates.  Imported and deploy-checked certificates are also monitored.

4.3.1.      Server names

It is important to know that Server Certificate Manager distinguishes between several server name types.

  Name Type                      Description
  Common name                    Official computer name for end users (domain name)
  Server name                    Computer name used as the certificate install target
  Server name for Check/Monitor  Either the common name, the server name, or any other
                                 alternative name or IP address.  It must be a name that
                                 the Server Certificate Manager computer can reach over
                                 the network.

When doing a deploy check on a computer, Server Certificate Manager does not require that the server name match the common name or any name in the Subject Alternative Names (SAN).  Rather, it checks whether the certificate on the server matches the certificate in the CertMgr repository that you declared as the current certificate.  This check is done by comparing the SHA1 hashes of the two certificates.
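
The following PowerShell script is an added example and is not part of Server Certificate Manager; it reproduces the deploy check described above with standard .NET classes, so that you can run the same comparison by hand (compare Appendix A, Manual Deploy Checking).  The function name Test-DeployedCertificate, its parameter names, and the sample host 10.0.0.5 and file path in the example call are assumptions, not names used by the product.

```powershell
# Added example (not Kousec CertMgr code): reproduce the deploy check with .NET.
# Assumptions: $ServerName is the "Server name for Check/Monitor" (any name or IP
# this computer can reach), $ExpectedCertPath is the PEM or DER file of the
# certificate declared current in the repository.
function Test-DeployedCertificate {
    param(
        [Parameter(Mandatory)] [string] $ServerName,        # name or IP that this host can reach
        [Parameter(Mandatory)] [string] $ExpectedCertPath,  # repository copy of the current certificate
        [int]    $Port = 443,
        [string] $SniName = $ServerName                     # name sent in SNI; may differ from $ServerName
    )

    # Repository copy.  X509Certificate2 loads both PEM and DER files.
    $expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ExpectedCertPath)

    # Fetch the certificate the server actually presents.  Chain and name validation
    # are skipped on purpose: as in the deploy check, only the hash comparison decides.
    $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $client = New-Object System.Net.Sockets.TcpClient($ServerName, $Port)
    $ssl = $null
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($SniName)
        $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }

    # .NET's Thumbprint is the SHA-1 hash of the DER-encoded certificate, i.e. the same
    # value the deploy check compares.  Subject and NotAfter are reported only to help
    # troubleshooting; they do not influence the result.
    [pscustomobject]@{
        ServerName    = $ServerName
        ServedSubject = $served.Subject
        ServedSha1    = $served.Thumbprint
        ExpectedSha1  = $expected.Thumbprint
        NotAfter      = $served.NotAfter
        Match         = ($served.Thumbprint -eq $expected.Thumbprint)
    }
}

# Example call (constructed values): check what 10.0.0.5 serves against the
# repository's current certificate, sending the common name in SNI.
# Test-DeployedCertificate -ServerName 10.0.0.5 -ExpectedCertPath 'C:\certs\www_current.pem' -SniName www.example.com
```

Match is the only field that decides the outcome; a mismatch with a served subject equal to the expected one usually means the server still holds the previous certificate with the same DN, which is exactly the case a name-based check would miss.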

4.4.      Certificate Discovery

In Certificate Discovery, you can initiate a network scan and search for any network-exposed SSL server certificates.  You can then analyze the validity of the server certificates found and bring them under the control of Server Certificate Manager by importing them.

4.5.      Backing up Data in Server Certificate Manager

The data that need to be backed up are stored in the following three folders:

  CERTMGR_HOME/db            (Main database.  Contains everything other than the below)
  CERTMGR_HOME/DocFolders    (Documents in document folders and generated certificate package files)
  CERTMGR_HOME/myca          (Database of the built-in Private CA)

Stop the Kousec CertMgr service and back up these folders.

If you restore the backup data to a Server Certificate Manager instance that is installed in another folder, copy the backup data over and then run "cm_config.bat" from the CertMgr Command Prompt.
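
The following PowerShell script is an added example, not a tool shipped with Server Certificate Manager.  It carries out the procedure above: stop the service, copy the three folders into a timestamped backup folder, and restart the service even if the copy fails.  The function name, the Windows service name 'Kousec CertMgr' (this guide calls it the Kousec CertMgr service but does not give the exact service name; confirm it with Get-Service), and the sample paths are assumptions.

```powershell
# Added example (not Kousec CertMgr tooling): back up CERTMGR_HOME/db,
# CERTMGR_HOME/DocFolders and CERTMGR_HOME/myca with the service stopped.
# Assumptions: the service is registered as 'Kousec CertMgr' (verify with
# Get-Service) and $CertMgrHome is the CertMgr installation folder.
function Backup-CertMgrData {
    param(
        [Parameter(Mandatory)] [string] $CertMgrHome,
        [Parameter(Mandatory)] [string] $BackupRoot,
        [string] $ServiceName = 'Kousec CertMgr'   # assumption; check Get-Service
    )
    $folders = 'db', 'DocFolders', 'myca'
    $dest = Join-Path $BackupRoot ('certmgr_{0:yyyyMMdd_HHmmss}' -f (Get-Date))

    # Stop the service first so the database and the CA store are not copied mid-write.
    Stop-Service -Name $ServiceName
    (Get-Service -Name $ServiceName).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))
    try {
        New-Item -ItemType Directory -Path $dest -Force | Out-Null
        foreach ($name in $folders) {
            $src = Join-Path $CertMgrHome $name
            if (-not (Test-Path $src)) { throw "Missing folder: $src" }
            # /E copies subfolders including empty ones; /R and /W bound retries on locked files.
            robocopy $src (Join-Path $dest $name) /E /R:2 /W:5 /NFL /NDL /NJH /NJS | Out-Null
            # robocopy exit codes 0-7 mean success; 8 and above report copy failures.
            if ($LASTEXITCODE -ge 8) { throw "robocopy failed for $name (exit code $LASTEXITCODE)" }
        }
    } finally {
        # Always bring the service back, even when the copy failed.
        Start-Service -Name $ServiceName
    }
    $dest   # path of the backup just written
}

# Example call (constructed paths):
# Backup-CertMgrData -CertMgrHome 'C:\Kousec\CertMgr' -BackupRoot 'D:\Backups'
```

The db and myca folders hold the private keys managed by CertMgr and the built-in Private CA's database, so give the backup destination the same access restrictions as CERTMGR_HOME itself.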

4.6.      [Optional] Configuring Private CA

By default, the built-in Private CA is configured as follows:

CA's distinguished name (DN)

  Organization Name : Kousec CertMgr Built-in Private CA
  Common Name : Kousec CertMgr Auto-Generated CA <timestamp-of-CA-generation>

Tip: If you already have a private CA in your company that runs on Windows Server PKI, you can also make the built-in private CA part of your PKI hierarchy.  This way, you do not have to deploy another trusted CA root certificate in your company.  To do that, you need to obtain the certificate for this built-in private CA from one of your higher CAs.  There is a supported procedure for this kind of deployment.  Please contact Kousec Software for details.

You can change this information with the following instructions.  First, open a command window by clicking the "Open Command Window" shortcut.

1.        Back up the database of the current Private CA

Rename the CA folder:
> ren myca  myca_default

2.        Create a new CA

Create a new root CA:
> gencert -setup_ca -2

Enter the DN and other information for the new CA.  When asked for the CA's password, enter "orenosp" (without the double quotes).
Important: We recommend not reusing identical DN information.  Specify a unique DN, for example by putting a date or serial number in the common name.

You can see the information for the new CA:
> gencert  -info

3.        Add the certificate of the new CA to the Deploy Check tool.

The following command shows the private CA's certificate in text format (PEM):
> gencert  -show_cacert

Open the file CERTMGR_HOME\ssl.crt\ca-bundle-cert.pem in a text editor and paste this text at the end of the file.

4.        Generate a CRL file from the new CA

> gencert -gen_crl -p:orenosp -f

5.        Log in to CertMgr and open the Private CA screen

Click the button "Create CA Cert Installer" to re-create the Private CA certificate installer package.

Appendix A       Manual Deploy Checking