The S-Series can manage computer certificates, such as server certificates, and application certificates, such as those used by web applications.
Follow the instructions in this article to configure and manage certificates in this scenario.
Step 1 - Setup Certificate Management Template
The first task is to add a certificate management template that will be used to manage the certificate(s). In this example computer certificates will be managed.
1. From Templates - Certificate Management Templates click the Add button.
2. Enter a template name and a comment if required. For Certificate Authority enable the Connect to CA check box and select the CA that will be used when managing the certificates.
Important: Only an already configured MS CA template can currently be used.
3. In the Revocation Options, the Revoke certificates at CA option is always enabled and cannot be disabled. It is shown here for information purposes. Enable the Force certificate revocation at CA (Fail if CA is not reachable) option if the certificate revocation must be aborted when, for some reason, the CA is not available. If this option is not enabled and the CA is not available during the revocation, the S-Series will cache the revocation request and attempt to revoke the certificate when an operator logs on again.
In the Expiration Options enable the Notify when certificate expires option and enter the number of days before the certificate expiration that the person who is configured to be notified shall receive an email notification. Click the Notifications button to configure the email notification. Click the Add button to add a template. Enter a template name and select the Outgoing Email Server from the drop-down list. The email server connection will need to be already configured from Options - Connections - Email. Click the Edit email template button. Enter a From and To email address into the fields available. Enter a CC and BCC if required. Enter an appropriate subject for the email.
For the email body two options are available: HTML or text. If HTML is selected it will be necessary to import an MHT file which contains the content of the email body. MHT files can be created using MS Word, for example. S-Series variable names can be used, which will be replaced with actual data from a directory.
If text is selected, enter the appropriate message body and use S-Series variables to populate specific details. When editing text in this window, press Ctrl + Enter to go to a new line.
Important: When adding variable placeholders to either MHTML or plain text, the variables need to be entered correctly; the variables are case sensitive.
4. From the Permissions section, it is possible to configure the operator roles who will be allowed to configure this template. Click the Edit button to adjust the operator role(s) who are allowed to configure this template.
Step 2 - Configure Certificate Requests
The next step will be to add server certificates that can be managed by the S-Series.
1. From the Actions - Request Certificates page click the Add button to browse to a location where certificate requests of type PKCS#10 are located and select one. Additionally, it is possible to select certificates of CER or DER format.
Important: Only certificate requests of type PKCS#10 are currently supported.
2. Depending on the type of certificate that was added, different options will be available. If the certificate added is of type CER or DER then select the certificate from the table and click the Manage button. The Status will change to Managed in the table.
If the certificate is of type PKCS#10 then select the certificate request from the table and click the Request button. The S-Series in this case will be acting as a PKCS#10 proxy. The request will be sent to the MS CA already configured in step 1 above. Once the request has been successfully processed by the CA the status will change to Issued. Then it will be possible to select the entry and click the Manage button to allow the S-Series to fully manage the lifecycle of the certificate. The status will state at this time that the certificate is Managed - not saved. This means that the certificate is fully managed by the S-Series but the certificate has not been saved as a CER or DER. It may be necessary to save a certificate as a CER or DER so that it can be provided back to the original requestor, for example.
Important: Once a certificate is managed by the S-Series it can be deleted from the table.
3. Select any record in the table and click the Delete button to delete the record from the table. This will not result in the S-Series terminating the management of the lifecycle of the certificate.
4. Select any record in the table and click the View button to see additional information about the certificate or certificate request if required.
5. Select any record in the table and click the Save button to save the selected managed certificate as a CER or DER certificate. The Save button will only be available for certificates of type PKCS#10 or for certificates that have been issued from a PKCS#10.
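Before a PKCS#10 file is added on the Request Certificates page, it helps to confirm that it really is a well-formed request. The following is an added example, not part of the S-Series documentation: it assumes the OpenSSL command line tool, and the host name, file names and the 2048-bit RSA floor are illustrative assumptions.

```shell
#!/bin/sh
# Added example. Host name, file names and the 2048-bit floor are assumptions,
# not S-Series settings.

# make_csr DIR FQDN: create a private key and a PKCS#10 request for FQDN in DIR.
make_csr() {
    ( umask 077   # the unencrypted key file must be readable by its owner only
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$1/$2.key" -out "$1/$2.csr" \
          -subj "/CN=$2" -addext "subjectAltName=DNS:$2" 2>/dev/null )
}

# check_csr FILE: succeed only if FILE parses as PKCS#10, its self-signature
# verifies (the requester holds the private key) and the RSA key is at least
# 2048 bits. Prints the subject so it can be compared with what was asked for.
check_csr() {
    out=$(openssl req -in "$1" -noout -verify -text 2>&1) || return 1
    # Older OpenSSL builds exit 0 on a bad signature, so match the message.
    printf '%s\n' "$out" | grep -q 'verify OK' || return 1
    bits=$(printf '%s\n' "$out" |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    [ "${bits:-0}" -ge 2048 ] || return 1
    openssl req -in "$1" -noout -subject -nameopt RFC2253
}

# Constructed demo run in a throwaway directory.
demo_dir=$(mktemp -d)
make_csr "$demo_dir" server01.example.test &&
    check_csr "$demo_dir/server01.example.test.csr"
rm -rf "$demo_dir"
```

The size check is written for RSA keys; a request carrying an elliptic-curve key would need a different threshold.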
Step 3 - Manage Certificates from Repository
Once the certificate(s) have been added through step 2 above it is possible to view the status of these certificates from the Repository - Certificates page.
All certificates, including certificates that are managed on smart card tokens, will be viewable from here. It is possible to filter the records based on the template or based on the expiration criteria. The Certificate Expiration view on the right will give a visual representation of the current status of all certificates managed by the S-Series.
Select an entry and click the View button to see additional information about the certificate.
Important: The S-Series will only store specific information about the certificate and not the entire certificate file. The entire information that the S-Series will store for the certificate is displayed in the View page.
Select an entry and click the Revoke button to revoke the certificate on the CA. It will only be possible to revoke certificates that are not managed and issued to smart card tokens in this case.
Select an entry and click the Delete button to remove the management of the certificate from the S-Series. It will only be possible to delete certificates that are not managed and issued to smart card tokens in this case.
Click the Copy button to copy all of the table information into the system clipboard from where it can be saved as a CSV file.