Associating certificates with multiple applications (one-to-many)

In many network environments, such as a multi-web server deployment supporting a corporate website, one certificate might be installed on multiple applications. This would be considered a one-to-many configuration.

One-to-Many Certificate Configuration

Trust Protection Platform simplifies the distribution of certificates and private keys for one-to-many configurations. If you choose to associate multiple applications with one certificate on the certificate object’s Associations tab, Trust Protection Platform can push the certificate and private key to the new servers. For more information, see Pushing Certificates and Private Keys to Applications.

IMPORTANT  When one or more of the following is true, Remote Generation is not supported and the Generate Key/CSR on Application setting is therefore ignored:

  • You're using a driver that does not support remote generation.

    To learn which drivers support remote generation, see Supported integrations: devices, applications, services and features supported by Venafi.

  • You're using a self-signed CA template to enroll the certificate. Self-signed CA templates do not work with remote generation because Trust Protection Platform must hold the private key centrally in order to sign the self-signed certificate.

  • Your certificate is associated with more than one application, that is, you're doing one-to-many provisioning. Remote generation works only when the certificate is associated with exactly one application.

  • The certificate's management type setting is not set to Provisioning.
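The following script shows the one-to-many association described above done against the Trust Protection Platform REST API instead of the Associations tab, with a pre-flight check that reports when the Generate Key/CSR on Application setting would be ignored. It is an added example, not Venafi's code. It assumes the WebSDK endpoint POST /vedsdk/Certificates/Associate taking a JSON body of CertificateDN, ApplicationDN (a list) and PushToNew, and an OAuth bearer token in the Authorization header; the hostname, DNs and token are placeholders.

```python
"""Associate one certificate with several Application objects and ask TPP to
push the certificate and private key to the newly associated servers.

Added example, not Venafi's code. Assumed API: POST {base}/vedsdk/Certificates/Associate
with {"CertificateDN": ..., "ApplicationDN": [...], "PushToNew": bool} and an
OAuth bearer token. Hostname, DNs and token below are placeholders.
"""
import json
import urllib.request


def remote_generation_ignored(application_dns, management_type,
                              driver_supports_remote_generation,
                              self_signed_template):
    """Return the reasons (possibly none) why TPP will ignore the
    'Generate Key/CSR on Application' setting for this configuration."""
    reasons = []
    if not driver_supports_remote_generation:
        reasons.append("driver does not support remote generation")
    if self_signed_template:
        reasons.append("self-signed CA template needs the key stored centrally")
    if len(application_dns) != 1:
        reasons.append("certificate must be associated with exactly one "
                       "application (one-to-many provisioning)")
    if management_type != "Provisioning":
        reasons.append("management type must be Provisioning")
    return reasons


def build_associate_request(base_url, token, certificate_dn, application_dns,
                            push_to_new=True):
    """Build (url, headers, body) for the assumed Certificates/Associate call."""
    url = base_url.rstrip("/") + "/vedsdk/Certificates/Associate"
    headers = {"Authorization": "Bearer " + token,
               "Content-Type": "application/json"}
    body = {"CertificateDN": certificate_dn,
            "ApplicationDN": list(application_dns),
            "PushToNew": push_to_new}   # push cert + key to the new servers
    return url, headers, body


def _http_post(url, headers, data):
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


def associate(base_url, token, certificate_dn, application_dns,
              push_to_new=True, send=_http_post):
    """POST the association. `send(url, headers, body_bytes)` is injectable so
    the request can be exercised without a live TPP server."""
    url, headers, body = build_associate_request(
        base_url, token, certificate_dn, application_dns, push_to_new)
    return send(url, headers, json.dumps(body).encode())


if __name__ == "__main__":
    apps = [r"\VED\Policy\Web\web01\HTTPS", r"\VED\Policy\Web\web02\HTTPS"]
    for reason in remote_generation_ignored(apps, "Provisioning", True, False):
        print("note: Generate Key/CSR on Application will be ignored:", reason)

    # Dry run: echo the request instead of sending it to a placeholder host.
    def dry_run(url, headers, data):
        print("POST", url, data.decode())
        return {"Success": True}

    print(associate("https://tpp.example.com", "<oauth-token>",
                    r"\VED\Policy\Web\www.example.com", apps, send=dry_run))
```

Because the key is generated centrally for one-to-many certificates, the only way the new servers receive the private key is the push that PushToNew triggers; the pre-flight check exists so that an operator who has switched on Generate Key/CSR on Application is told it will be ignored rather than discovering it when the second server never gets a key.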

If a certificate is already deployed on multiple servers, Trust Protection Platform can detect this during a standard Network Discovery and bring the certificate and all of its installations under management. During this process, Trust Protection Platform configures each unique instance of the certificate for validation and automatically creates a corresponding Basic Application object for each system on which the certificate is installed. Each Basic Application object is automatically associated with the Certificate object and, if enabled, an Alias of the Certificate object appears under each Basic Application object.
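The detection step above rests on a simple idea: fingerprint the leaf certificate each endpoint presents and group endpoints that present the same fingerprint, since each such group is one Certificate object with several Basic Application objects. The script below is an added example of that grouping, not Venafi's discovery engine. The endpoint names and certificate bytes in the sample are constructed so it runs offline; the real fetcher uses only the standard library.

```python
"""Group TLS endpoints by the certificate they present, the way a network
discovery does when it finds one certificate installed on several servers.

Added example, not Venafi's code. SAMPLE_CERTS and the hostnames are
constructed test data; fetch_leaf_der is the live path.
"""
import hashlib
import ssl
from collections import defaultdict


def fetch_leaf_der(host, port=443):
    """Fetch the server's leaf certificate over TLS and return it as DER."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def fingerprint(der):
    """SHA-256 over the DER encoding: identical bytes, identical certificate."""
    return hashlib.sha256(der).hexdigest()


def group_by_certificate(endpoints, fetch=fetch_leaf_der):
    """Map fingerprint -> sorted 'host:port' list of endpoints presenting it.
    Unreachable endpoints are skipped, not fatal, as in a network scan."""
    groups = defaultdict(list)
    for host, port in endpoints:
        try:
            der = fetch(host, port)
        except OSError as exc:          # DNS failure, refused, handshake error
            print(f"skip {host}:{port}: {exc}")
            continue
        groups[fingerprint(der)].append(f"{host}:{port}")
    return {fp: sorted(hosts) for fp, hosts in groups.items()}


def one_to_many(groups):
    """Only the certificates installed on more than one endpoint."""
    return {fp: hosts for fp, hosts in groups.items() if len(hosts) > 1}


# Constructed sample: web01 and web02 share the corporate-site certificate,
# web03 has its own, web04 is unreachable.
SAMPLE_CERTS = {
    "web01.example.com": b"constructed-der-bytes-corporate-site",
    "web02.example.com": b"constructed-der-bytes-corporate-site",
    "web03.example.com": b"constructed-der-bytes-intranet",
}


def sample_fetch(host, port=443):
    if host not in SAMPLE_CERTS:
        raise OSError(f"no route to {host}")
    return SAMPLE_CERTS[host]


SAMPLE_ENDPOINTS = [(h, 443) for h in
                    ("web01.example.com", "web02.example.com",
                     "web03.example.com", "web04.example.com")]


def scan_sample():
    """Run the grouping over the constructed sample and return the
    one-to-many groups (fingerprint -> endpoints)."""
    return one_to_many(group_by_certificate(SAMPLE_ENDPOINTS, fetch=sample_fetch))


if __name__ == "__main__":
    for fp, hosts in scan_sample().items():
        print(f"{fp[:16]}... installed on {len(hosts)} endpoints: {hosts}")
```

Hashing the DER rather than comparing subject names is what makes the grouping reliable: two servers with the same subject but separately enrolled certificates are two Certificate objects, not one one-to-many certificate, and a hostname-based comparison would conflate them.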

Alias objects are hidden by default. To view them in the Policy tree, enable the Show Aliases option.

To simplify administration of one-to-many certificates, Trust Protection Platform tracks status and sends notifications for each certificate instance separately, so that when a certificate fails, administrators know every affected server rather than only the first one reported.

For more information on bringing one-to-many certificates under management via Discovery, see Bringing network certificates under management.