Creating a certificate installation
It is important to track where certificates are installed. With Trust Protection Platform you can manually track where a certificate is installed, have the platform validate the installation automatically every day, or have it install the certificate on the target device for you.
You perform these tasks by adding an installation. Add one installation for every place a certificate is deployed in your environment: if a certificate is, or should be, installed in five places, add five installations in TLS Protect.
DID YOU KNOW? If you want an Entrust nShield HSM to protect the private keys for your Apache HTTP servers, you can create multiple installations. When you create two or more installations for the same certificate, an Application Group appears in the Policy Tree. An Application Group is a set of Application objects that share the same certificate. Application Groups can only be viewed and edited in the Policy Tree; deleting one is not advisable.
You can use the Add Installation wizard to create an installation for a certificate on a specific device. The wizard is not available if either of the following applies:
- The certificate state is Lost, In Error, or Retired.
- The certificate management type is Unassigned.
NOTE You must have view, read, and write permissions to the certificate and you must have create and write permissions on the target device.
To add an installation to a certificate
- From the TLS Protect menu bar, click Inventory > Certificates.
- Using the filters, locate the certificate that has a Provisioning management type. For more information, see Finding assets using filters on the Certificate Inventory list.
- On the inventory list, open the quick action drop-down for the certificate and click Add Installation. You can create more than one installation for the same certificate.
CAUTION When you create a second installation for an Apache HTTP server whose private key is protected by an Entrust nShield HSM, an Application Group appears in the Policy Tree.
Although Application Groups are created and managed automatically in Aperture, they are only visible in the Policy Tree. To avoid unexpected results in the Policy Tree, do not delete Application Groups.
- In the Add a New Installation wizard, select the method to track and manage the certificate, and then click Next. The options on subsequent screens depend on the tracking level you select:
- Track this certificate. Use this option when you download and install the certificate on the device manually. Venafi tracks the certificate so you are notified when renewal is due.
- Track and validate this certificate. Use this option to have the installation validated daily. If the certificate is not yet on the device, you download and install it once. After that, each day Venafi connects to the device using the configured hostname and port and confirms that the correct version of the certificate is being served. The device must therefore be reachable from Trust Protection Platform on that port.
- Track, validate, and automate installation of this certificate. Use this option to automate the certificate lifecycle on the device. If the certificate is absent from the device, Venafi installs it automatically. After that, each day Venafi confirms the certificate version and, when necessary, requests an updated certificate and installs it on the device.
- In the Add a New Installation window, select an existing device, or create a new one, on which the certificate should be installed.
- If the device already exists, search and select it. However, if the device already contains an installation of this certificate, a warning appears. Only add the device if you want multiple applications on a device to use the same certificate.
- If the device is missing, click Create a New Device, and then provide the device address and the folder location where the device should be stored.
- In the same window, specify any other information that is required. For example:
- If the tracking level includes validation, specify the port number that Venafi should connect to.
- If necessary, select a driver as the Installation Type.
- Click Add Installation, or, if you want the device to hold more than one copy of the certificate, click Add Anyway.
- If you are automating installation of the certificate on this device, see Edit a certificate's installation details.
- If you are installing the certificate on this device manually, click Download Certificate. If necessary, specify the certificate format, chain order, and password, and then click Download Installation.
IMPORTANT When the Add Installation wizard completes, you still need to take the certificate you've downloaded and install it on the target device. Failure to do so will result in inaccurate reporting in Trust Protection Platform.
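For a manually installed certificate, it is worth confirming the installation yourself rather than waiting for the next daily validation to flag a mismatch. The script below is an added example and is not part of Trust Protection Platform; it performs the same kind of check the "Track and validate" option describes: it connects to the hostname and port, reads the certificate the device actually serves, and compares its thumbprint with the one you expect. The function names, the `ServedCert` result type, and the command-line usage are this example's own assumptions. Chain verification is deliberately turned off so that a wrong, expired, or self-signed certificate is still reported rather than causing a handshake error, and SNI is sent so that a server hosting several names returns the certificate for the name you are checking instead of its default.

```python
"""Confirm that a device is serving the expected certificate version.

Added example, not part of Trust Protection Platform. It reproduces the
hostname:port check that 'Track and validate' performs daily so that a manual
installation can be verified immediately after the certificate is deployed.
"""
import hashlib
import socket
import ssl
from dataclasses import dataclass


@dataclass
class ServedCert:
    """What the device presented, plus whether it matched the expected thumbprint."""
    sha1: str      # colon-separated uppercase hex, the form most consoles display
    sha256: str
    matches_expected: bool


def thumbprint(der: bytes, algo: str = "sha256") -> str:
    """Return the digest of a DER-encoded certificate as AA:BB:CC:... (uppercase)."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalize(fp: str) -> str:
    """Strip separators and case so thumbprints copied from any UI compare equal."""
    return fp.replace(":", "").replace(" ", "").upper()


def compare_served(der: bytes, expected_fp: str) -> ServedCert:
    """Pure comparison step, kept separate from the network call so it can run offline.

    The expected value may be either a SHA-1 or a SHA-256 thumbprint, with or
    without colons, in any case.
    """
    sha1 = thumbprint(der, "sha1")
    sha256 = thumbprint(der, "sha256")
    matches = _normalize(expected_fp) in {_normalize(sha1), _normalize(sha256)}
    return ServedCert(sha1=sha1, sha256=sha256, matches_expected=matches)


def fetch_served_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Return the DER leaf certificate the device presents for `host` on `port`.

    Verification is disabled on purpose: the goal is to observe what is served,
    even when it is the wrong or an expired certificate. server_hostname sends
    SNI so a virtual host returns the certificate bound to this name.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def validate_installation(host: str, port: int, expected_fp: str) -> ServedCert:
    """Connect to the device and report whether it serves the expected certificate."""
    return compare_served(fetch_served_cert(host, port), expected_fp)


if __name__ == "__main__":
    # Usage (hypothetical): python check_install.py www.example.com 443 <thumbprint>
    import sys

    host, port, expected = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    result = validate_installation(host, port, expected)
    status = "MATCH" if result.matches_expected else "MISMATCH"
    print(f"{host}:{port} {status}")
    print(f"  served SHA-1   {result.sha1}")
    print(f"  served SHA-256 {result.sha256}")
    sys.exit(0 if result.matches_expected else 1)
```

Run it against the device's address and the port you entered in the wizard, pasting the thumbprint shown for the certificate in TLS Protect. A MISMATCH after you have copied the files into place usually means the service has not been restarted or reloaded, or that the certificate was installed for a different virtual host than the one the validation connects to.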