Managing private keys

SSL certificates that are managed by the private key agent are indicated in the Private Key column on the SSL Certificates page.

Private key management, including manual upload, download, and deletion, is performed by navigating to the SSL Certificate dialog accessed through the SSL Certificates page.

Uploading and downloading private keys

To upload or download the private key associated with a managed certificate, you must be logged in to SCM on a computer in the same local network on which the private key agent is installed, and have a personal authentication certificate installed on your computer.

When downloaded, the private key agent retrieves a copy of the certificate from SCM over an encrypted connection, merges it with the private key, and provisions the certificate to the requestor. This ensures the private key doesn’t leave the network.

Although the download is initiated via SCM, the private key is not transferred to the SCM servers, and the private key never leaves your network.

Upload private keys

  1. Navigate to Certificates  SSL Certificates.

  2. Select the certificate to which you want to upload private keys, and click View.

  3. Select the Management tab, and expand Locations.

  4. Click Create, and select Import Private Key.

  5. Paste the private key or click Upload From File and select the private key.

  6. Enter the Key Passphrase.

  7. Click Save.

Download public and private keys

  1. Navigate to Certificates  SSL Certificates.

  2. Select the certificate from which you want to download private keys, and click View.

  3. Click the Download icon.

  4. Select Certificate and Private Key.

  5. Select the appropriate download format.

    The supported formats are:

    • .p12

    • .jks

    • .pem

  6. Set the passphrase for the private key download.

  7. Click Download.

Remove private keys

  1. Navigate to Certificates  SSL Certificates.

  2. Select the certificate from which you want to remove stored private keys, and click Details.

  3. In the SSL Certificate dialog, select the Management tab, and expand Locations.

  4. Next to the Private Key Agent location, click Delete.

Back up private keys

When using a Local PKS, you can configure backup for the private key agent on a remote SFTP server and run scheduled backups.

While backup is only available for a Local PKS, you can restore keys from the backup to any PKS.
  1. Navigate to Integrations  Private Key Agent.

  2. Complete the Backup Settings fields based on the information provided in the following table.

    Field Description

    SFTP location

    The path on the SFTP server where the backup is to be created.

    SFTP User

    The username of your account on the SFTP server.

    SFTP Password

    The password of your account on the SFTP server.

    Backup File Password

    The password for your backup file.

    This is required when restoring from the backup.

    Frequency

    The schedule for how and when backups should occur.

    • Manual — Backups are run manually on the Private Key Agent page.

      You should run the backup every time a new private key is uploaded to the PKS or a new certificate is enrolled using the CSR auto-generator.

    • Daily — (Recommended) Backups are run daily at the time specified in the Next backup at list.

  3. Click Save.

Restore private keys

If the private key agent is lost, you can restore the keys from your backup by installing another private key agent and configuring it from the Private Key Store page.

  1. Navigate to Integrations  Private Key Agent.

  2. Complete the Restore Existing Private Keys Store From Backup fields based on the information provided in the following table.

    Field Description

    SFTP file location

    The path on the SFTP server where the backup is to be created.

    SFTP User

    The username of your account on the SFTP server.

    SFTP Password

    The password of your account on the SFTP server.

    Backup File Password

    The password for your backup file.

  3. Click Restore.