Managing private keys
SSL certificates that are managed by the PKS are indicated in the Private Key column on the SSL Certificates page.
Private key management, including manual upload, download, and deletion, is performed in the SSL Certificate dialog, which you open from the SSL Certificates page.
Uploading and downloading private keys
To upload or download the private key associated with a managed certificate using the PKS, you must be logged in to SCM on a computer in the same local network on which the PKS agent is installed, and have a personal authentication certificate installed on your computer.
Private keys can only be uploaded and downloaded by administrators who have a valid client certificate selected under the Certificate Auth option in their administrator settings.
On download, the PKS retrieves a copy of the certificate from SCM over an encrypted connection, merges it with the private key, and provisions the certificate to the requestor. This ensures the private key doesn’t leave the network.
Although the upload or download is initiated via SCM, the private key is not transferred to the SCM servers, and the private key never leaves your network.
Remove private keys
- Navigate to .
- Select the appropriate certificate and click Details.
- In the SSL Certificate dialog, select the Management tab, and expand Locations.
- Next to the Private Key Agent location, click Delete.
Backing up private keys
You can configure backup for the PKS on a remote SFTP server and run scheduled backups. If the PKS agent is lost, you can restore the keys from the backup by creating another PKS on the same or a different server on your local network and configuring it from the Private Key Store page.
Back up private keys
- Navigate to .
- Complete the Backup Settings fields based on the information provided in the following table.

| Field | Description |
| --- | --- |
| SFTP location | The path on the SFTP server where the PKS backup is to be created |
| SFTP User | The username of your account on the SFTP server |
| SFTP Password | The password of your account on the SFTP server |
| Backup File Password | The password for your backup file. This is required when restoring from the backup. |
| Frequency | The schedule for how and when backups should occur. Manual — Backups are run manually on the Private Key Agent page. You should run the backup every time a new private key is uploaded to the PKS or a new certificate is enrolled using the CSR auto-generator. Daily — (Recommended) Backups are run daily at the time specified in the Next backup at list. |

- Click Save.
Restore private keys
- Navigate to .
- Complete the Restore Existing Private Keys Store From Backup fields based on the information provided in the following table.

| Field | Description |
| --- | --- |
| SFTP file location | The path on the SFTP server where the PKS backup is to be created |
| SFTP User | The username of your account on the SFTP server |
| SFTP Password | The password of your account on the SFTP server |
| Backup File Password | The password for your backup file |

- Click Restore.