
Provision certificates to machines

TLS Protect Cloud can provision certificates directly to the certificate keystores of machines you have defined. If you haven't yet created the machine to which you want to provision the certificate, start there first. Otherwise, follow the steps below.

Before you begin

Note

Only certificates with an associated private key can be provisioned. Certificates must have the status of "new" or "installed"; otherwise, the provisioning will fail.

F5 BIG-IP LTM

You can provision a certificate to an existing SSL profile on your F5, or you can use TLS Protect Cloud to create a new SSL profile for you. The steps below walk you through both scenarios.

  1. Sign in to TLS Protect Cloud.
  2. Click Installations > Machines.
  3. Click the checkbox next to the F5 BIG-IP LTM machine that you want to provision a certificate to.
  4. Click Provision a certificate.
  5. From the Choose a certificate from the inventory field, begin typing the certificate name you want to provision. Click the certificate when you see it listed.

    Verify that you've selected the correct certificate by reviewing the Subject DN, Validity, and Fingerprint.

  6. In the Certificate Name field, enter the name for this certificate as you want it to appear on your F5.

    What if the name is already in use on the F5?

    When provisioning a certificate to the F5, TLS Protect Cloud checks to see if the name you enter in this field is already in use.

    • If the name you enter isn't in use, TLS Protect Cloud will use it.
    • If the name is in use, TLS Protect Cloud checks to see if it's the same certificate. If so, TLS Protect Cloud uses the certificate that is already on the F5.
    • If the name is in use, but it's a different certificate, then TLS Protect Cloud creates a new certificate. A unique certificate name will be generated using a combination of the certificate name entered in this field, the expiration date from the certificate, and a unique numerical value, such as my-cert-name_22Oct05_3117.
  7. In the Chain Bundle Name field, enter the name for the CA certificate bundle as you want it to appear on your F5.

    Note

    Possible scenarios and results for F5 chain CA certificates:

    • If the bundle does not exist, then we create the bundle with the issuing certificates.
    • If the bundle already exists and matches exactly (with the same number of issuing certificates in the same order and containing the same certificates), no changes are made to the F5. The provisioning process proceeds as if TLS Protect Cloud created it.
    • If the bundle exists but differs from the issuing certificates in any of the following three ways, the operation fails with the error message cannot overwrite existing certificate chain:
      • (1) it contains different issuing certificates
      • (2) it contains the same certificates but in a different order
      • (3) it contains the same certificates plus additional ones. For example, you want to add Root, Intermediate1, and Intermediate2, but the existing bundle also includes Intermediate3.
  8. From the Profile Type drop-down, select either Client SSL Profile or Server SSL Profile, depending on the type of F5 profile you're provisioning to.

  9. In the Partition field, enter an F5 partition name. This partition must already exist on the F5. Leaving this field blank will default to the F5's Common partition.

    Note

    The partition name is case sensitive.

  10. In the Parent Profile field, enter the name of the parent profile you want to associate with the SSL Profile.

    Note

    If you're using an existing SSL Profile in the next step, this field will be ignored. TLS Protect Cloud will not modify the parent profile of existing SSL profiles.

  11. In the SSL Profile field, enter an SSL profile name. This can be either a name that is already in use on the F5 partition, or a new name.

    What happens if the name is already in use?

    If the profile name you enter already exists in the F5 partition you entered previously (see step 9 above), then TLS Protect Cloud will provision the certificate to that profile. Otherwise, TLS Protect Cloud creates a new profile using the name you enter here.

  12. For Client SSL Profiles, you can optionally enter an alternative DNS name for Server Name Indication in the SNI field.

    Warning

    If you're editing an existing SSL profile, any current Server Name value will be overwritten if you enter a value here.

  13. If you don't want the certificate to be pushed when you save, toggle the Push upon saving slider to No.

  14. Click Save.

    Want to schedule your provisions?

    Schedule your provisions daily, weekly, or monthly; see Set up Machine Provision Schedule below.

After saving, the certificate is pushed to the F5 profile that you specified, and a machine identity is created in the Machine Identities tab. If you created a new SSL profile, that profile is now ready to be assigned to a virtual server or HTTPS health monitor on the F5.
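The chain-bundle rules from the note under step 7, written out as an added example so you can predict the outcome of a push before saving. This is not TLS Protect Cloud's own code; it assumes certificates are identified by the SHA-256 fingerprint of their DER encoding, and the byte strings standing in for certificates are constructed.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Sequence


class BundleOutcome(Enum):
    CREATE = "bundle does not exist: create it with the issuing certificates"
    NO_CHANGE = "bundle matches exactly: no changes made on the F5"
    FAIL = "cannot overwrite existing certificate chain"


@dataclass(frozen=True)
class BundleDecision:
    outcome: BundleOutcome
    reason: str = ""


def fingerprint(cert_der: bytes) -> str:
    """Identify a certificate by the SHA-256 digest of its DER encoding."""
    return hashlib.sha256(cert_der).hexdigest()


def reconcile_chain_bundle(existing: Optional[Sequence[bytes]],
                           issuing: Sequence[bytes]) -> BundleDecision:
    """Apply the documented F5 chain-bundle rules to one provisioning push.

    existing: DER certificates already in the named bundle on the F5, or
              None when no bundle with that name exists.
    issuing:  the issuing chain (root and intermediates) to provision.
    """
    if existing is None:
        return BundleDecision(BundleOutcome.CREATE)
    have = [fingerprint(c) for c in existing]
    want = [fingerprint(c) for c in issuing]
    if have == want:                          # same certificates, same order
        return BundleDecision(BundleOutcome.NO_CHANGE)
    if sorted(have) == sorted(want):          # scenario (2): only the order differs
        return BundleDecision(BundleOutcome.FAIL,
                              "same certificates in a different order")
    missing = Counter(want) - Counter(have)   # wanted certs absent from the bundle
    if not missing:                           # scenario (3): all present, plus extras
        extra = sum((Counter(have) - Counter(want)).values())
        return BundleDecision(BundleOutcome.FAIL,
                              f"existing bundle contains {extra} additional certificate(s)")
    return BundleDecision(BundleOutcome.FAIL,  # scenario (1)
                          "different issuing certificates")


# Constructed stand-ins for DER-encoded certificates (not real certificates).
ROOT, INT1, INT2, INT3 = b"ROOT-DER", b"INT1-DER", b"INT2-DER", b"INT3-DER"

if __name__ == "__main__":
    for label, bundle in [("absent", None), ("exact", [ROOT, INT1, INT2]),
                          ("reordered", [INT1, ROOT, INT2]),
                          ("extra", [ROOT, INT1, INT2, INT3]),
                          ("different", [ROOT, INT3])]:
        d = reconcile_chain_bundle(bundle, [ROOT, INT1, INT2])
        print(f"{label:10s} -> {d.outcome.name}: {d.reason or d.outcome.value}")
```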

Microsoft IIS

  1. In the TLS Protect Cloud toolbar, click Machines.
  2. Click the checkbox next to the Microsoft IIS machine that you want to provision a certificate to.
  3. Click Provision a certificate. The Provision a certificate modal opens.
  4. From the Choose a certificate from the inventory field, begin typing the certificate name you want to provision. Click the certificate when you see it listed.

    Verify that you've selected the correct certificate by reviewing the Subject DN, Validity, and Fingerprint.

  5. From the CAPI Store drop-down, select the certificate store you want the certificate installed in. The Web Hosting store is recommended for certificates used by IIS.

  6. Enter a Friendly Name for this certificate. The certificate will appear with this name when used in IIS.
  7. (Optional) If you want to bind the certificate to the IIS website, toggle the Bind Certificate to IIS Web Site slider to the on position. In the IIS Web Site Name field, enter the site from your IIS server that you want to provision the certificate to.
  8. If you want TLS Protect Cloud to create a new binding if a matching binding isn't found, click the Create Binding if not found slider.

    What happens if I don't choose this and the binding doesn't exist?

    If the specified binding doesn't exist and you've told TLS Protect Cloud not to create it, the certificate will be added to the CAPI store, and provisioning will result in an error.

  9. In the Binding IP Address field, enter an IP address that is bound to Windows. The certificate will be available only for the IP address you enter here. Leave the field empty if you want the certificate to be available on all of the Windows server's IP addresses.

  10. In the Binding Port field, enter a port number to add to the binding.
  11. In the Binding Hostname field, enter a hostname to add to the binding if you want the binding to use Server Name Indication (SNI).
  12. If you don't want the certificate to be pushed when you save, toggle the Push upon saving slider to No.
  13. Click Save.

    Want to schedule your provisions?

    Schedule your provisions daily, weekly, or monthly; see Set up Machine Provision Schedule below.

Common KeyStore

  1. In the TLS Protect Cloud toolbar, click Machines.
  2. Click the checkbox next to the Common KeyStore machine that you want to provision a certificate to.
  3. Click Provision a certificate.
  4. From the Choose a certificate from the inventory field, begin typing the certificate name you want to provision. Click the certificate when you see it listed.

    Verify that you've selected the correct certificate by reviewing the Subject DN, Validity, and Fingerprint.

  5. From the KeyStore Type drop-down, select a type. The remaining fields depend on the type you selected; complete the matching set of steps below.

    1. Enter the Certificate Path, Private Key Path, and Certificate Chain Path values.
    2. In the Key Password field, enter the private key's password if it should be encrypted.
    3. In the Service Name field, enter the name of the service to restart after provisioning the certificate.
    4. If you don't want the certificate to be pushed when you save, toggle the Push upon saving slider to No.
    5. Click Save.

      Want to schedule your provisions?

      Schedule your provisions daily, weekly, or monthly; see Set up Machine Provision Schedule below.

    1. Enter the KeyStore Path, Alias, and Store Password values.

      Note

      Here, you will notice a toggle to append to JKS. If the toggle is enabled, and the file you entered in the KeyStore Path exists, you can append it to that file. If the toggle is disabled, a new file will be created with the KeyStore Path provided, or if the file already exists, it will be overwritten. In both cases, if the file already exists, a backup will be made first.

    2. In the Key Password field, enter the private key's password if it should be different than the Store Password.

    3. In the Service Name field, enter the name of the service to restart after provisioning the certificate.
    4. If you don't want the certificate to be pushed when you save, toggle the Push upon saving slider to No.
    5. Click Save.

      Want to schedule your provisions?

      Schedule your provisions daily, weekly, or monthly; see Set up Machine Provision Schedule below.

    1. Enter the KeyStore Path value.
    2. In the Key Password field, enter the private key's password.
    3. In the Service Name field, enter the name of the service to restart after provisioning the certificate.
    4. If you don't want the certificate to be pushed when you save, toggle the Push upon saving slider to No.
    5. Click Save.

      Want to schedule your provisions?

      Schedule your provisions daily, weekly, or monthly; see Set up Machine Provision Schedule below.

Citrix ADC

You can provision a certificate to an existing SSL server on your Citrix ADC, or you can use TLS Protect Cloud to create a new SSL virtual server setting. The steps below walk you through both scenarios.

  1. In the TLS Protect Cloud toolbar, click Machines.
  2. Click the checkbox next to the Citrix ADC machine that you want to provision a certificate to.
  3. Click Provision a certificate.
  4. From the Choose a certificate from the inventory field, begin typing the certificate name you want to provision. Click the certificate when you see it listed.

    Verify that you've selected the correct certificate by reviewing the Subject DN, Validity, and Fingerprint.

  5. In Certificate Name, enter the name for this certificate as you want it to appear on your Citrix ADC.

    Note

    Each Certificate Name must be unique. A certificate with a duplicate Certificate Name will produce an error when attempting to provision.

  6. In Chain Bundle Name, enter the name for the CA certificate bundle as you want it to appear on your Citrix ADC.

    Note

    Each Chain Bundle Name must be unique. A certificate with a duplicate Chain Bundle Name will produce an error when attempting to provision.

  7. In the Partition field, enter a Citrix ADC partition name. This partition must already exist on the Citrix ADC. Leaving this field blank will default to the Citrix ADC's default partition.

    Note

    The partition name is case-sensitive.

  8. From the Endpoint Type drop-down, select either Virtual Server, Service, or Service Group, depending on the type of Citrix ADC profile you're provisioning to.

  9. In the Endpoint Name field, enter a Virtual Server, Service, or Service Group name. This can be either a name that is already in use on the Citrix ADC partition or a new name.

    What happens if the name is already in use?

    If the endpoint name you entered already exists in the Citrix ADC partition, then TLS Protect Cloud will provision the certificate to that endpoint type. Otherwise, TLS Protect Cloud creates an endpoint type using the name you enter here.

  10. In the SNI field, you can optionally enter an alternative DNS name for Server Name Indication.

  11. If you don't want the certificate to be pushed when you save, toggle the Push upon saving slider to No.

  12. Click Save.

    Want to schedule your provisions?

    Schedule your provisions daily, weekly, or monthly; see Set up Machine Provision Schedule below.

After saving, the certificate is pushed to the Citrix ADC partition that you specified, and a machine identity is created in the Machine Identities tab. If you created a new profile, that profile is now ready to be assigned to a virtual server or HTTPS health monitor on the Citrix ADC.

Imperva WAF

You can provision a certificate to an existing SSL server on your Imperva WAF, or you can use TLS Protect Cloud to create a new SSL virtual server setting. Note that the virtual server must already exist and have a Site ID. The steps below walk you through both scenarios.

  1. In the TLS Protect Cloud toolbar, click Machines.
  2. Click the checkbox next to the Imperva WAF machine where you'll install the certificate.
  3. Click Provision a certificate.
  4. From the Choose a certificate from the inventory field, begin typing the certificate name you want to provision. Click the certificate when you see it listed.

    Verify that you've selected the correct certificate by reviewing the Subject DN, Validity, and Fingerprint.

  5. In the Site ID field, enter the numeric site identifier retrieved from your Imperva account.

  6. If you don't want the certificate to be pushed when you save, toggle the Push upon saving slider to No.

  7. Click Save.

    Want to schedule your provisions?

    Schedule your provisions daily, weekly, or monthly; see Set up Machine Provision Schedule below.

After saving, the certificate is pushed to the Imperva WAF website that Imperva manages, and a machine identity is created in the Machine Identities tab.

VMware NSX Advanced Load Balancer (AVI)

  1. In the TLS Protect Cloud toolbar, click Machines.
  2. Click the checkbox next to the VMware NSX ALB (AVI) machine that you want to provision a certificate to.
  3. Click Provision a certificate.
  4. From the Choose a certificate from the inventory field, begin typing the certificate name you want to provision. Click the certificate when you see it listed.

    Verify that you've selected the correct certificate by reviewing the Subject DN, Validity, and Fingerprint.

  5. In the Certificate Name field, enter the name for this certificate as you want it to appear on your VMware NSX ALB (AVI).

    What if the name is already in use on the VMware NSX ALB (AVI)?

    When provisioning a certificate to the VMware NSX ALB (AVI), TLS Protect Cloud checks to see if the name you enter in this field is already in use.

    • If the name you enter isn't in use, TLS Protect Cloud will use it.
    • If the name is in use, TLS Protect Cloud checks to see if it's the same certificate. If so, TLS Protect Cloud uses the certificate that is already on the VMware NSX ALB (AVI).
    • If the name is in use, but it's a different certificate, then TLS Protect Cloud creates a new certificate. A unique certificate name will be generated using a combination of the certificate name entered in this field, the expiration date from the certificate, and a unique numerical value, such as my-cert-name_22Oct05_3117.
  6. In the Tenant field, enter the name of the tenant that the virtual service belongs to.

    Note

    The Tenant field is not a requirement. However, if the virtual service does not belong to the default admin tenant, you should specify it.

  7. In the Virtual Service field, enter the virtual server name you want to associate with the certificate.

  8. If you don't want the certificate to be pushed when you save, toggle the Push upon saving slider to No.

  9. Click Save.

    Want to schedule your provisions?

    Schedule your provisions daily, weekly, or monthly; see Set up Machine Provision Schedule below.

After saving, the certificate is pushed to the VMware NSX ALB (AVI) tenant that you specified, the tenant's virtual service is updated to use that certificate, and a machine identity is created in the Machine Identities tab. If you created a new tenant, that tenant is now ready to be assigned to a virtual server or HTTPS health monitor on the VMware NSX ALB (AVI).

A10 Thunder ADC

  1. In the TLS Protect Cloud toolbar, click Machines.
  2. Click the checkbox next to the A10 Thunder ADC machine that you want to provision a certificate to.
  3. Click Provision a certificate.
  4. From the Choose a certificate from the inventory field, begin typing the certificate name you want to provision. Click the certificate when you see it listed.

    Verify that you've selected the correct certificate by reviewing the Subject DN, Validity, and Fingerprint.

  5. In the Virtual Server Name field, enter the name for this certificate as you want it to appear on your A10 Thunder ADC.

    What if the name is already in use on the A10 Thunder ADC?

    When provisioning a certificate to the A10 Thunder ADC, TLS Protect Cloud checks to see if the name you enter in this field is already in use.

    • If the name you enter isn't in use, TLS Protect Cloud will use it.
    • If the name is in use, TLS Protect Cloud checks to see if it's the same certificate. If so, TLS Protect Cloud uses the certificate that is already on the A10 Thunder ADC.
    • If the name is in use, but it's a different certificate, then TLS Protect Cloud creates a new certificate. A unique certificate name will be generated using a combination of the certificate name entered in this field, the expiration date from the certificate, and a unique numerical value, such as my-cert-name_22Oct05_3117.
  6. In the Virtual Port Number field, enter your port number. If you leave it blank, port 443 is used.

  7. In the Virtual Port Protocol field, enter the port protocol. If you leave it blank, HTTPS is used.

  8. If you don't want the certificate to be pushed when you save, toggle the Push upon saving slider to No.

  9. Click Save.

    Want to schedule your provisions?

    Schedule your provisions daily, weekly, or monthly; see Set up Machine Provision Schedule below.

After saving, the certificate is pushed to the A10 Thunder ADC virtual server name that you specified, and a machine identity is created in the Machine Identities tab.
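The certificate-name collision rules described for the F5 BIG-IP LTM, VMware NSX ALB (AVI) and A10 Thunder ADC sections, as one added example that is not TLS Protect Cloud's own code. It assumes the device inventory is a mapping of certificate name to SHA-256 fingerprint, that the date portion of the generated name follows the layout of the documented example my-cert-name_22Oct05_3117 (two-digit year, month abbreviation, day), and that the numeric suffix is supplied by the caller because its real source is not documented.

```python
from datetime import datetime
from typing import Dict, NamedTuple


class NameResolution(NamedTuple):
    name: str    # certificate name that ends up on the device
    action: str  # "use-requested", "reuse-existing" or "create-renamed"


def resolve_certificate_name(requested: str, existing: Dict[str, str],
                             fingerprint: str, not_after: datetime,
                             unique_value: int) -> NameResolution:
    """Decide which name a certificate gets on the device before a push.

    existing maps each certificate name already on the device to its
    SHA-256 fingerprint. fingerprint and not_after describe the certificate
    being provisioned. unique_value stands in for the numeric suffix the
    service generates (assumption: its real source is not documented).
    """
    if requested not in existing:
        # Name not in use: it is used as entered.
        return NameResolution(requested, "use-requested")
    if existing[requested] == fingerprint:
        # Same name, same certificate: the copy already on the device is reused.
        return NameResolution(requested, "reuse-existing")
    # Same name, different certificate: build a unique name from the requested
    # name, the expiration date and a numeric value. The %y%b%d layout is an
    # assumption read off the documented example my-cert-name_22Oct05_3117.
    stamp = not_after.strftime("%y%b%d")
    candidate = f"{requested}_{stamp}_{unique_value}"
    while candidate in existing:      # bump the suffix until the name is free
        unique_value += 1
        candidate = f"{requested}_{stamp}_{unique_value}"
    return NameResolution(candidate, "create-renamed")


# Constructed inventory of what is already on the device (fake fingerprints).
DEVICE_CERTS = {"my-cert-name": "aa11", "my-cert-name_22Oct05_3117": "bb22"}
EXPIRY = datetime(2022, 10, 5)   # constructed expiration date of the new cert

if __name__ == "__main__":
    print(resolve_certificate_name("other-name", DEVICE_CERTS, "cc33", EXPIRY, 3117))
    print(resolve_certificate_name("my-cert-name", DEVICE_CERTS, "aa11", EXPIRY, 3117))
    print(resolve_certificate_name("my-cert-name", DEVICE_CERTS, "cc33", EXPIRY, 3117))
```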

Batch Provisioning

Batch provisioning enables the simultaneous provisioning of multiple machine identities in a single operation.

  1. In the TLS Protect Cloud toolbar, click Installations and select Machines from the drop-down menu.
  2. Select the machine name that you want to perform a provision on.
  3. Click the Provision Now tab for the machine. This will provision all the machine identities associated with the machine.
  4. You will see a message below the machine name that indicates the date and time your provision was started. You must refresh the page to see if the provision is completed. This message will update to let you know when the provision is completed.

Note

You have the option to Abort Provisioning. If you wish to halt the provisioning process before completion, click this button. A message will appear indicating that batch provisioning has been aborted and may take some time to finalize.

Set up Machine Provision Schedule

  1. In the TLS Protect Cloud toolbar, click Installations and select Machines from the drop-down menu.
  2. Select the machine name that you want to perform a provision on.
  3. Click the Provisioning tab for the machine.
  4. Scroll to the bottom of the page and activate the Machine Provisioning Schedule by clicking the toggle switch to turn it on.
  5. Under Repeat every, select your desired daily, weekly, or monthly schedule. Then, choose your desired time.
  6. Click Save.

Note

The current local time shown is in UTC.