Certificate Repository
- Last Updated: October 14, 2024
The certificate repository is used to store keys and certificates (including intermediate and root certs). The system supports the import of PEM-formatted certificates and keys from a file or by pasting the PEM-encoded certificate/key. The import function supports the import of multiple certificates (for example, a certificate and its associated root and intermediate certs) in a single operation. Private keys can also be included in the import file.
It is not possible to import a private key unless the associated server certificate is in the import file/paste or is already in the repository. If you attempt to import a certificate that already exists (based on checksum and subject key identifier), the system will quietly ignore the import but highlight the certificate after import. If you attempt to import a certificate that already exists (based on the subject key identifier), the system will check if the valid-from date on the certificate being imported is later than that of the existing cert before replacing it.
You can have multiple certificates with the same Common Name (CN). To uniquely identify a certificate, use the subject key identifier or the description. The description allows users to provide custom text to describe the certificate. This is useful to identify entries if the CN is used multiple times.
To view where any certificate is deployed, select the certificate and click the Usage tab. This page has a filterable list of all LoadMaster instances where the certificate is deployed and the application profile for the deployment.
Private Key Security
All imported private keys are stored as password-protected key files, and a password must be provided for every private key imported. This password, known as the ‘Deployment Password’, will be required at deployment to decrypt the private key.
If you do not want to store the private key on Kemp 360 Central, you can import server certificates without an associated key and the system will prompt for the key file at deployment time.
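A pre-import check for the file or paste described above, added here as an example and not Kemp code: it counts certificate and private key blocks and warns when a key arrives with no certificate in the same bundle, when a certificate is repeated, or when a key sits unencrypted in the file. The name `preflight`, the warning codes, the SHA-256 comparison (the page does not say which checksum the product uses) and the sample bundle are assumptions.

```python
import base64, binascii, hashlib, re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def preflight(bundle):
    """Summarise a PEM file/paste: certificate count, key blocks, warnings."""
    digests, keys, warnings = [], [], []
    for label, body in PEM_RE.findall(bundle):
        lines = [ln.strip() for ln in body.splitlines()]
        # Legacy encrypted keys carry "Proc-Type: 4,ENCRYPTED" header lines.
        legacy_enc = any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines)
        b64 = "".join(ln for ln in lines if ln and ":" not in ln)
        try:
            der = base64.b64decode(b64, validate=True)
        except binascii.Error:
            warnings.append("malformed-base64")  # truncated or corrupted paste
            continue
        if label == "CERTIFICATE":
            # Assumption: SHA-256 of the DER bytes stands in for the checksum.
            digests.append(hashlib.sha256(der).hexdigest())
        elif label.endswith("PRIVATE KEY"):
            keys.append(label.startswith("ENCRYPTED") or legacy_enc)
    if keys and not digests:
        # Import then only works if the server certificate is already stored.
        warnings.append("key-without-certificate")
    if len(set(digests)) != len(digests):
        warnings.append("duplicate-certificate")
    if not all(keys):
        warnings.append("unencrypted-key-in-file")
    return {"certificates": len(digests), "keys": len(keys), "warnings": warnings}

def _pem(label, payload):
    """Build a constructed PEM block from placeholder bytes (not a real cert/key)."""
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed sample: leaf + intermediate + an unencrypted PKCS#8 key block.
SAMPLE = (_pem("CERTIFICATE", b"leaf-placeholder")
          + _pem("CERTIFICATE", b"intermediate-placeholder")
          + _pem("PRIVATE KEY", b"key-placeholder"))

if __name__ == "__main__":
    print(preflight(SAMPLE))
```

The check only inspects PEM framing; it does not confirm that a key actually matches a certificate, which needs a real X.509 parser.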
Certificate Management
You can quickly locate certificates using the filter, or you can select the widgets at the top of the screen to identify certificates that have expired, are due to expire within 30 days, are due to expire within 90 days, or are due to expire in 90 days or greater.
To view a certificate, go to the ACTIONS column, hover over the relevant ellipsis and click View. In the left-hand pane, a tree appears showing where this certificate sits in the certificate chain. If you add another certificate in this chain, the hierarchy updates immediately to show where the new certificate sits.