Entrust Datacard

Entrust Certificate Services Support Knowledge Base

Last Modified: 2017-09-21 14:00:33.0

Migration: How to Migrate from one Certification Authority to another

Article Number: 70985


This article provides guidance on how to migrate your certificates to Entrust Certificate Services from a different Certification Authority. Not an Entrust Certificate Services user? Learn more here.

For more information on Certificate Migration, please consult our white paper "Seven Tough Questions Every Brand Should Ask Before Switching Certification Authorities (CAs)"

1. How to find digital certificates in your network using Entrust Discovery
2. How to use Certificate Transparency (CT) search to discover certificates issued for your domains
3. How to migrate your digital certificates from your current Certification Authority to Entrust Certificate Services?
4. How to auto-deploy certificate renewals
5. How to manage your certificates on one dashboard with Entrust Certificate Services
6. How to monitor your certificates, life cycle management, reporting and server security
7. Migration Checklist


How to find digital certificates in your network using Entrust Discovery 

Discovery Agent software is designed to scan specific portions of your network for certificates and retrieve detailed information about each SSL/TLS certificate.

Discovery Agents use a Web-based interface, allowing remote access by administrators. Scans are configured separately on each agent. After a scan is created, it can be saved and reused, either on a schedule, or started manually by an administrator for occasional use.

Discovery Agents can be configured to:
  • scan a specific IP address or range of IP addresses
  • exclude specific IP addresses or ranges of IP addresses
  • scan a specific port or ranges of ports
  • run a scan as required (manually) or run a scheduled scan on an hourly, daily, weekly, or monthly basis
  • transfer detailed certificate data from each scan to Certificate Services, either automatically or by packaging it and importing the information

Discovery Agent software is available from Help > Software Downloads.

See your Entrust Discovery Agent guide, available in your ECS Enterprise account (Help > Online Help), for instructions concerning installation and configuration.

How to use Certificate Transparency (CT) search to discover certificates issued for your domains.

Certificate Transparency (CT) gives organizations an opportunity to review certificates that have been issued using their domain. This central repository is CA-neutral and available to all compliant CAs to log the SSL/TLS certificates that have been issued by them.

EV certificates are automatically added to Certificate Transparency logs to conform with Google's security requirements. Non-EV certificates are not added by default; however, you can add them by going to Administration > Advanced Settings and then following the steps outlined below.

Entrust Datacard gives our Entrust Certificate Services customers the option to add their OV SSL certificates to the public CT logs through a setting in your Certificate Services console. Here are some things to consider before recording OV certificates to the CT logs.

To add non-EV certificates to Certificate Transparency logs:
1. From the main menu, select Administration > Advanced Settings.
2. From the left menu tree, select CT Logging.
3. Select Send OV SSL certificates to Certificate Transparency logs.

How to migrate your digital certificates from your current Certification Authority to Entrust Certificate Services?

There are two stages to be aware of when migrating your certificates:
(1) Account set up (Verification of organization, domains and clients)
(2) Certificate migration

(1) Account set up (Verification of organization, domains and clients)
The verification of your organization (o=), domain names (dn=), clients (managed clients) and administrators must take place before certificate inventory can be migrated. Logically, you must have your account set up before you can migrate your certificates; however, with proper planning and execution this can be done seamlessly.

See our white paper on seven key questions you should ask when it comes to migrating. It will help you prepare for the administrative process associated with migrating certificates, which is often overlooked in the planning process.

(2) Certificate migration

Importing Certificates from CT Log
You can configure your Certificate Transparency import filter to import selected certificates from the list of certificates and precertificates displayed in the Certificate Transparency log. This page allows you to create a filter for the import tool. Certificate import is activated on demand from the Certificates > Unmanaged Certificates pages, importing the certificates that match the selected filter criteria. Imported certificates are treated like any other imported certificate. Foreign Certificates can be managed from the Foreign Certificates page, remain in the list, or be removed.

Step 1: Configure a Certificate Transparency import filter
1. From the main menu, select Administration > Advanced Settings > CT Log Import.
2. Click Add.
3. Select the type of filter. (Domain is the only one that is currently available).
4. Enter the Search Term (example.com, for example).
5. Click OK.
The search term is added to the list.

Step 2: Run the CT log import tool
1. Select Certificates > Unmanaged Certificates.
2. On either the New Certificates or Ignored Certificates tab, click Run CT Import.
3. The Run CT Import button is greyed out while the scan runs.
4. When the scan finishes, the button returns to black and the date and time of the scan are recorded in the Run CT Import button's mouse-over text. If the search is successful, any new certificates found by the search appear in the New Certificates page.
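As an added example (not Entrust's code), the following Python applies a Domain-type filter of the kind configured in Step 1 to a constructed set of CT log entries and separates the matches the way the New Certificates page would. The entry fields, the sample issuer strings and the Entrust-issuer test are assumptions; the log data is constructed.

```python
# Added example, not Entrust's code: apply a Domain-type CT import filter to
# constructed CT log entries and decide which matches are new to the account.
from dataclasses import dataclass


@dataclass
class LogEntry:
    # Constructed subset of what a CT log entry carries (field names assumed).
    serial: str
    issuer: str
    names: list        # subject CN plus any SAN dNSName values
    not_after: str     # expiry as an ISO date, e.g. "2026-01-01"
    precert: bool = False


def name_matches(name: str, search_term: str) -> bool:
    """True when name is the search term or a subdomain of it. A wildcard name is
    judged by its base domain; no substring test, so badexample.com never matches."""
    name, term = name.lower().rstrip("."), search_term.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name == term or name.endswith("." + term)


def is_foreign(entry: LogEntry) -> bool:
    """Certificates not issued by Entrust can be imported but not managed (assumed test)."""
    return not entry.issuer.startswith("Entrust")


def run_ct_import(entries, search_terms, known_serials, today):
    """Return (new, already_known). A precertificate and its final certificate share a
    serial, so the pair is folded into one entry (final preferred); expired ones drop."""
    kept = {}
    for e in entries:
        if not any(name_matches(n, t) for n in e.names for t in search_terms):
            continue
        if e.not_after < today:          # ISO dates compare correctly as strings
            continue
        if e.serial not in kept or kept[e.serial].precert:
            kept[e.serial] = e
    new = [e for e in kept.values() if e.serial not in known_serials]
    known = [e for e in kept.values() if e.serial in known_serials]
    return new, known


# Constructed sample log; serial "01" appears as precertificate and final certificate.
SAMPLE_LOG = [
    LogEntry("01", "Entrust (constructed issuer)", ["www.example.com"], "2026-01-01", True),
    LogEntry("01", "Entrust (constructed issuer)", ["www.example.com"], "2026-01-01"),
    LogEntry("02", "Other CA (constructed)", ["*.example.com", "example.com"], "2026-06-30"),
    LogEntry("03", "Other CA (constructed)", ["mail.example.com"], "2016-06-30"),  # expired
    LogEntry("04", "Other CA (constructed)", ["badexample.com"], "2026-06-30"),    # not a subdomain
]
```

Running `run_ct_import(SAMPLE_LOG, ["example.com"], {"01"}, "2017-09-21")` yields serial "02" as new (a foreign certificate) and "01" as already known, with the final certificate rather than the precertificate retained.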

Importing certificates discovered by Discovery Tool
The below steps explain how to manually import certificates discovered by the Discovery Tools. For more information on automated processes available with the Discovery Tool, please see our guide here.

To import a Discovery Agent scan:
1. Before you begin, in Discovery Agent, ensure you have a scan ready, and that you have downloaded it. The scan downloads in a ZIP file. If there are multiple scans available, they all download into a single ZIP file.
2. In Certificate Services, click Create > Import Discovery Agent Scan Results.
3. Browse to the ZIP file created by the Discovery Agent.
4. Click Import.
5. Certificate Services checks that the ZIP file is valid and was created by one of the Agents managed by your Certificate Services account. It then imports the scan results and displays the name of the scan (configured in the Discovery Agent), the date and time that the file was created, the number of locations scanned and the number of certificates found.
6. New certificates appear in the Unmanaged Certificates grid.
You have now imported a Discovery Agent scan.

Importing certificates manually
Certificate Services allows Super Administrators to add certificates to their account either by uploading a file (or files) in .cer, .cert, .pfx, or .p7b format or by copying the contents of a PEM formatted certificate file into the import page. The PEM formatted file can include all certificates in the certificate chain. Entrust and non-Entrust certificates are accepted although only certificates from Certificate Services can be managed. New imported certificates are unmanaged by default. To view the certificates that you import, from the main menu, select Certificates > Unmanaged Certificates.

To upload certificate files
1. In the main menu, select Create > Import Certificates.
2. On the File Import tab, click Select files and browse to the location of the certificate files.
3. Select one or more certificate files to upload. You can select multiple files.
4. The certificates appear in the page. If a certificate is not in an accepted format, Certificate Services generates an error message.
5. To delete a certificate from the list, click X at the end of the row.
6. To accept and import the certificate or certificates, click Import.

To copy and paste a PEM formatted certificate into Certificate Services
1. Click Create > Import Certificates.
2. Select the PEM Formatted Import tab.
3. Open the file containing the PEM formatted certificate or certificate chain in a text editor.
4. Copy the entire certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, into the field provided on the Certificate Services page. If you are importing a certificate chain you can include all of the certificates in the chain.
5. Click Import.
6. Certificate Services checks the contents of the certificate and imports the certificate if it is correct. A success or error message appears.
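As an added example (not Entrust's code), this Python splits a pasted PEM file that may hold a whole chain into individual certificates and applies the kind of content check step 6 describes: correct BEGIN/END markers, valid base64, and a body that is one complete DER structure of the advertised length. The sample bodies are constructed placeholders, not real certificates.

```python
# Added example, not Entrust's code: split a PEM file that may hold a whole chain
# into individual certificates and check each one before accepting it.
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def der_length_ok(der: bytes) -> bool:
    """True if der is exactly one ASN.1 SEQUENCE whose encoded length fits its size."""
    if len(der) < 2 or der[0] != 0x30:          # 0x30 = constructed SEQUENCE tag
        return False
    if der[1] < 0x80:                           # short form: the byte is the length
        hdr, length = 2, der[1]
    else:                                       # long form: low 7 bits = count of length bytes
        n = der[1] & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        hdr, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return hdr + length == len(der)             # catches truncated or padded bodies


def split_pem_chain(text: str):
    """Return (accepted_der_list, errors); each error names the block that failed."""
    accepted, errors = [], []
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        errors.append("no BEGIN/END CERTIFICATE markers found")
    for i, body in enumerate(blocks, 1):
        try:   # binascii.Error is a ValueError; validate=True rejects stray characters
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            errors.append(f"certificate {i}: body is not valid base64")
            continue
        if not der_length_ok(der):
            errors.append(f"certificate {i}: body is not a complete DER structure")
            continue
        accepted.append(der)
    return accepted, errors


# Constructed sample: a well-formed placeholder (minimal DER SEQUENCE, not a real
# certificate), then a truncated body, then a body with a corrupt character.
SAMPLE_CHAIN = "".join(
    f"-----BEGIN CERTIFICATE-----\n{b}\n-----END CERTIFICATE-----\n"
    for b in ("MAMCAQE=", "MAMC", "MAM!AQE="))
```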

How to auto-deploy certificate renewals

Entrust Turbo
Note: Microsoft Internet Information Services must be installed and a working Web site configured, before installing Entrust Turbo.

Entrust Turbo is a small client application that installs on the machine where the certificate will be used. The feature works as follows:

In Certificate Services, the administrator requests a certificate in the usual way but, instead of creating a CSR and pasting it into the request for a certificate, simply selects "Use Entrust Turbo" and enters the domain of the CN as indicated. Certificates requested using the eForm can be approved or declined by administrators (as with other certificates).

For more information on how to set up Entrust Turbo and auto-deploy certificates, please go to Help > Online Help.

Entrust ACME
Note: If you want to auto-generate and install into Microsoft IIS, use Entrust Turbo instead.

ACME is an open protocol that is used to request and manage SSL certificates. Entrust supports ACME to enable the auto-generation and installation of our SSL certificates onto Web servers on Linux and UNIX operating systems. Auto-generation and installation is much quicker and easier than having an administrator perform these tasks manually.

Entrust's ACME implementation consists of two parts:
  • An ACME server (CA). This server runs in Entrust's data center. No setup is required.
  • An ACME client. This client runs on the computer that needs the certificate. A setup is required, and is explained in Help > Online Help.

How to manage your certificates on one dashboard with Entrust Certificate Services

The Certificate Services Dashboards page provides an overview of your certificates and system. This includes various widgets that you can show or hide, such as:
  • Actions widget
  • Certificates by Issuer widget
  • Entrust Alerts widget
  • EV SSL Certificate Usage widget
  • Expiring Certificates widget
  • Expiring Inventory widget
  • Inventory Usage widget
  • My Alerts widget
  • Signature Hash Values widget
  • SSL Server Ratings widget

You can also create customized tabs to enable custom views configured for specific purposes.

Learn more by going to Help > Online Help.

How to monitor your certificates, life cycle management, reporting and server security

A report is a listing or count of information in your database that meets certain search criteria. For example, you might have a report that lists all certificates that are close to expiry, and another one that provides a count of these certificates. A report can be displayed in table format or in a graphic, and can be viewed on-screen or output to a file.

Entrust supplies default reports that are designed for general use. Administrators are able to modify these reports or create new Certificate Services reports that reflect the type and amount of information that they need. Reports created by Super Administrators can be personal (viewable only by the creator) or global (viewable by a wider audience). If they are global, the creator of the report can determine whether they are viewable by Sub Administrators as well as Super Administrators. Reports created by Sub Administrators are always personal.

You can sort reports by:
  • Scope (System, Global, or Personal)
  • Category (the type of report)
  • Type (Policy Violation, Best Practice, General Alert, or Standard)
  • View (Audit, Certificate, Certificate Requests, Domain, Inventory, Purchases, or Sites)

The Entrust SSL Server Test looks at a number of factors related to your SSL server configuration and returns a rating reflecting its security. The ratings range from A+ (highest) to Error (lowest). The detailed report shows the information recovered and how the rating was derived. The report includes:

  • Server key and certificate information (expiry date, key type, algorithm, validation type, revocation status, certification paths)
  • Configuration information (protocols, cipher suites, handshake simulation, protocol details (for example, vulnerability to BEAST, POODLE, or Heartbleed))
  • Miscellaneous information such as statistics about the test and the server host name

Migration Checklist

Action                                                                     Customer   Entrust Datacard
-----------------------------------------------------------------------------------------------------
Setup POC                                                                     x              x
Provide Domain List (using CT search and Discovery)                           x
Provide Company Name List                                                     x
Validate Domains                                                                             x
Validate Company Names                                                                       x
Admins & Roles List                                                           x
Validate Admins                                                                              x
Delegation Setup                                                              x              x
Inform SSL Subscribers of CA Migration                                        x
Distribute Intermediate Certificates for New CA Hierarchy                     x
Maintain List of Certificates to be Migrated                                  x
Establish Policies (e.g., certificate expiry notifications, recipients,       x
  and escalation procedures)
Create Customized Certificate Request & Approval Workflow (eForms)            x              x
Venafi Integration                                                            x              x
ServiceNow Integration                                                        x              x
Training                                                                                     x

If you have any questions or concerns please contact the Entrust Certificate Services Support department for further assistance: 

Hours of Operation: 
Sunday 8:00 PM ET to Friday 8:00 PM ET 
North America (toll free): 1-866-267-9297 
Outside North America: 1-613-270-2680 (or see the list here)

Affected Products:

  • Entrust Entelligence Messaging Server 8.0 English Linux
  • Entrust Entelligence Messaging Server 8.0.1 English Linux
  • Entrust Entelligence Messaging Server 8.1 English Linux