If your company has Linux servers and/or desktop workstations, then you have plenty of SSH keys in use. This statement applies to logins for GitHub source code control and the management of Azure or Amazon Web Services (AWS) Linux hosts.
If your business has adopted Active Directory Certificate Services (AD CS) for user and device authentication, then you have a potentially large number of SSL certificates "floating around" your environment. This then continues for any public SSL certificates you use for public-facing web resources.
Today, I'll introduce you to ManageEngine's Key Manager Plus, a web-based key administration solution. The kernel idea here is that by discovering, auditing, and controlling your SSH keys and SSL certificates, you can:
- preempt security breaches due to key compromise
- pass audits for any security-related compliance certifications to which your business is subject
Installation and configuration
Begin by downloading the free 30-day, fully functional demo from the ManageEngine website. The installer is a single 74 MB file, and installs with no prerequisites. On my Windows Server 2016 member server, the installation took all of one minute.
Because this product makes use of open-source software, you can install Key Manager Plus on Windows Server, Windows Client, or Linux. See the system requirements for more details.
Key Manager Plus uses its own web server and PostgreSQL database, so you don't need to worry about IIS, SQL Server, or any other line-of-business app "heavy lifting." Hover over the notification area icon to retrieve the HTTPS web portal port; you can also start and stop the server from the Start menu shortcuts, as shown below.
Key Manager Plus assigns TCP port 6565 to the web server and TCP 53306 to the PostgreSQL database by default.
The default login credentials for Key Manager Plus are admin/admin; of course, you'll want to change them immediately. I show you the Key Manager Plus dashboard in the next screenshot. By the way, you can experiment with this tool without downloading it by accessing the free live demo portal.
As you can see, Key Manager Plus gives you a "single pane of glass" through which you can view the:
- upcoming SSL certificate expirations
- status of SSH key rotations
- strength of your key ciphers
- distribution of SSH keys throughout your enterprise
The SSH management workflow
The SSH key management process in Key Manager Plus consists of the following three steps, all of which you can perform in the web portal:
- Discover resources. You can detect SSH servers by specifying a hostname or IP address, IP address range, or delimited text file. Note that Key Manager Plus does not require an agent.
- Input user credentials. You can authenticate to your managed SSH servers as root to enumerate SSH user accounts.
- Create, rotate, and deploy keys. You can create new SSH keypairs and deploy them to SSH users.
The composite screenshot below shows you my detected Linux SSH server (A) and its enumerated SSH user accounts (B).
The Key Store is useful as a place to store and manage your various other encryption keys centrally. For example, you might add your Azure and AWS service encryption keys here as shown below.
The SSL management workflow
Key Manager Plus allows you to import X.509 digital certificates into its protected archive in three different ways:
- from an exported file
- by pasting the certificate contents directly
- by retrieving the certificate from the Key Manager Plus Key Store
The idea here is that not only can you organize the user and computer certificates you have in use, but you can audit them by viewing their history over their lifecycles.
Moreover, the Key Manager Plus interface enables you to create certificate signing requests (CSRs) for submission to public certificate authorities (CAs) and track the requests through their approval.
Key Manager Plus automates the acquisition, issue, deployment, reissue, renewal and revoking of SSL certificates through integration with Let's Encrypt:
Controls Certificate Signing Requests (CSRs): Centrally controls the certificate signing request process. Handles key-pair creation and provides ready-to-use CSR data files to be sent to Let's Encrypt CA for obtaining certificates. Generates periodic reports on certificate requests.
Handles Let's Encrypt challenge verification: Automatically fulfills the challenge verification process of Let's Encrypt to validate the domains.
Centralized inventory: Discovers and consolidates all SSL certificates in use in your environment in a centralized repository for easy access and management. Timely renewal: Constantly tracks certificates for expiry and ensures proper renewal of certificates from Let's Encrypt before the certificates expire.
Alerts and notifications: Raises timely alerts and sends appropriate notifications on certificate expiry. Generates exclusive reports for Let's Encrypt certificates.
ManageEngine Key Manager Plus has three product versions:
- Evaluation: Fully functional, 30-day demo. Product converts to the Free version after 30 days.
- Free: Valid forever and can manage up to five keys (with "keys" defined as SSH private keys, SSL certificates, or other security credentials located in the Key Store).
- Registered: License price is based on how many managed keys you have.
To learn more about ManageEngine Key Manager Plus, you can:
Subscribe to 4sysops newsletter!
- download the product demo
- try the live admin portal
- read the documentation
- explore the Key Manager Plus RESTful API
- request a price quote from ManageEngine
Overall, I'd say that Key Manager Plus is a good fit for businesses with a significant investment in public key infrastructure (PKI) and/or open-source software, those who embrace security, or those who may be under security compliance requirements.