Manage SSL certificates using the UI
You can now use the Advanced Identity Cloud admin UI to generate CSRs and upload SSL certificates in your sandbox tenant environments.
Manage CSRs and certificates
The Advanced Identity Cloud admin UI lets you manage your own CSRs and certificates using SSL configurations. There are broadly two types of SSL configuration:
- Pending: The SSL configuration has been used to generate a private key and a CSR, but hasn’t been updated with a certificate yet.
- Complete: The SSL configuration has been successfully updated with a certificate.
To manage SSL configurations:
- In the Advanced Identity Cloud admin UI, open the TENANT menu (upper right), then go to Tenant Settings > Global Settings > SSL Configurations.
- The SSL Configurations page lists any SSL configurations, including any created using the API:
  - Pending SSL configurations display a Pending status and an Add Certificate button.
  - Complete SSL configurations display an Active, Inactive, Expires Soon, or Expired status and a certificate expiration date.
- To create a new SSL configuration and CSR, follow the instructions in Step 1: Create a CSR.
- Review any pending SSL configurations:
  - To continue the setup of a certificate using a pending SSL configuration, follow the instructions in:
  - To delete a pending SSL configuration:
    - Click its delete icon.
    - In the Delete SSL Configuration? modal, click Delete.
- Review any complete SSL configurations:
  - To renew a certificate:
    - Click the SSL configuration’s ellipsis icon, then click Renew or View Details > Renew.
    - Follow the instructions in Step 1: Create a CSR.
  - To view information about a certificate:
    - Click the SSL configuration’s ellipsis icon, then click View Details.
    - The Certificate Details modal displays basic information about the certificate:
      - Valid From: The valid-from date of the certificate.
      - Expires: The expiration date of the certificate.
      - Status: The status of the certificate (Active, Inactive, Expires Soon, or Expired).
      - Domains: The domains secured by the certificate.
      - Created: The creation date of the certificate’s CSR (only shown for tenant-generated CSRs).
  - To activate or deactivate a certificate:
    - To activate an inactive certificate, click the SSL configuration’s ellipsis icon, then click Activate.
    - To deactivate an active certificate, click the SSL configuration’s ellipsis icon, then click Deactivate.
    It takes a few minutes for a certificate to be activated or deactivated in the environment’s load balancer.
  - To delete a certificate:
    - Click the SSL configuration’s ellipsis icon, then click Delete.
    - In the Delete SSL Configuration? modal, click Delete.
Create a certificate using the UI
You can create certificates using a private key the tenant generates for you and which is retained in the tenant. The benefit of this approach is there is no risk of accidentally leaking your private key as it never leaves the tenant. However, with this approach, you can only install a signed certificate on the same tenant from which you requested the CSR.
The UI supports creating a certificate only using a tenant-generated private key. To create a certificate using your own private key, use the API. Learn more in Create a certificate using a locally generated private key.
Step 1: Create a CSR
In this step, you create a certificate signing request (CSR). You’ll need this in the next step to create a self-signed certificate or to send to your preferred SSL certificate provider to create a CA-signed certificate.
- In the Advanced Identity Cloud admin UI, open the TENANT menu (upper right), then go to Tenant Settings > Global Settings > SSL Configurations.
- Click New SSL Configuration.
- In the New SSL Configuration modal:
  For CSR field definitions, learn more in CSR field reference.
  - Enter a Primary Domain (CN).
  - (Optional) Add Subject Alternative Domains (SANs):
    - Click the button located to the right of the Primary Domain (CN) field to add a Subject Alternative Domain (SAN) field.
    - Enter a SAN in the new field.
    - Repeat the previous two steps to add as many SANs as you need.
  - Enter an Organization and a Country.
  - Select an Encryption Algorithm from RSA (default) or ECDSA.
  - (Optional) Add additional CSR fields:
    - Click Show additional settings to display additional CSR fields.
    - (Optional) Select Extended Validation Certificate if you intend to request an Extended Validation (EV) certificate from your preferred SSL certificate provider. When Extended Validation Certificate is selected, these additional CSR fields become mandatory:
      - Jurisdiction City
      - Jurisdiction Country
      - Jurisdiction State
      - Serial Number
      - Business Category
    - Enter as many additional CSR field values as you need, and if you checked Extended Validation Certificate in the previous step, enter the mandatory CSR field values.
  - Click Generate Certificate Signing Request. The New SSL Configuration modal closes and a success modal opens.
- In the success modal:
  - Click the copy button to copy the CSR content in the Certificate Signing Request field to your clipboard.
  - Transfer the CSR content in the clipboard to somewhere safe until you use it in the next step to create a certificate.
    When you close the modal, the CSR content is not available again.
  - Click Done to close the modal.
- Confirm the new pending SSL configuration is in the list of SSL configurations.
Step 2: Generate a signed certificate and create a certificate chain
In this step, you create a CA-signed or self-signed certificate, then create a PEM-formatted certificate chain.
- Create a certificate from the CSR in one of these ways:
  - CA-signed certificate: Supply the CSR to your preferred SSL certificate provider so they can generate a CA-signed certificate. Your SSL certificate provider should provide you with a signed certificate and a CA certificate. They may also provide intermediary certificates.
  - Self-signed certificate: Use OpenSSL to create a custom CA certificate and a self-signed certificate.
- Combine your signed certificate and CA certificate into a certificate chain and save it in the local file chain.pem. If you used an SSL certificate provider, add any intermediary certificates into chain.pem too, inserted between your signed certificate and the CA certificate:

    $ cat cert.pem [inter.cert.pem ...] ca.cert.pem > chain.pem

  The following is an example of what the certificate chain might look like:

    -----BEGIN CERTIFICATE-----
    content of your signed certificate
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    content of an optional intermediate CA certificate
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    content of a CA certificate
    -----END CERTIFICATE-----
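The self-signed path in Step 2, written out as an added example that is not part of the original page or the vendor's tooling: it creates a custom CA, signs the CSR, assembles chain.pem, and checks the result before upload. The file name csr.pem, the CA subject, the host name, the RSA 2048 key size and the 30-day lifetime are assumptions, and the stand-in CSR is generated locally only so the script runs offline.

```bash
#!/usr/bin/env bash
# Added example, not vendor code. csr.pem, the CA subject and host name are constructed.
set -euo pipefail

make_ca() {  # $1 = work dir; explicit config so the system openssl.cnf is not needed
  printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' 'prompt = no' \
    '[dn]' 'CN = Example Test CA' '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
    'keyUsage = critical,keyCertSign,cRLSign' 'subjectKeyIdentifier = hash' > "$1/ca.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/ca.cnf" \
    -keyout "$1/ca.key.pem" -out "$1/ca.cert.pem" 2>/dev/null
}

# `openssl x509 -req` drops extensions requested in the CSR, so the SANs are
# supplied again at signing time, e.g. "DNS:a.example.com,DNS:b.example.com".
sign_csr() {  # $1 = work dir, $2 = SAN list
  printf 'subjectAltName = %s\n' "$2" > "$1/san.ext"
  openssl x509 -req -in "$1/csr.pem" -CA "$1/ca.cert.pem" -CAkey "$1/ca.key.pem" \
    -CAcreateserial -days 30 -sha256 -extfile "$1/san.ext" -out "$1/cert.pem" 2>/dev/null
}

pubkey_fp() {  # $1 = req|x509, $2 = file; prints SHA-256 of the embedded public key
  openssl "$1" -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER |
    openssl dgst -sha256 -r | cut -d' ' -f1
}

chain_in_order() {  # $1 = chain file; true if each cert is issued by the one after it
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout |
    awk '/^subject=/ { s = substr($0, 9); if (n++ && s != iss) bad = 1 }
         /^issuer=/  { iss = substr($0, 8) }
         END { exit (bad || n == 0) }'
}

# Pre-upload check: certificate key matches the CSR, order is right, chain verifies.
check_chain() {  # $1 = work dir
  [ "$(pubkey_fp req "$1/csr.pem")" = "$(pubkey_fp x509 "$1/cert.pem")" ] &&
    chain_in_order "$1/chain.pem" &&
    openssl verify -CAfile "$1/ca.cert.pem" -untrusted "$1/chain.pem" "$1/cert.pem" >/dev/null
}

demo() {  # stand-in CSR; in practice csr.pem is the text copied from the success modal
  make_ca "$1"
  openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" -subj "/CN=login.example.com" \
    -keyout "$1/standin.key.pem" -out "$1/csr.pem" 2>/dev/null
  sign_csr "$1" "DNS:login.example.com"
  cat "$1/cert.pem" "$1/ca.cert.pem" > "$1/chain.pem"
  check_chain "$1"
}
work=$(mktemp -d) && demo "$work" && echo "chain.pem checked in $work"
```

For a chain returned by an SSL certificate provider, only `check_chain` applies: place csr.pem, cert.pem, ca.cert.pem and chain.pem in one directory and pass that directory to it.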
Step 3: Install the certificate
In this step, you install the certificate in the tenant environment where you created the CSR request.
- In the Advanced Identity Cloud admin UI, open the TENANT menu (upper right), then go to Tenant Settings > Global Settings > SSL Configurations.
- Find the pending SSL configuration that generated your CSR, then click Add Certificate.
- In the Add Certificate modal:
  - Enter the certificate chain using one of these options:
    - Click Browse to select a local file that contains the certificate chain.
    - Paste the certificate chain content directly into the text field.
  - Click Add Certificate.
- Confirm the SSL configuration is now fully configured and active.
  It takes a few minutes for the certificate to be installed and activated in the environment’s load balancer.