With API Management Integration

This document will guide you through the process of integrating the Azure API Management service with AppViewX, providing detailed steps, configuration guidelines, and automation techniques.

Microsoft Azure API Management

The API Management service helps create, manage, secure, and monitor APIs. It provides a centralized platform for API publishers to control their APIs, while enabling developers to consume them in a secure and efficient manner.

Its key features include:

API Gateway that routes all incoming requests to the appropriate backend services
Developer Portal that can be customized to help developers discover and access APIs
API versioning with revision tracking
Authentication and authorization mechanisms for secure access control to APIs
Rate limiting and throttling to protect backend services from excessive or abusive traffic
Analytics and monitoring
Policy Engine to implement additional logic at the API Gateway

Prerequisites for Onboarding Azure API Management Settings in AppViewX

Ensure that a API management instance is created in your Microsoft Azure account. For link(s) to the corresponding Microsoft Azure documentation, click here.
If credentials for onboarding have to be fetched from a credential list in CyberArk:
- Ensure that your Microsoft Azure access credentials are saved in your CyberArk account. For instructions on creating Azure access details in the CyberArk account , refer to the documentation here.
- Ensure that CyberArk is integrated with AppViewX and a credential list is created. For instructions, refer to the documentation here.
For using the Managed Identity credential type, ensure the following requirements are met:
- The AppViewX Cloud Connector (CC) is installed on the target Azure VM.
- A user-assigned or system-assigned Managed Identity is associated with the Azure VM.
- Strict routing is enabled for the corresponding data center to ensure secure and consistent communication.
  For links to the complete Microsoft Azure documentation on configuring managed identities for Azure VMs, see the References section.

Permissions Required

{
    "properties": {
        "roleName": "AppViewX_APIMngmnt_Permission",
        "description": "",
        "assignableScopes": [
            "/subscriptions/000-000-000-0000-000"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.ApiManagement/service/certificates/read",
                    "Microsoft.ApiManagement/service/certificates/write",
                    "Microsoft.ApiManagement/service/certificates/delete",
                    "Microsoft.ApiManagement/service/certificates/refreshSecret/action"
                    "Microsoft.ApiManagement/service/read",
                    Microsoft.ManagedIdentity/userAssignedIdentities/assign/action
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
 }

Onboarding Azure Settings in AppViewX for API Management

Go to (Menu) > CERT+ > ADMINISTRATION > Device Management.
The Device :: ADC page is displayed.
From the Device :: ADC page, select Cloud.
On the Device :: Cloud page, click (Add).
The Device :: Cloud > Add page is displayed.
On the Device :: Cloud > Add page, from the list of Vendors, select Azure.

Enter/Select the Basic information.

Table 1. Field description for the Basic Information section
Field	Description
Configure Government Cloud	To configure Azure Government Cloud for this Microsoft Azure, turn on the Configure Government Cloud toggle. Azure Government Cloud is a specialized cloud computing platform provided by Microsoft, designed specifically for U.S. government agencies and their partners. While it offers the same core services as the commercial Microsoft Azure cloud, it offers additional complaince, security, and regulatory controls configured to meet the stringent security requirements of its primary use cases.
*Country	From the dropdown list, select the country for which the Azure Government Cloud is being configured. Important: In the current implementation, the Azure Government Cloud configuration is supported only for the United States, to serve the U.S. government agencies and their partners with data residency, operations, and complaince as per the U.S. regulations.
*Account Type	From the dropdown list, select one of the following values: Single Subscription Multi Subscription To understand the subscription types and the difference between them, click here.
*Account Name	Enter the customer’s unique account name. Constraints: A duplicate account name should not exist in the cloud inventory. The account name should include only alphanumeric and period (.) characters.
Description	Enter a description of the device to be added.
*Data center	From the dropdown list, select the data center through which communication with the Certificate Authority will be established.
Proxy required	To use a proxy server for the communication, select this checkbox. Proxy settings configured in the Platform module will be used for communication. To read more on how proxy settings are configured and managed, click here.
*: Mandatory fields

Enter/Select the Credential Details.

Table 2. Field description for the Credential Details section
Field	Description
*Credential type	From the dropdown list, from the following options, select the authentication method that will be used for integrating Microsoft Azure with AppViewX: Manual Entry: The required credentials will be entered manually. Credential List - CyberArk: The required credentials will be retrieved from CyberArk, a Privileged Access Management (PAM) solution. Managed Identity : [Read the Managed Identity prerequisites given above.] An Azure-assigned Managed Identity is used for Azure Active Directory (Azure AD) authentication, fetching tokens automatically without storing credentials in AppViewX. Managed Identity is an Azure-generated identity that allows resources to authenticate to Azure AD-protected services without storing credentials. At this time, the Managed Identity credential is not supported for an Azure Government Cloud environment. Certificate Authentication: To use a X.509 certificate for authentication (instead of a client secret or password), from the dropdown list, select Certificate Authentication. From the certificate and key file uploaded in the Certificate and Key field, a JWT token is generated . The Json Web Token is a digitally signed token containing the details needed to authenticate and authorize a user or application. Certificate authentication using a JWT token is strongly recommended owing to stronger security, low risk of leakage, and better certificate expiry management due to long lived certificates.
*Tenant ID	Enter the unique identifier (GUID) of your Azure Active Directory Tenant.
Managed Identity Type	This field is displayed only when Credential type = Managed Identity. From the dropdown list, from the following options, select how Managed Identity is provisioned and managed for the resource to be onboarded: User Managed: Use when you need a standalone identity that can be assigned to one or more Azure resources and managed independently. System Managed: Use when you want Azure to automatically create and manage an identity that is tied to a single resource’s lifecycle.
*Client ID	Enter your Azure client ID (application ID). For Credential type = Managed Identity, this field is displayed only when Managed Identity Type = User Managed. In this case, enter the Client ID of the user-assigned managed identity linked to your Azure resource.
*Client secret	Enter your Azure client secret key.
*Credential name	This field is displayed only when Credential type = Credential List - CyberArk. From the dropdown list, select the CyberArk account with the Microsoft Azure credentials that will be used for onboarding the Azure account in AppViewX. The options listed in this dropdown list are the existing CyberArk accounts integrated with AppViewX. For instructions on integrating CyberArk with AppViewX, click here.
*Certificate and Key	This field is displayed only when Credential type = Certificate Authentication. To upload the certificate file that will be used for generating the JWT token: Click Upload. Navigate to the location of the certificate file. Select the file for upload and click Open. In the Authentication Details dialog box, in the *Enter Password field, enter the certificate key. Click Ok.
*: Mandatory fields

To validate the credential details entered above, click Validate Credential.
Note: The option to Validate Credential is displayed only for a multi subscription account type.
Access to the Discover Resources section is enabled only after the credentials have been validated.

Enter/Select the details needed to Discover Resources.

Table 3. Field description for the Discover Resources section
Field	Description
*Services	From the dropdown list, select Api Management to map the service to the Azure setting.
Subscription ID	Note: This field is displayed only when Account Type = Single Subscription. Enter the unique identified (GUID) of your Azure subscription.
Subscription Onboarding State	Subscription onboarding refers to integrating an Azure subscription with AppViewX. You can choose to onboard all subscriptions at once or onboard only selected ones. From the following options, select a state for onboarding subscriptions discovered from the Azure organization: Managed: Enables subscription onboarding, allowing Azure cloud resource and certificate discovery instantly Unmanaged: Disables subscription onboarding, preventing resource and certificate discovery for these projects. After you have fetched all subscriptions belonging to these projects, you can select individual subscriptions for onboarding, as explained here.
Auto Sync	To enable/disable automatic synchronization of the AppViewX inventory with your Azure cloud infrastructure , use the Auto Sync key. On enabling auto sync, the Schedule Based checkbox is displayed
Schedule Based	To specify a schedule for the auto sync: Click the icon. The Schedule Based Sync window is displayed. In the General Information section, enter the details of the sync schedule. Field descriptions for the General Information section
*: Mandatory fields

Table 4. Field descriptions for the General Information section
Field	Description
*Frequency of Sync	Set the sync frequency using the two dropdown lists for this field. For example, to set the frequency to 1 day: From the first dropdown list, select 1. From the second dropdown list, select Days.
Advance Settings	To set the sync frequency for a specific service: Enable the Advance Settings key. The Auto Sync Services section is displayed. The services selected for this setting (in the Services field under Discover Resources) are listed in this section. To set the frequency for a specific service(s), select the corresponding checkbox. The Service Specific Parameters section is displayed with the Frequency of Sync field displayed for each selected service. Enter the details of the sync schedule and click Apply. The sync frequency is applied to the selected services. Note: If a service is not selected, the Frequency of Sync set in the General Information section is applied to all services in a setting.

For a multi subscription account, after specifying the details for resource discovery, click Fetch Subscriptions.
1. From the subscriptions table, select the checkbox corresponding to the subscription(s) you want to manage.
2. From the Actions dropdown menu, select Manage.
From Additional attributes, for the Api Management service, from the following options, select the user permission for Cert sync:
- Managed: AppViewX will connect with the customer’s Azure account and discover certificates. These certificates will be added to the inventory. Users with the relevant permissions can then perform the required certificate-related actions.
- Monitored: AppViewX will connect with the customer’s Azure account and discover certificates. These certificates will be added to the inventory where the users will be allowed to only view the certificates.
- Ignored: AppViewX will connect with the customer’s Azure account but certificate discovery will be disabled.
Click Save.
Return to the Device :: Cloud page.
From the table of added devices displayed on the Device :: Cloud page, from the Status column, click Check.
The status of the added device is displayed.
To view the certificates, go to (Menu) > CERT+ > CERTIFICATE INVENTORY and select the required certificate type.

Onboarding Certificates for Microsoft Azure Devices in AppViewX

There are two ways you can onboard certificates in AppViewX:

Via certificate discovery, for existing certificates
Via certificate enrollment, for new certifcates

Discovering Certificates for Microsoft Azure Resources

Go to (Menu) > CERT+ > CERTIFICATE DISCOVERY > Discovery > Cloud Scan.
The Discovery : Cloud Scan : Add Discovery page is displayed.

To initiate a cloud certificate discovery scan, enter/select the Discover Details.

To specify the frequency at which the certificate discovery scan will be triggered, select the Discovery Run Type.

Table 5. Discovery run type options
Frequency Type	Description
On-demand	Cloud certificate discovery scan istriggered manually by the user as and when required.
Scheduled	Cloud certificate discovery scan is triggered automatically at the specified time and date.

Enter/Select the details for initiating an on-demand cloud certificate discovery scan.

Table 6. Field descriptions for **on-demand** discovery
Frequency Type	Description
Discovery Instance Name	Enter a name for the discovery instance.
Description	Enter additional details related to the discovery option. Note: Character limit: 2000 characters

Enter/Select the details for initiating a scheduled cloud certificate discovery scan.

Table 7. Field descriptions for **scheduled** discovery
Frequency Type	Description
Discovery Instance Name	Enter a name for the discovery instance.
Description	Enter additional details related to the discovery option. Note: Character limit: 2000 characters
Occurrence Type	From the dropdown list, from the following options, select an occurrence frequency: Daily Weekly Monthly Yearly
*Repeat On	Note: This field is displayed only when Occurrence Type = Weekly. Select the checkbox corresponding to the day of the week on which you want the discovery occurrence to repeat.
*Starts On	Click (Calendar widget) to select a date to start the scheduled discovery.
*Ends	From the following options, select when the scheduled discovery is to end: Never: Discovery never stops. After: Discovery stops after the number of occurrences specified in the text field. On: Discovery stops on the date selected using (Calendar widget)
Summary	Displays a summary of the selections made for scheduled discovery
*: Mandatory fields

To filter the discovered certificates, enter/select the Discover By details.

Table 8. Field descriptions for the Discover By section
Field	Description
*Discovery From	From the dropdown list, select Cloud (the source to discover a certificate from).
*Vendor	From the dropdown list, select Azure.
Discovery Scope	Select the Azure environment scope (range/boundary) within which the certificate discovery process will operate. Azure Settings Azure settings are configurable parameters that define the behavior of the resources within a subscription. Azure Subscriptions Azure subscriptions are logical containers that consitute the Azure services and resources, identified based on a customer's agreement with Microsoft.
Enable Service Specific Discovery	Note: This field is displayed only when Discovery Scope = Azure Subscriptions. To filter discovery results based on the services under each subscription mapped to a service, turn on the Enable Service Specific Discovery option. If this field is disabled, the discovery scope will include all the services within a subscription that is mapped to a setting.
*Selected Resources	To search for a resource: (Optional) In the Type your search and press Enter field, enter a search keyword to filter the list of resources. To make your search more specific: From the Type your search and press Enter field, click . Enter/Select values for one or more of the following parameters: Azure Settings Subscription ID Tenant ID Resource Type In the Condition field: To get search results that meet all your specified criteria, select AND. To get results that meet at least one (or more) of your specified criteria, select OR. From the search results, select the checkbox corresponding to the required resource. To add an existing resource to the list: Click . From the Add Accounts dialog box, select the checkbox corresponding to the required resource(s). Click Add Selected. Note: The Add Selected button is enabled after at least one resource is selected. To delete a resource from the list: Select the checkbox corresponding to the resource you want to delete. From the Action field, click . OR Click . Note: To delete multiple resources at once: Select the checkboxes for the resources to be deleted. Click .
Execute Batches Sequentially	To execute the discovery operation on the specified batches sequentially, select this checkbox.
*Interval Between Batches	If Execute Batches Sequentially is selected, enter a interval duration (in minutes) in this field. The sequential execution of the batches is spaced according to the interval value entered hee.
*: Mandatory fields

In the Discovery Rules section, from the Associate Rule dropdown list, select a rule that will be used to filter the discovered certificates.
A setof filters is combined to create a rule, from the Rules menu. The selection of rules will apply respective filters on discovered certificates.

In the After Discover section, enter/select the following details:

Table 9. Field descriptions for the After Discover section
Field	Description
*Move Certificate to Inventory with Status	Select one from the following options: Do not move: The newly discovered certificates and their objects will not be moved to the inventory. Managed: The newly discovered certificates and their objects will be moved to the inventory with the status set to Managed. Monitored: The newly discovered certificates and their objects will be moved to the inventory with the status set to Monitored.
Use Access Control Rule	To apply the rule configured using Access Control, select this checkbox. Note: If this checkbox is enabled, the certificate group will be associated automatically by the rule in access control.
*Certificate Group	From the dropdown list, select a certificate group to which the discovered certificates will be associated. Based on the group association, a policy will also be applied to these certificates, which will help ascertain compliance or non-compliance.
*: Mandatory fields

Click Discover/Schedule to trigger the on-demand/scheduled discovery, respectively.
Once the certificates are discovered, you can view them in the certificate inventory.
To automate the certificate lifecycle management for the discovered certificates, you can enable auto regeneration of certificates, auto renewal of certificates, and auto push of certificates to endpoints.

Enrolling Certificates

Enrolling a Server Certificate

Prerequisites

[For Linux-based vendor] OpenSSL is used to generate a private key and a Certificate Signing Request (CSR) as part of the endpoint enrollment process. Ensure that OpenSSL is installed and properly configured on the system before proceeding.

Enrolling a Server Certificate

Server certificate enrollment refers to the process ofcreating a digital ID for an application/web server hosted in the network. It starts with the generation of a key pair (private and public key) and CSR, and then submitting the CSR to the required CA to procure a certificate. CERT+ supports the generation of keypair on the device, HSM, AppViewX. Users can also upload the CSR for enrolling for a digital certificate.

To enroll a server certificate:

Go to (Menu) > CERT+ > CERTIFICATE ACTION > Enroll Certificate > Server
The Enroll Server Certificate page is displayed.
In the General Information section, from the dropdown list, select the required Assign Group.

Enter the CA Details.

Table 10. Field descriptions for the CA Details section
Field	Description
*Certificate Authority	From the dropdown list, select the certificate authority to request the certificate enrollment. Note: The IDnomic CA can be used for issuing certificates only in an on-prem deployment. Certificates issued through IDnomic CA can be renewed only if they are enrolled using a Registration Authority workflow.
*Renew Automatically	Note: If the Override feature is enabled for the certificate group selected from the Assign Group dropdown list, auto renew settings done in the enrollment page will be overwritten by the group level settings. If Regenerate Automatically has been enabled for the selected certificate group, the Renew Automatically field is not displayed here. To automatically renew this certificate: Turn on the Renew Automatically toggle. The *Start Renewing field is displayed. In the Days Before Expiry field, specify how many days prior to a certificate's expiry the renewal process should start. Valid range for number of days: 1 to 120 Note: The auto renew settings from the parent certificate will be transferred to the child certificate only if the toggle was enabled; they will not transfer if the certificate was renewed manually. After migration, these settings will be disabled for the parent certificate, so enable them manually if needed.
*Regenerate Automatically	To automatically regenerate this certificate: Turn on the Regenerate Automatically toggle. The *Start Regenerating field is displayed. In the Days Before Expiry field, specify how many days prior to a certificate's expiry the regeneration process should start. Valid range for number of days: 1 to 120 Note: This value can exceed the certificate's validity in case of short-lived certificates. Note: This feature can be enabled only for valid certificates (not for revoked/suspended and expired certificates). The auto regenerate settings from the parent certificate will be transferred to the child certificate only if the toggle was enabled; they will not transfer if the certificate was regenerated manually. After migration, these settings will be disabled for the parent certificate, so enable them manually if needed.
*Re-enroll Automatically	To automatically regenerate this certificate: Turn on the Re-enroll Automatically toggle. The *Start Re-enrollng field is displayed. In the Days Before Expiry field, specify how many days prior to a certificate's expiry the regeneration process should start. Valid range for number of days: 1 to 120 Note: This value can exceed the certificate's validity in case of short-lived certificates. Note: User overrides are allowed unless Group Override is active, in which case the group's configuration takes precendence.
*CA Account	From the dropdown list, select the CA account to which the certificate enrollment request will be submitted.
Certificate Type	From the dropdown list, select the required certificate type.
*Division	Note: This field is applicable only for Digicert CA. From the dropdown list, select the division with which the certificate will be enrolled.
Certificate Profile	Note: This field is displayed for only selected CAs. For the IDnomic CA, this field is displayed when only-CA setting is selected from the CA Account dropdown list. From the dropdown list, select the certificate profile with which the certificate must enroll.
*RA Workflow	Note: This field is displayed when Certificate Authority = IDnomic and a RA setting is selected from the CA Accounts dropdown list. From the dropdown list, select the RA workflow that will be used for certificate enrollment. For the details of a workflow, you can check them on your CA portal on IDnomic.
*Issuer Location	Note: This field is applicable only for Google CA. From the dropdown list, select the issuer location associated with the CA account.
*Issuer Name	Note: This field is applicable only for Google CA and AppViewX PKIaaS Native. From the dropdown list, select the issuer name for issuing the certificate.
Template Name	Note: This field will be displayed only when Certificate Authority = AppViewX Native CA. Select a template name from the dropdown list. Template Name is editable. The selected template will be displayed in the Template/Profile column of the Server Certificate Inventory irrespective of the Managed/Monitor status. You can also search and filter certificates based on the template name within the CERT+ Inventory.
*Issuance Policy	Note: This field is applicable only for Futurex. From the dropdown list, select the issuing policy for this certificate. An issuance policy defines the rules Futurex must follow to process the certificate enrollment request. The selected issuance policy will determine the approval requirements for the certificate, the cryptographic settings, notification triggeres and other configuration parameters.
*Root CA	Note: This field is applicable only for Futurex. From the dropdown list, select the root CA for the certificate being enrolled. This is the trusted root certificate authority that anchors the certificate chain. All issued certificates will ultimately chain up to this root.
*Signing CA	Note: This field is applicable only for Futurex. From the dropdown list, select the Certificate Authority that will sign the requested certificate.
*Extension Profiles	Note: This field is applicable only for Futurex. Extension profiles enable you to further modify your certificates with additional field, attributes, and requirements. From the dropdown list, select the extension profile that will be used for the certificate being enrolled. To read more on and for instructions to create extension profiles, refer the Futurex documentation. For links, see the References section.
*Approval Group Name	Note: This field is applicable only for Futurex. An approval group is a predefined set of users or roles authorized to approve the certificate enrollment request. From the dropdown list, select the approval group to authorize this enrollment request. To read more on and for instructions to create and manage approval groups, refer the Futurex documentation. For links, see the References section.
*Connector Name	Enter a friendly name for the CA connector. On saving this form, the name entered here will be displayed in the holistic view.
Description	Note: Character limit: 2000 characters Enter the description in this field.
*CSR Generation	Note: This field is applicable for all CAs except Amazon. From the following options, select the required method for generating the CSR: AppViewX: Private key and CSR will be created in AppViewX based on CSR parameters given. Note: If auto regeneration has been enabled for this cerificate, AppViewX can be enforced as the default CSR generation source (irrespective of any selections made here) every time the certificate is regenerated. To do this, execute the following db script: `db.cert_metadata.insertOne({"_id":"CERT_AUTO_REGENERATE_DEFAULT_APPVIEWX_CSR", "flag":true})` Upload CSR: You can upload a file that contains the CSR details. This source file will be used to populate the CSR parameters, which will then be submitted to the CA. Under CSR Generation, select Upload CSR. The Please paste your CSR field is displayed. From the Please paste your CSR field, select Browse. Navigate to the location of your CSR file, and click Open. Click Upload. On successful upload of this file, the CSR fields are populated with the corresponding details. HSM: Note: This option is disabled/not displayed when Certificate Authority = Google, CSC Global, and DigiCert One. To generate the private key and the CSR, based on the CSR parameters given in an HSM device: Under CSR Generation, select HSM. To enter the configuration details for CSR generation, refer the field descriptions given here. End Point: Note: This option is disabled when Certificate Authority = Google and CSC Global. To generate the private key and the CSR, based on the CSR parameters given in an endpoint device: Under CSR Generation, select End Point. To enter the configuration details for CSR generation, refer the field descriptions given here.
*: Mandatory fields

Table 11. Field descriptions for using HSM as the CSR generation source
Field	Description
*Device Type	From the dropdown list, from the following options, select the type of device on which the private key and the CSR will be generated: HSM Devices (AppViewX will directly communicate with the HSM device for the CSR generation.) ADC Devices (The selected ADC device will interact with the HSM to generate the CSR and subsequently transmit the relevant details to AppViewX.)
*Vendors	This field is displayed only when Device Type = ADC Devices. From the dropdown list, select the required ADC device vendor.
Module Number	This field is displayed when Device Type = ADC Devices and Vendors = Thales. In the event that multiple HSMs are configured on a system, module number is a unique identifier assigned to each HSM. In this field, enter the module number assigned to the selected Thales device.
*Devices	From the dropdown list, select the required HSM/ADC device. This field is populated based on the Device Type and Vendors selected. For Device Type = HSM Devices The dropdown list is populated with HSM devices that were enabled for CSR generation at the time of onboarding and have been successfully onboarded. To read more on onboarding HSM devices in AppViewX, click here. For Device Type = ADC Devices The dropdown list is populated with F5 devices that are in the Managed state. Currently, AppViewX enables HSM key generation only through F5 devices for the following HSM vendors and their respective supported versions: Fortanix (v14 and onwards) Thales (v12 and onwards) Safenet (v12 and onwards)
*Key Handler Name	This field is displayed when Device Type = HSM Devices. Key handler name refers to an identifier used to reference a cryptographic key managed by an HSM device. Enter the desired handler name in the field.
*Key Reference Name	This field is displayed when Device Type = ADC Devices. Key reference name refers to an identifier used to reference a private key that is stored locally on an ADC device or is securely accessible to the device via an external HSM. In this field, enter the reference name assigned to the private key stored in/accessible to the selected ADC device.

Table 12. Field descriptions for using an endpoint device as the CSR generation source
Field	Description
Category	From the following options, select the ADC device category: ADC Cloud Server WAF Firewall Note: Run the following script to enable endpoint CSR generation support for GlobalSignAtlas: `db.getCollection('cert_metadata').insertOne({ "_id": "CSR_GENERATION_ENDPOINT_SUPPORTED_VENDOR_GLOBALSIGNATLAS", "objectMap": { "Server": [ "ABAP", "Web Dispatcher" ] } });` On selecting GlobalSignAtlas CA, Category is automatically populated as Server.
Vendor	The dropdown list for this field is populated based on the Category selected. From the dropdown list, select the vendor for the end point device. Note: On selecting GlobalSignAtlas CA, Vendor is populated with ABAP and Web Dispatcher.
*Devices	This field lists the end point devices present in your environment that belong to the above selected Category and Vendor. From the dropdown list, select the end point device on which you want to generate the private key and the CSR. Note: On selecting Vendor = Fortinet, both Fortigate and FortiManager devices are populated. Auto-regeneration of certificates with FortiManager as endpoint is not supported.
*Profile	This field is applicable only when Category = Server/WAF. Select a profile from the dropdown list. Note: On selection of Vendor = Imperva, CSR generation at the endpoint is supported only for SaaS platforms. Profiles will not be displayed for AWS/on-prem deployments.
*Tenant	This field is applicable only when Category = AD. Enter the tenant ID.
*Service name	From the dropdown list, select the cloud service running on the selected cloud Devices.
CSR Location	This field is applicable only when Category = Server.
*Template Name	This field is applicable only when Category = Firewall. Select the required template from the dropdown list. Note: This field will be enabled when the Platform = Panorama while onboading PaloAlto device at Menu > CERT+ > Device Management > Inventory> Firewall > Add. Templates and partitions are used to enroll certificates at the template level. To enroll a certificate at the Panorama level, set the template to None.
Partition	This field is applicable only when Category = Firewall.
*CSR File Name	Enter the name of the file that contains the CSR parameters. Note: As the extension is already included in the field, ensure that you enter the file name without the file extension. Starting v2023.1.0 FP2, for enrolling Apache server certificates, this field is labeled as CSR File Location.
*Key File Name	Enter the name of the file that contains the private key details. Note: As the extension is already included in the field, ensure that you enter the file name without the file extension. Starting v2023.1.0 FP2, for enrolling Apache server certificates, this field is labeled as Key File Location.
*Certificate File Name	This field is displayed only when Category = Cloud. Enter the certificate file name.
*Key vault	This field is displayed only when Category = Cloud, Vendor = Azure, and Service name = Key Vault (Azure).
*Service	Note: This field is displayed when Category = Server and Vendor = Microsoft Server. This dropdown list is populated based on the Device selected. From the options in the dropdown list, select the service.
*Exchange Server	Note: This field is displayed when Category = Server and Vendor = Microsoft Server. From the dropdown list, select the name of the MS Exchange server for which the certificate is being enrolled.

For the EJBCA certificate authority, enter the vendor details.

Table 13. Field descriptions for the **EJBCA** Vendor Specific Details section
Field	Description
* End Entity Profile Name	From the dropdown list, select the end entity profile name.
End entity user name	Enter the name of the end user entity.
* Issuer Common Name	From the dropdown list, select the issuer common name.
*Certificate Profile Name	From the dropdown list, select the certificate profile name.
*: Mandatory fields

Note: When generating a new private key on an endpoint, existing keys (including .txt encrypted key files) are not overwritten immediately.

For non–password-protected certificate types (PEM-.crt, PEM-.cer, PEM-.pem, DER-.der, DER-.cer, PKCS7-.p7b, PKCS7-.p7c), the .txt file is decrypted into the original key filename (keyfile.key) during the push. If a key with the same name already exists, it will be replaced.
For password-protected certificate types (Default JKS-.jks, JKS-.keystore, PKCS12-.p12, PKCS12-.pfx):
- During the push , the encrypted .txt file is decrypted into a temporary, timestamped key file (keyfile_.key).
- This decrypted key is then combined with the certificate to create the final bundled output (e.g., .pfx, .jks).
- After bundling, the temporary timestamped key file is deleted; Because the decrypted key file is temporary and timestamped, no key replacement occurs, and no existing key files are overwritten.

This is currently applicable for:

Linux vendors - Generic Linux, Apache Linux, Tomcat Linux, and Nginx Linux.
Windows vendors - Windows Apache, Windows Tomcat, and Microsoft SQL.

For the certificate being enrolled, enter the CSR Parameters.

Note: For DigiCert One, all CSR parameters that are assigned static values in the certificate profile will be auto-populated and disabled for editing.

Table 14. Field descriptions for the CSR Parameters
Field	Description
Replace PSE File	The Replace PSE File checkbox enables users to generate the CSR or private key in the Server. This checkbox is displayed only in the case described below: Select the CSR Generation radio button as Endpoint. Select Category as Server, Vendor as ABAP or Web Dispatcher The Profiles dropdown is the only other field displayed below it and is populated with a list of .pse file names. Select the required Profile from the dropdown. Based on the values selected, the fields in the CSR Parameters section are auto-populated. The Replace PSE File checkbox is disabled by default and the SAN details fields in CSR Parameters section are also disabled. Selecting the checkbox will make the SAN details enabled and allow for values to be updated.
*Common Name	Enter the certificate's common name. The common name is one of the key values of Certificate Signing Request (CSR) to be present in the certificate. For example, <appviewx>. Note: Constraints: Character limit: 64 characters No special characters allowed except en dash (_) and hyphen (-). For VMware vCenter, enter the device's FQDN to avoid certificates being rejected. If left blank, the FQDN will be auto-detected and populated.
Subject Alternative Name	From the dropdown list, select the Subject Alternative Name category for the certificate being enrolled. In the corresponding field(s) displayed for the selection made, enter the required values. Note: Multiple values must be separated by a comma. After enrollment, the cumulative count of SANs is displayed in the certificate property pop-up window from the holistic view. For VMWare vCenter, enter the device's FQDN to avoid certificates being rejected. If left blank, the FQDN will be auto-detected and populated.
DNS	Mutiple SAN values must be separated by a comma (,).
Organization	The organization name is one of the CSR parameters to be present in the certificate. This field will be auto-filled and editable based on the configuration in the selected group’s policy. Note: For VMWare vCenter, this is a mandatory field.
Organization Unit	Organization Unit name is one of the CSR parameters to be present in the certificate. This field will be auto-filled and editable based on the configuration in the selected group’s policy. Note: For VMWare vCenter, this is a mandatory field.
Locality	The locality name is one of the CSR parameters to be present in the certificate. This field will be auto-filled and editable based on the configuration in the selected group’s policy. Note: For VMWare vCenter, this is a mandatory field.
State	The state name is one of the CSR parameters to be present in the certificate. This field will be auto-filled and editable based on the configuration in the selected group’s policy. Note: For VMWare vCenter, this is a mandatory field.
Country	Country name is one of the CSR parameters to be present in the certificate. This field will be auto-filled and editable based on configuration. It must be a 2-letter country code (for example, US, and so on). Note: For renewal of the certificate being enrolled, country name is required. For VMWare vCenter, this is a mandatory field.
Email Address	Enter a valid email address of the person responsible for maintaining the certificate. Note: For VMWare vCenter, this is a mandatory field.
*Validity	To specify the validity of the certificate being enrolled: From the first dropdown list, select the number of days/months/years. From the second dropdown list, select the unit of the duration from the following values: Days/Months/Year. For example, if the validity of the certificate is 2 months: From the first dropdown list, select 2. From the second dropdown list, select Months. Note: The uploaded certificate validity for Globalsign MSSL is set to 365 days.
Challenge Password	Challenge password is one of the CSR parameters to be present in the certificate. Password must contain at least one alphabet (uppercase and lowercase), one number, and one special character.
Confirm Password	Re-enter the password entered in the Challenge Password field.
*Hash Function	The Hash function with which the CSR has to be signed. Any information specific to any CA or vendor has to be covered in the Note section. This field will be auto-filled and editable based on the configuration in the selected group’s policy. Note: For Certificate Authority = HydrantID, irrespective of the hash function selected, by default, the CA returns a certificate with SHA256. Therefore, admins must restrict users from creating a certificate with a hash function other than SHA256. To accomplish this, create policy with a single hash value (SHA256).
*Key Type	The key type is used while creating a private and public key pair. This field will be auto-filled and editable based on the configuration in the selected group’s policy. Note: FortiManager supports only RSA key type of 512, 1024, 1536, 2048, 3072, 4096 bits. VMWare supports only RSA of 2048, 3072, 4096, 7680, 8192 bits and EC key type.
*Bit Length	The bit length is used while creating a private and public key pair. This field will be auto-filled and editable based on the configuration in the selected group’s policy.
*: Mandatory fields

In the Attachments section, upload any additional documents that are relevant to the enrollment of the certificate (for example, approval emails).

Table 15. Field descriptions for the Attachments section
Field	Description
Name	Enter a name for the document. This need not be the actual name of the document; it can be an alternate name that will be used for reference only.
Comments	Enter any details relevant to the document being attached. Note: Character limit: 2000 characters
Upload File	To upload an attachment: Click Upload. Navigate to the location of the document to be uploaded. Select the document to be document and click Open. The selected document is uploaded and listed in the table displayed below these fields in the Attachments section. Tip: If you have uploaded multiple attachments, use the Search field to find the required one.
*: Mandatory fields

In the Certificate Attributes section, enter organization-specific values, for the certificate attributes and custom attributes for the issuing CA, that need to be mentioned along with the CSR.
These values will not be a part of the certificate but will be available in the AppViewX inventory. For example, cost center.
Note: This additional information can be used to filter certificate details in the inventory.

Enter the relevant details in the Generic Fields. These are default fields for maintaining the IP address and device information, if required.

Table 16. Field descriptions for the Generic Fields
Field	Description
Device Name	Enter the name of the device.
Application IP Address	Enter the IP address of the application.
Tracking ID	A free-form business alpha-numerical identifier, included in the audit logs, that may be used to correlate audit log entries (typically enrollment and revocation events)
Certificate holder Email	Note: For the IDnomic CA, this field is displayed only when the selected CA account has been configured using a Registration Authority (RA). An email address that may be used to send notifications to certificate holder depending on the notification policies configured for the requested workflow
First name	Note: For the IDnomic CA, this field is displayed only when the selected CA account has been configured using a Registration Authority (RA). First name (as a metadata) associated with the certificate to be enrolled
Last name	Note: For the IDnomic CA, this field is displayed only when the selected CA account has been configured using a Registration Authority (RA). Last name (as a metadata) associated with the certificate to be enrolled
Organization	Note: For the IDnomic CA, this field is displayed only when the selected CA account has been configured using a Registration Authority (RA). Organization name (as a metadata) associated with the certificate to be enrolled
Comment	Note: For the IDnomic CA, this field is displayed only when the selected CA account has been configured using a Registration Authority (RA). Additional information (as a metadata) associated with the certificate to be enrolled
UUID	Note: For the IDnomic CA, this field is displayed only when the selected CA account has been configured using a Registration Authority (RA). Universal Unique Identifier, or UUID, (as a metadata) associated with the certificate to be enrolled

In the Vendor-Specific Details section, enter the CA-specific details. Some of the CAs will expect additional details other than CSR parameters as meta data for their operational purposes. Details common to all CAs will be taken from the AppViewX user information of the logged in user.

Table 17. Field descriptions for the **common** vendor specific details
Field	Description
Certificate ID	The Certificate ID is auto-populated based on the value entered in the Common Name field (in the CSR Parameters section). The Certificate ID can be modified by the user. If the user edits the Certificate ID, any change to the Common Name will not reflect in the Certificate ID. If the user deletes the Certificate ID, the value of the Certificate ID field is set to the Common Name suffixed with the timestamp.

Table 18. Field descriptions for the **CSC Global CA** vendor specific details
Field	Description
*Server Type	From the dropdown list, select the server on which the application that requires the requested certificate is hosted.
*Business Unit	Enter the name of the business unit that is requesting the certificate.
*Organization Contact	Enter the email address of the contact in the organization requesting the certificate.
*Phone Number	Enter the phone number of the Organization Contact in the followung format: +<country code>-<phone number>. Note: For CSC Global, the phone number is not fetched from the AppViewX user information because of the difference in format.
*Domain Control Validation Type	From the following options in the dropdown list, select the method CSC Global will use for authentication before issuing a certificate: EMAIL: CSC Global will send an approval/confirmation request to the registered email ID. Certificate issuance happens only after approval is received. CNAME: On requesting certificate issuance, CSC Global will provide you with a dynamic string. Add a CNAME record with this string to your DNS settings. CSC will issue the certificate requested only after validating this CNAME record. Note: CSC Global will perform domain validation for all CLM actions.
*: Mandatory fields

Table 19. Field descriptions for the **Custom CA** vendor specific details
Field	Description
*CRL and OCSP required	To control the inclusion of CRL and OCSP settings, turn this toggle button on/off as required.
*: Mandatory fields

Table 20. Field descriptions for the **DigiCert CA** vendor specific details
Field	Description
*Server Type	From the dropdown list, select the server on which the application that requires the requested certificate is hosted.
*Payment Method	From the dropdown list, select one from the following payment methods: Bill To Account Balance: This option allows you to pay for the DigiCert certificate using the available balance in your DigiCert account. Note: Ensure that the option to bill to account balance is enabled for the account and the account has sufficient balance. Bill To Default Credit Card: This option will charge the cost of the DigiCert certificate to the credit card set as the default payment method in your DigiCert account. Note: Ensure that a credit card is configured as the default payment method for your account.
Additional Email	Enter email addresses that will receive notifications for renewals, reissues, and duplicates for the specified order.
Renewal Message	Enter a custom message that will be sent with the renewal notifications.
Notes	Enter a custom note that will be sent with the order.
*: Mandatory fields

Table 21. Field descriptions for the **DigiCert One CA** vendor specific details
Field	Description
Seat ID	Enter the seat ID that will be assigned to the certificate being enrolled. Seat ID is a unique user-defined value assigned to identify an entity in the DigiCert One account. The seat ID for a certificate is used for certificate enrollment, renewal, and regeneration. Note: The Seat ID field is displayed only if the Allow Seat ID during enrollment option is selected for the CA account. In this case, the value entered in the Seat ID field is now a unique identifier for the certificate being enrolled. Otherwise, a common seat ID is assigned to all certificates enrolled for the selected CA account

Table 22. Field descriptions for the **GlobalSign MSSL CA** vendor specific details
Field	Description
*Profile name	A profile name is defined at the time of creating an account on the GlobalSign MSSL portal. AppViewX retrieves all your profile names from the GlobalSign MSSL portal and populates them in this dropdown list. From the dropdown list, select the profile name the enrolled certificate should be mapped to.
*: Mandatory fields

Table 23. Field descriptions for the **Hydrant ID CA** vendor specific details
Field	Description
Expiry Emails	Enter a comma-separated list of email addresses that will receive the certificate expiry notification from HydrantID. Note: HydrantID CA does not accept updates to these email addresses during the renewal process.

Table 24. Field descriptions for the **Nexus CA** vendor specific details
Field	Description
Procedures	The Procedures dropdown list will display only the procedures mapped to the server and the default procedure. From the dropdown list, select the required procedure.

Table 25. Field descriptions for the **LetsEncrypt CA** vendor specific details
Field	Description
*Challenge Type	Specifies the method for verifying domain ownership. Select the required domain for the validation. The available challenge types are: HTTP DNS.
Challenge Verify	Determines how the DNS challenge will be verified. Select the required verification process. The available challenge verifies are: Manual Automatic. The value Automatic suggests that the system will automatically handle the verification process without manual intervention. Note: This field appears when the challenge type is selected as DNS.
Vendor	Indicates the DNS provider responsible for managing DNS records. The available DNS service providers are: Cloudflare Azure. Note: This field appears when the challenge verify is selected as Automatic.
*Settings	Allows for additional configuration settings related to the DNS challenge. The selected value None implies that no extra settings are applied. Note: This field appears when the challenge verify is selected as Automatic. Note: Make sure that you have enabled LetsEncrypt DNS Automation from the workflow. To add new vendors for the integration and configuration, refer to Integration topic in the Automation Guide.
*: Mandatory fields

Click Add.
Once the details are added, you will be redirected to a page where the CSR and CA details are added as a connector. This page is called the holistic view and from here, any action on the certificate can be performed including provisioning the certificate to a server.
On the holistic view, click the Submit button to trigger the request.
The submit action is triggered and the Submit dialog box is displayed.
Enter your comments in the text field and click Yes.
If the approval required option is enabled in the CA policy, the request is moved to the Approve and Implementation stages.
Click Approve to proceed.
The Approve dialog box is displayed.
Enter your comments in the text field.

Note: If the workflow request has to be approved automatically in the future, click the Schedule later button .
Click Yes.
Once the approval process is complete, the Implement option is displayed in the holistic view.
Click Implement.
The Implement dialog box is displayed.
Enter your comments in the text field.
If the workflow request has to be implemented automatically in the future, click Schedule later .
Click Yes.
CSR Submission to CA is in progress.Once the CSR submission is successful, the request state will be changed to Submit certificate - retrieval in progress state.
If the enrollment request is compliant with conditions defined and auto-approval enabled in the targeted CA, the certificate will be fetched in a few seconds.
If auto-approval disabled in the targeted CA, you will have to be logged into the CA and approve the request.
Once the certificate is issued successfully, the certificate will be retrieved into AppViewX. You can now push the enrolled certificate(s) to the required endpoint.

Enrolling Client Certificates

Go to (Menu) > CERT+ > CERTIFICATE ACTION > Enroll Certificate > Client
The Enroll Client Certificate page is displayed.
In the General Information section, from the dropdown list, select the required Assign Group.

Enter/Select the CA Details.

Table 26. Field descriptions for the CA Details section
Field	Description
*Certificate Authority	Note: Depending on the CA selected, the rest of the fields will be displayed. From the dropdown list, select the required certificate authority (CA). Note: For enrolling certificates with policies using Google CA, consider the following points: Certificate Enrollment - Strict Policy The Common Name will not be pre-filled from the policy. The following validation will be seen based on strict policy guidelines. If the Common Name’s domain name is not present in the Allowed Domain Name list, an error validation will be shown upon saving the policy details. Certificate Enrollment - Suggestive Policy The Common Name will not be pre-filled from the policy The following validation will be seen based on strict policy guidelines. If the Common Name’s domain name is not present in the Allowed Domain Name list, the non-compliant policy will be created. If the Common Name’s domain name is present in the Blocked Domain Name list, an error validation will be shown upon saving the policy details. Note: For Certificate Authority = EJBCA, an additional set of fields, Vendor specific details is displayed after the CA Details section. Instructions on specifying the vendor specific details are covered in step 4.
*Renew Automatically	Note: If the Override feature is enabled for the certificate group selected from the Assign Group dropdown list, auto renew settings done in the enrollment page will be overwritten by the group level settings. If Regenerate Automatically has been enabled for the selected certificate group, the Renew Automatically field is not displayed here. To automatically renew this certificate: Turn on the Renew Automatically toggle. The *Start Renewing field is displayed. In the Days Before Expiry field, specify how many days prior to a certificate's expiry the renewal process should start. Valid range for number of days: 1 to 120 Note: The auto renew settings from the parent certificate will be transferred to the child certificate only if the toggle was enabled; they will not transfer if the certificate was renewed manually. After migration, these settings will be disabled for the parent certificate, so enable them manually if needed. Note: The IDnomic CA can be used for issuing certificates only in an on-prem deployment. Certificates issued through IDnomic CA can be renewed only if they are enrolled using a Registration Authority workflow.
Subscribe Email Alerts for Auto-Renewal	This field is displayed when Renew Automatically is enabled. To receive email notifications every time this certificate is auto-renewed, select this checkbox. The email notification includes certificate details, the type of auto action (renewal, in this case), and the outcome (success/failure). These notifications help administrators stay informed of automated lifecycle actions, reducing the overhead to manually track them. If enabled here, this setting overrides the group setting for email alerts subscription, unless group-level overrides have been enforced.
*Regenerate Automatically	To automatically regenerate this certificate: Turn on the Regenerate Automatically toggle. The *Start Regenerating field is displayed. In the Days Before Expiry field, specify how many days prior to a certificate's expiry the regeneration process should start. Valid range for number of days: 1 to 120 Note: This value can exceed the certificate's validity in case of short-lived certificates. Note: This feature can be enabled only for valid certificates (not for revoked/suspended and expired certificates). The auto regenerate settings from the parent certificate will be transferred to the child certificate only if the toggle was enabled; they will not transfer if the certificate was regenerated manually. After migration, these settings will be disabled for the parent certificate, so enable them manually if needed.
Subscribe Email Alerts for Auto-Regenerate	This field is displayed when Regenerate Automatically is enabled. To receive email notifications every time this certificate is auto-regenerated, select this checkbox. The email notification includes certificate details, the type of auto action (regeneration, in this case), and the outcome (success/failure). These notifications help administrators stay informed of automated lifecycle actions, reducing the overhead to manually track them. If enabled here, this setting overrides the group setting for email alerts subscription, unless group-level overrides have been enforced.
*Re-enroll Automatically	To automatically regenerate this certificate: Turn on the Re-enroll Automatically toggle. The *Start Re-enrollng field is displayed. In the Days Before Expiry field, specify how many days prior to a certificate's expiry the regeneration process should start. Valid range for number of days: 1 to 120 Note: This value can exceed the certificate's validity in case of short-lived certificates. Note: User overrides are allowed unless Group Override is active, in which case the group's configuration takes precendence.
*CA Account	To which account the enrollment request to be submitted.
Certificate Type	Select the desired certificate type from the dropdown list.
*Division	Select the division to which the certificate must be enrolled. Note: This field will be shown only for Digicert CA.
Certificate Profile	Note: This field is applicable only for AppViewX CA and Google CA. For the IDnomic CA, this field is displayed when only-CA setting is selected from the CA Account dropdown list. From the dropdown list, select the profile with which the certificate must enroll.
*RA Workflow	Note: This field is displayed when Certificate Authority = IDnomic and a RA setting is selected from the CA Accounts dropdown list. From the dropdown list, select the RA workflow that will be used for certificate enrollment. For the details of a workflow, you can check them on your CA portal on IDnomic.
*Issuer Location	Select the location of the issuer CA from the dropdown. Note: This is applicable only for Google CA.
*Issuer Name	Select the name of the issuer CA from the dropdown. Note: This is applicable only for Google CA.
*Issuance Policy	Note: This field is applicable only for Futurex. From the dropdown list, select the issuing policy for this certificate. An issuance policy defines the rules Futurex must follow to process the certificate enrollment request. The selected issuance policy will determine the approval requirements for the certificate, the cryptographic settings, notification triggeres and other configuration parameters.
*Root CA	Note: This field is applicable only for Futurex. From the dropdown list, select the root CA for the certificate being enrolled. This is the trusted root certificate authority that anchors the certificate chain. All issued certificates will ultimately chain up to this root.
*Signing CA	Note: This field is applicable only for Futurex. From the dropdown list, select the Certificate Authority that will sign the requested certificate.
*Extension Profiles	Note: This field is applicable only for Futurex. Extension profiles enable you to further modify your certificates with additional field, attributes, and requirements. From the dropdown list, select the extension profile that will be used for the certificate being enrolled. To read more on and for instructions to create extension profiles, refer the Futurex documentation. For links, see the References section.
*Approval Group Name	Note: This field is applicable only for Futurex. An approval group is a predefined set of users or roles authorized to approve the certificate enrollment request. From the dropdown list, select the approval group to authorize this enrollment request. To read more on and for instructions to create and manage approval groups, refer the Futurex documentation. For links, see the References section.
*Connector Name	Enter the friendly name for Certificate Authority connector in this field which will be displayed in the holistic view on saving this form.
Description	Enter the description in this field. Note: Character limit: 2000 characters
*CSR Generation	Select the CSR generation option as required. Options are: Upload CSR: Uploaded CSR will be used as the source to populate CSR parameters and submit to CA. To upload a CSR: Under CSR Generation, select Upload CSR. The Please paste your CSR field is displayed. From the Please paste your CSR field, select Browse. Navigate to the location of your CSR file, and click Open. Click Upload. On successful upload of this file, the CSR fields are populated with the corresponding details. HSM: The private key and CSR will be created in the selected HSM device based on CSR parameters given. To generate the private key and the CSR, based on the CSR parameters given in an HSM device: Under CSR Generation, select HSM. To enter/select the configuration details for CSR generation, refer the field descriptions given here. End Point: The private key and CSR will be created in the selected end point device based on the CSR parameters given. To generate the private and the CSR, based on the CSR parameters given in an endpoint device: Under CSR Generation, select End Point. To enter/select the configuration details for CSR generation, refer the field descriptions given here. AppViewX - Private key and CSR will be created in AppViewX based on CSR parameters given. Note: If auto regeneration has been enabled for this cerificate, AppViewX can be enforced as the default CSR generation source (irrespective of any selections made here) every time the certificate is regenerated. To do this, execute the following db script: `db.cert_metadata.insertOne({"_id":"CERT_AUTO_REGENERATE_DEFAULT_APPVIEWX_CSR", "flag":true})` Note: For all CA types except Amazon, you have the option to generate the CSR.
*: Mandatory fields

Table 27. Field descriptions for using HSM as the CSR generation source
Field	Description
*Device Type	From the dropdown list, from the following options, select the type of device on which the private key and the CSR will be generated: HSM Devices (AppViewX will directly communicate with the HSM device for the CSR generation.) ADC Devices (The selected ADC device will interact with the HSM to generate the CSR and subsequently transmit the relevant details to AppViewX.)
*Vendors	This field is displayed only when Device Type = ADC Devices. From the dropdown list, select the required ADC device vendor.
Module Number	This field is displayed when Device Type = ADC Devices and Vendors = Thales. In the event that multiple HSMs are configured on a system, module number is a unique identifier assigned to each HSM. In this field, enter the module number assigned to the selected Thales device.
*Devices	From the dropdown list, select the required HSM/ADC device. This field is populated based on the Device Type and Vendors selected. For Device Type = HSM Devices The dropdown list is populated with HSM devices that were enabled for CSR generation at the time of onboarding and have been successfully onboarded. To read more on onboarding HSM devices in AppViewX, click here. For Device Type = ADC Devices The dropdown list is populated with F5 devices that are in the Managed state. Currently, AppViewX enables HSM key generation only through F5 devices for the following HSM vendors and their respective supported versions: Fortanix (v14 and onwards) Thales (v12 and onwards) Safenet (v12 and onwards)
*Key Handler Name	This field is displayed when Device Type = HSM Devices. Key handler name refers to an identifier used to reference a cryptographic key managed by an HSM device. In this field, enter the reference name assigned to the Master Encryption Key stored in the selected HSM device.
*Key Reference Name	This field is displayed when Device Type = ADC Devices. Key reference name refers to an identifier used to reference a private key that is stored locally on an ADC device or is securely accessible to the device via an external HSM. Enter the desired handler name in the field.

Table 28. Field descriptions for using an endpoint device as the CSR generation source
Field	Description
Category	From the following options, select the ADC device category: ADC Cloud Server Firewall.
Vendor	From the dropdown list, select the vendor for the end point device. Note: The dropdown list for this field is populated based on the Category selected.
*Devices	This field lists the end point devices present in your environment that belong to the above selected Category and Vendor. From the dropdown list, select the end point device on which you want to generate the private key and the CSR.
Tenant	Note: This field is applicable only when Category = ADC. Enter the tenant ID.
*Service name	From the dropdown list, select the cloud service running on the selected cloud Devices.
CSR Location	Note: This field is applicable only when Category = Server.
*Template Name	Note: This field is applicable only when Category = Firewall. Select the required template from the dropdown list. Note: This field will be enabled when the Platform = Panorama while onboading PaloAlto device at Menu > CERT+ > Device Management > Inventory> Firewall > Add. Templates and partitions are used to enroll certificates at the template level. To enroll a certificate at the Panorama level, set the template to None.
Partition	Note: This field is applicable only when Category = Firewall.
*CSR File Name	Enter the name of the file that contains the CSR parameters. Note: Since the extension is already included in the field, ensure that you enter the file name without the file extension. Note: Starting v2023.1.0 FP2, for enrolling Apache server certificates, this field is labeled as CSR File Location.
*Key File Name	Enter the name of the file that contains the private key details. Note: Since the extension is already included in the field, ensure that you enter the file name without the file extension. Note: Starting v2023.1.0 FP2, for enrolling Apache server certificates, this field is labeled as Key File Location.
*Certificate File Name	Note: This field is displayed only when Category = Cloud. Enter the certificate file name.
*Key vault	Note: This field is displayed only when Category = Cloud, Vendor = Azure, and Service name = Key Vault (Azure).
*Service	Note: This field is displayed when Category = Server and Vendor = Microsoft Server. This dropdown list is populated based on the Device selected. From the options in the dropdown list, select the service.
*Exchange Server	Note: This field is displayed when Category = Server and Vendor = Microsoft Server. From the dropdown list, select the name of the MS Exchange server for which the certificate is being enrolled.

For the EJBCA certificate authority, enter/select the vendor details.

Table 29. Field descriptions for the **EJBCA** Vendor Specific Details section
Field	Description
* End Entity Profile Name	From the dropdown list, select the end entity profile name.
End entity user name	Enter the name of the end user entity.
* Issuer Common Name	From the dropdown list, select the issuer common name.
*Certificate Profile Name	From the dropdown list, select the certificate profile name.
*: Mandatory fields

Enter/Select the CSR Parameters.

Table 30. Field descriptions for the CSR Parameters section
Field	Description
*Common Name	The common name is one of the key values of Certificate Signing Request (CSR) to be present in the certificate. For example, <appviewx>. No special characters allowed except en dash (_) and hyphen (-).
*Common Name Indicator	Important: See note. This field is displayed when the selected CA Account is DigiCert and Certificate Type is one of the following: Secure Email for Business Digital Signature Premium As part of DigiCert's revised security regulations, the common name for the above listed DigiCert certificate types is derived from the one of the input attributes, as selected from the dropdown list. For the common name indicator, from the dropdown list, select one of the following: First Name and Last Name Pseudonym Email (applicable only for the Secure Email for Business certificate type)
*First Name	This field is displayed when: Common Name Indicator = First Name and Last Name Common Name Indicator = Email and Indicator Type = First Name and Last Name Enter the verified first name of the individual subject. For Common Name Indicator = First Name and Last Name A combination of the first name and last name will be used to derive the certificate's common name, which will be displayed in the certificate's Common Name field or the Subject DN (in the certificate details that can be accessed from the holistic view). For Common Name Indicator = Email and Indicator Type = First Name and Last Name The first and last name will be appended as mandatory additional information to the Subject Alternative Name.
*Last Name	This field is displayed when: Common Name Indicator = First Name and Last Name Common Name Indicator = Email and Indicator Type = First Name and Last Name Enter the verified last name of the individual subject. For Common Name Indicator = First Name and Last Name A combination of the first name and last name will be used to derive the certificate's common name, which will be displayed in the certificate's Common Name field or the Subject DN (in the certificate details that can be accessed from the holistic view). For Common Name Indicator = Email and Indicator Type = First Name and Last Name The first and last name will be appended as mandatory additional information to the Subject Alternative Name.
*Pseudonym	This field is displayed when: Common Name Indicator = Pseudonym Common Name Indicator = Email and Indicator Type = Pseudonym Enter the pseudonym of the individual subject. A pseudonym is a fictitious name assumed for a particular person. For Common Name Indicator = Pseudonym The entered pseudonym will be displayed in the certificate's Common Name field or the Subject DN (in the certificate details that can be accessed from trhe holistic view). For Common Name Indicator = Email and Indicator Type = Pseudonym The pseudonym will be appended as mandatory additional information to the Subject Alternative Name.
*Indicator Type	This field is displayed when Certificate Type = Secure Email for Business and Common Name Indicator = Email. In this case, the issuer's email address, as specified in the CSR parameters, is used to derive the common name. For Common Name Indicator = Email, it is mandatory to include additional information in the form of the first name and last name or the pseudonym, which will be appended to the Subject Alternative Name. From the following options, select the required indicator type to be used as mandatory information along with the email: First Name and Last Name The First Name and Last Name fields are displayed. Pseudonym The Pseudonym field is displayed.
Subject Alternative Name	You can see the count of subject alternative names (SAN) available for a certificate in the CSR parameter section, inventory grid, and CA connector page. Select the subject alternative subject name from the dropdown list. The possible options are, Select all DNS IP Address. Note: Multiple values must be separated by a comma. The cumulative count SANs appears in the certificate property pop-up window from the holistic view.
*Organization	The organization name is one of the CSR parameters to be present in the certificate. This field will be auto-filled and editable based on the configuration in the selected group’s policy.
Organization Unit	Organization Unit name is one of the CSR parameters to be present in the certificate. This field will be auto-filled and editable based on the configuration in the selected group’s policy.
Locality	The locality name is one of the CSR parameters to be present in the certificate. This field will be auto-filled and editable based on the configuration in the selected group’s policy.
State	The state name is one of the CSR parameters to be present in the certificate. This field will be auto-filled and editable based on the configuration in the selected group’s policy.
*Country	Country name is one of the CSR parameters to be present in the certificate. This field will be auto-filled and editable based on configuration. It must be a 2-letter country code (for example, US, and so on).
Email Address	The email contact details of the person responsible for maintaining the certificate. Enter the valid e-mail address. Except for SwissSign, this field is mandatory or optional based on the value selected for the Email Address mandatory for Client Certificate field in the corresponding CA policy.
*Order Validity	Enter the number in this field and select the entered validity list to be in Days, Months, and Years from the dropdown list. The Order Validity for the following DigiCert S/MIME certificate types cannot exceed 2 years: Secure Email for Business Digital Signature Premium Note: As per revised security regulations for DigiCert S/MIME certificates, the maximum lifespan of the the above listed certificate types is two years.
Challenge Password	Challenge password is one of the CSR parameters to be present in the certificate. Password must contain at least one alphabet (uppercase and lowercase), one number, and one special character.
Confirm Password	Reenter the same password to confirm that is entered in the Challenge Password field.
*Hash Function	The Hash function with which the CSR has to be signed. Any information specific to any CA or vendor has to be covered in the Note section. This field will be auto-filled and editable based on the configuration in the selected group’s policy. Note: For Certificate Authority = HydrantID, irrespective of the hash function selected, by default, the CA returns a certificate with SHA256. Therefore, admins must restrict users from creating a certificate with a hash function other than SHA256. To accomplish this, create policy with a single hash value (SHA256).
*Key Type	From the dropdown list, select the cryptogrpahic algorithm that will be used for generating the certificate's key pair. The dropdown list is populated based on the CA policy configured for the selected CA.
*Bit Length	From the dropdown list, select the required key size (in bits). The dropdown list is populated based on the CA policy configured for the selected CA.
*ECDSA curve	For Key Type = EC, from the dropdown list, select the elliptic curve that will be used to create the public and private key pairs.
*: Mandatory fields

In the Attachments section, upload any additional documents that are relevant to the enrollment of the certificate (for example, approval emails).

Table 31. Field descriptions for the Attachments section
Field	Description
Name	Enter the alternate name for the document to be uploaded.
Comments	Enter the comments in this field. Note: Character limit: 2000 characters
Upload File	Click the Upload button to select the file.

Other than the CSR fields, you can add organization-specific values along with CSR. These values will not be part of the certificate but will be available in the AppViewX inventory. For example, cost center. Inventory can be filtered based on these attributes as well. In the Certificate Attributes can be added under Administration > certificate attributes, it will be reflected on the enrollment page:

Enter the relevant details in the Generic Fields. These are default fields for maintaining the IP address and device information, if required.

Table 32. Field descriptions for the Generic Fields
Field	Description
Device Name	Enter the name of the device.
Application IP Address	Enter the IP address of the application.
Tracking ID	A free-form business alpha-numerical identifier, included in the audit logs, that may be used to correlate audit logentries (typically enrollment and revocation events)
Certificate holder Email	Note: For the IDnomic CA, this field is displayed only when the selected CA account has been configured using a Registration Authority (RA). An email address that may be used to send notifications to certificate holder depending on the notification policies configured for the requested workflow
First name	Note: For the IDnomic CA, this field is displayed only when the selected CA account has been configured using a Registration Authority (RA). First name (as a metadata) associated with the certificate to be enrolled
Last name	Note: For the IDnomic CA, this field is displayed only when the selected CA account has been configured using a Registration Authority (RA). Last name (as a metadata) associated with the certificate to be enrolled
Organization	Note: For the IDnomic CA, this field is displayed only when the selected CA account has been configured using a Registration Authority (RA). Organization name (as a metadata) associated with the certificate to be enrolled
Comment	Note: For the IDnomic CA, this field is displayed only when the selected CA account has been configured using a Registration Authority (RA). Additional information (as a metadata) associated with the certificate to be enrolled
UUID	Note: For the IDnomic CA, this field is displayed only when the selected CA account has been configured using a Registration Authority (RA). Universal Unique Identifier, or UUID, (as a metadata) associated with the certificate to be enrolled

Table 33. Field descriptions for the **common** vendor specific details
Field	Description
Certificate ID	The Certificate ID is auto-populated based on the value entered in the Common Name field (in the CSR Parameters section). The Certificate ID can be modified by the user. If the user edits the Certificate ID, any change to the Common Name will not reflect in the Certificate ID. If the user deletes the Certificate ID, the value of the Certificate ID field is set to the Common Name suffixed with the timestamp.

Table 34. Field descriptions for the **DigiCert CA** vendor specific details
Field	Description
*Server Type	From the dropdown list, select the server on which the application that requires the requested certificate is hosted.
*Payment Method	From the dropdown list, select one from the following payment methods: Bill To Account Balance: This option allows you to pay for the DigiCert certificate using the available balance in your DigiCert account. Note: Ensure that the option to bill to account balance is enabled for the account and the account has sufficient balance. Bill To Default Credit Card: This option will charge the cost of the DigiCert certificate to the credit card set as the default payment method in your DigiCert account. Note: Ensure that a credit card is configured as the default payment method for your account.
Additional Email	Enter email addresses that will receive notifications for renewals, reissues, and duplicates for the specified order.
Renewal Message	Enter a custom message that will be sent with the renewal notifications.
Notes	Enter a custom note that will be sent with the order.
*: Mandatory fields

Table 35. Field descriptions for the **Hydrant ID CA** vendor specific details
Field	Description
Expiry Emails	Enter a comma-separated list of email addresses that will receive the certificate expiry notification from HydrantID. Note: HydrantID CA does not accept updates to these email addresses during the renewal process.

Table 36. Field descriptions for the **Nexus CA** vendor specific details
Field	Description
Procedures	The Procedures dropdown list will display only the procedures mapped to the server and the default procedure. From the dropdown list, select the required procedure.

Click Add.
Once the details are added, you will be redirected to a page where the CSR and CA details are added as a connector. This page is called the holistic view and from here, any action on the certificate can be performed including provisioning the certificate to a server.
On the holistic view, click the Submit button to trigger the request.
The submit action is triggered and the Submit dialog box is displayed.
Enter your comments in the text field and click Yes.
If the approval required option is enabled in the CA policy, the request is moved to the Approve and Implementation stages.
Click Approve to proceed.
The Approve dialog box is displayed.
Enter your comments in the text field.

Note: If the workflow request has to be approved automatically in the future, click the Schedule later button .
Click Yes.
Once the approval process is completed, the Implement option is displayed in the holistic view.
Click Implement.
The Implement dialog box is displayed.
Enter your comments in the text field.
If the workflow request has to be implemented automatically in the future, click Schedule later .
Click Yes.
CSR Submission to CA is in progress.Once the CSR submission is successful, the request state will be changed to Submit certificate - retrieval in progress state.
If the enrollment request is compliant with conditions defined and auto-approval enabled in the targeted CA, the certificate will be fetched in a few seconds.
If auto-approval disabled in the targeted CA, you will have to be logged into the CA and approve the request.
Once the certificate is issued successfully, the certificate will be retrieved into AppViewX. You can now push the enrolled certificate(s) to the required endpoint.

Pushing Certificates to Microsoft Azure API Management

Important: Read the pre and push script usage instructions here.

Adding an Application Connector for Azure API Management

On the certificate holistic view, click Add Connector.

Enter/Select the General Information for the connector.

Table 37. Field descriptions for the connector General Information
Field	Description
*Category	From the dropdown list, select Cloud.
*Vendor	From the dropdown list, select Azure.
Service Types	From the dropdown list, select Api Management.
*Connector Name	Enter a name for this connector, to be able to identify it later. Tip: AppViewX recommends naming connectors according to use cases so they are easily distinguishable.
Description	Enter any additional details you want to record for this connector.

Based on the information entered here, the SSL templates section is populated with the list of available Microsoft Azure devices already onboarded in AppViewX.

To select the device(s) to which the certificate will be pushed, under SSL templates, from the list of Available Devices, for the required device(s), click .
The Selected devices list is updated automatically.

Enter/Select the Certificate Details.

Table 38. Field descriptions for the Certificate Details
Field	Description
*Certificate Type	From the dropdown list, select the file type of the certificate to be pushed.
*Certificate File Name	Enter the file name of the certificate to be pushed. The file extension is auto-populated based on the Certificate Type selected.
Certificate Push Type	Certificate push type specifies the mechanism that will be used for pushing certificates to the targeted service. For the Azure Api management service, certificate push type has the following values: Upload a Certificate to Api Management (for uploading a new certificate) Replace/Update existing Certificate in Api Management (for renewing/replacing an existing certificate) Important: For the Azure Api management service, this field is disabled for editing and the Upload a Certificate to App Service is selected by default.
Certificate Location	From the following options, select where the certificate will be stored after it is pushed: Upload directly to Api Management: Upload certificates directly to the Application Gateway Choose from Azure Key Vault: Store certificates in Azure Key Vault and then reference them in the Api Management configuration.
Push Root and Intermediate Certificates	To push the root and intermediate certificates, along with the end certificate, select this checkbox.

Enter/Select the Push Details.

Table 39. Field descriptions for the Push Details
Field	Description
Pre - Push Script File Name	Enter the file name of the pre-push script. Important: Read the pre and push script usage instructions here.
Post - Push Script File Name	Enter the file name of the post push script. Important: Read the pre and push script usage instructions here.
Push Automatically	To automatically push the certificate after it is renewed/reissued to the target system, enable this checkbox. Note: The auto push feature for a certificate works only if enabled for the certificate application connector as well the associated certificate group. To enable this feature at the certificate group level, refer the instructions here.

Click Save.
The connector is displayed on the certificate holistic view.

Pushing a Server Certificate

Go to (Menu) > CERT+ > CERTIFICATE ACTION > Push to Device > Server.
The Server Certificate page is displayed.
To push a certificate, under Common Name, click the required certificate.
The certificate topology view is displayed.
Click Push to Device. The Push to Device option will be shown if the app connector is already added to the certificate otherwise add the app connector and then proceed.
Note:
- Only server certificates that include their private keys will be eligible for push operations to cloud connectors.
  After push, during subsequent discovery, when the CC machine is healthy and discovery returns the pushed certificate, the pushed AppConnector should be in Sync status, else the associated AppConnector must be transitioned to an Out of Sync status.
  If a new certificate is pushed to the gateway while the old certificate for the AppConnector still exists in the inventory, then after the next discovery, the AppConnector must move to Out of Sync status for the old certificate.
- Endpoint CSR generation is not supported for cloud connectors.
- The Push to Device option is displayed only after an app connector is added to certificate.
The Confirmation dialog box is displayed.
Enter your comments, if required, in the text field.
Click OK.
- The approval process is triggered. The current flow is based on the default policy of two-level approvals.
- A request ID and work order ID are generated automatically and the work order status is displayed alongside the connector in the certificate topology view.
To approve the push request, from the certificate topology view, click Approve.
In the Confirmation dialog box:
1. In the Manual Implementation field, to choose the mode of implementation, use the On/Off toggle.
2. If you select Off, set the date and time to schedule the certificate push.
3. Enter your comments in the text field and click Yes.
The work order status displayed beside the connector updates to Push-Review In Progress.
To implement the push request, from the certificate topology view, click Implement.
In the Confirmation dialog box:
1. In the Manual Implementation field, to choose the mode of implementation, use the On/Off toggle.
2. If you select Off, set the date and time to schedule the certificate push.
3. Enter your comments in the text field and click Yes.
The push action is triggered. After the push action is completed, the status updates to Completed.
To refresh the certificate topology view, from the top-right corner of the screen, click Refresh.
An automatic HTTPS-based verification job is run at regular intervals to validate that certificates are correctly installed after the push operations triggered between the intervals; the system compares served certificates with the expected ones across all associated IP:ports. The data gathered by this job is used to create the Push Validation Report that highlights the proportion of successful versus failed push operations, providing a quick view of overall push reliability.

Pushing a Client Certificate

Go to (Menu) > CERT+ > CERTIFICATE ACTION > Push to Device > Client.
The Client Certificate page is displayed.
To push a certificate, under Common Name, double click the required certificate.
The certificate topology view is displayed.
Click Push to Device. The Push to Device option will be shown if the app connector is already added to the certificate otherwise add the app connector and then proceed.

Note: The Push to Device option is displayed only after an app connector is added to certificate.

The Confirmation dialog box is displayed.
Enter your comments, if required, in the text field.
Click OK.
- The approval process is triggered. The current flow is based on the default policy of two-level approvals.
- A request ID and work order ID are generated automatically and the work order status is displayed alongside the connector in the certificate topology view.
To approve the push request, from the certificate topology view, click Approve.
In the Confirmation dialog box:
1. In the Manual Implementation field, to choose the mode of implementation, use the On/Off toggle.
2. If you select Off, set the date and time to schedule the certificate push.
3. Enter your comments in the text field and click Yes.
The work order status displayed beside the connector updates to Push-Review In Progress.
To implement the push request, from the certificate topology view, click Implement.
In the Confirmation dialog box:
1. In the Manual Implementation field, to choose the mode of implementation, use the On/Off toggle.
2. If you select Off, set the date and time to schedule the certificate push.
3. Enter your comments in the text field and click Yes.
The push action is triggered. After the push action is completed, the status updates to Completed.
An automatic HTTPS-based verification job is run at regular intervals to validate that certificates are correctly installed after the push operations triggered between the intervals; the system compares served certificates with the expected ones across all associated IP:ports. The data gathered by this cron job is used to update the Push Validation Report that highlights the proportion of successful versus failed push operations, providing a quick view of overall push reliability.

Enabling Auto Regeneration of Certificates

Enabling Auto Regeneration for a Certificate Group

You can enable and configure the auto regeneration feature at the certificate group level, which will apply to all certificates assigned to that group.

For details and instructions to enable auto regeneration at the certificate group level, click here.

Enabling Auto Regeneration at the Certificate Level

Enabling Auto Regenerate for Certificate Enrollment

While you can enable auto regenerate for all types of certificates, for clarity, in this section, we'll look at the instructions for enabling auto regenerate for a server certificate.

For details and instructions to enable auto regeneration at the time of server certificate enrollment, click here.

Enabling Auto Regenerate for Discovered Certificates

While you can enable auto regenerate for all types of certificates, for clarity, in this section, we'll look at the instructions for enabling auto regenerate for a server certificate.

Go to Menu > CERT+ > Certificate Inventory > Server.
The Server Certificate inventory is displayed.
From the inventory, for the certificate you want to enable auto push for, click the common name.
The holistic view of the selected certificate is displayed.
For an existing CA connector for the certificate, hover over .
From the menu displayed, click Edit.
The certificate details are displayed.
Under CA Details, turn on the Regenerate Automatically toggle.
In the Start Regenerating field, enter the number of days before expiration when the certificate should be regenerated.
Click Update.
The holistic view of the selected certificate is displayed.
Note: For the auto regenerate process to take effect, set the auto push in the application connector. Refer to the Enabling Auto Push section.

Enabling Auto Push of Certificates to Endpoints

After setting the auto renew/regenerate in the CA connector, you must now enable the auto push in the application connector to ensure the renewed/regenerated certificates are pushed to the end device.

To enable auto push of certificates, you need to enable the corresponding option for the group to which the certificate in question belongs, as well as the connector created for that certificate.

To enable auto push for the certificate group:
1. Go to Menu > CERT+ > Groups & Policies > Groups.
  The Group page is displayed.
2. From the Name field, select the required certificate group.
  The Group : Modify : <group name> page is displayed.
3. From the Other Details section of this certificate group, turn on the Push Certificate Automatically toggle button.
4. Click Update.
To enable auto push for the certificate connector:
1. From the holistic view, for an existing application connector for the certificate, hover over (More) icon.
  To add an application connector, follow the instructions given here.
2. From the menu displayed, click Edit.
  The Edit Application Connector pop-up is displayed.
3. Select the Push automatically checkbox.
  
  Important: The auto-push feature works only when it is enabled at the connector level and disabled at the group level. If enabled at the group level but disabled at the connector level, the feature will not function.
4. Click Save.
  The holistic view of the selected certificate is displayed.
  Note: An Auto Renew Certificates job is scheduled to run every 6 hours. It auto renews the configured certificates based on the number of days before expiry. AppViewX will disable the push automatically option in the Parent certificate application connector and enable it in the renewed certificate application connector.
  Note: An Auto Regenerate Certificates job is scheduled every day. It auto regenerates the configured certificates based on the number of days before expiry.

With API Management Integration

Microsoft Azure API Management

Prerequisites for Onboarding Azure API Management Settings in AppViewX

Permissions Required

Onboarding Azure Settings in AppViewX for API Management

Onboarding Certificates for Microsoft Azure Devices in AppViewX

Discovering Certificates for Microsoft Azure Resources

Enrolling Certificates

Enrolling a Server Certificate

Prerequisites

Enrolling a Server Certificate

Enrolling Client Certificates

Pushing Certificates to Microsoft Azure API Management

Adding an Application Connector for Azure API Management

Pushing a Server Certificate

Pushing a Client Certificate

Enabling Auto Regeneration of Certificates

Enabling Auto Regeneration for a Certificate Group

Enabling Auto Regeneration at the Certificate Level

Enabling Auto Regenerate for Certificate Enrollment

Enabling Auto Regenerate for Discovered Certificates

Enabling Auto Push of Certificates to Endpoints

References