Setting Up Certificate Installation
This guide walks through configuring certificate installation on the Zaita platform — both automated deployment via a Bridge and manual download. For background on how installation works, see Certificate Installation — Introduction.
Prerequisites
Before setting up certificate installation, ensure the following are in place:
- At least one certificate has been provisioned and is active in the certificate inventory.
- If using automated deployment, a Bridge is deployed and connected.
- You have the Deployment Administrator or Super Administrator role.
Option 1 — Automated Deployment via Bridge
Automated deployment uses a Bridge to push certificates to target systems within your network.
Step 1 — Configure a Target System
- Navigate to CLM → Target Systems.
- Select Add Target System.
- Fill in the target system details:
| Field | Description |
|---|---|
| Name | A descriptive name for the target system (for example, web-prod-01). |
| Bridge | Select the Bridge that has network access to this target system. |
| Deployment Type | The type of system to deploy to (IIS, Nginx, Apache, or Linux). |
| Host / Address | The hostname or IP address of the target system as reachable from the Bridge. |
- Configure the deployment-type-specific fields, such as certificate file paths, key file paths, and any service reload commands.
- Select Save.
Step 2 — Associate the Certificate with the Target System
- Navigate to CLM → Certificates and open the certificate you want to deploy.
- Select Add Target System on the certificate detail page.
- Select the target system configured in Step 1.
- Select Save.
Step 3 — Deploy the Certificate
- On the certificate detail page, select Deploy to Target Systems.
- The platform instructs the Bridge to push the certificate to all associated target systems.
- The deployment status for each target system is shown on the certificate detail page.
A successful deployment records the deployment time and updates the target system's status to deployed.
Option 2 — Manual Download and Installation
Step 1 — Download the Certificate
- Navigate to CLM → Certificates and open the certificate you want to install.
- Select the appropriate download format:
  - Download Certificate — downloads the certificate as a PEM-encoded .crt file.
  - Download PFX — downloads the certificate and private key as a password-protected .pfx file (Local PKI certificates only).
For PFX downloads, copy the generated password from the dialog before downloading. The password is not stored and cannot be retrieved after the dialog is closed.
Step 2 — Install the Certificate on the Target System
Install the downloaded certificate according to your target system's requirements. Common deployment scenarios:
Nginx:
ssl_certificate /etc/ssl/certs/your-domain.crt;
ssl_certificate_key /etc/ssl/private/your-domain.key;
Reload Nginx after updating the certificate files.
Apache:
SSLCertificateFile /etc/ssl/certs/your-domain.crt
SSLCertificateKeyFile /etc/ssl/private/your-domain.key
Reload Apache after updating the certificate files.
Windows / IIS:
1. Import the .pfx file into the Windows certificate store using certutil or the Microsoft Management Console (MMC).
2. In IIS Manager, bind the imported certificate to the appropriate site and HTTPS binding.
Verifying Installation
After deploying a certificate — whether via Bridge or manually — verify that the correct certificate is being served:
openssl s_client -connect your-domain.example.com:443 -showcerts
Confirm that the certificate serial number and expiry date match the certificate in the platform inventory.
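The serial and expiry comparison described above can be scripted so that formatting differences (colons, letter case, leading zeros) do not hide or fake a mismatch. This is an added example, not platform tooling or code from the original guide; the function names are illustrative, and it assumes the inventory shows the serial in hexadecimal and the expiry as an ISO 8601 UTC timestamp.

```bash
# Added example (not platform tooling). Assumes inventory serial is hex, expiry is ISO 8601 UTC.

# Print "serial=..." and "notAfter=..." for the leaf certificate a server presents.
served_cert_fields() {  # usage: served_cert_fields HOST [PORT]
  local host="$1" port="${2:-443}"
  # </dev/null lets s_client exit after the handshake; -servername sends SNI so
  # a server hosting several sites returns the certificate for this name.
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null |
    openssl x509 -noout -serial -enddate
}

# Canonical serial: no colons/spaces/0x prefix, uppercase, no leading zeros.
norm_serial() {
  local s
  s=$(printf '%s' "$1" | tr -d ': \t' | tr 'a-fx' 'A-FX' | sed -e 's/^0X//' -e 's/^0*//')
  printf '%s\n' "${s:-0}"
}

# Convert openssl's "Jun  1 12:00:00 2026 GMT" to "2026-06-01T12:00:00Z".
norm_enddate() {
  printf '%s\n' "$1" | awk '{
    m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $1) + 2) / 3
    printf "%04d-%02d-%02dT%sZ\n", $4, m, $2, $3 }'
}

# Reads served_cert_fields output on stdin; returns 0 match, 1 mismatch, 2 nothing parsed.
check_cert_matches() {  # usage: ... | check_cert_matches SERIAL EXPIRY
  local want_serial want_expiry="$2" line got_serial="" got_expiry="" rc=0
  want_serial=$(norm_serial "$1")
  while IFS= read -r line; do
    case $line in
      serial=*)   got_serial=$(norm_serial "${line#serial=}") ;;
      notAfter=*) got_expiry=$(norm_enddate "${line#notAfter=}") ;;
    esac
  done
  [ -n "$got_serial" ] && [ -n "$got_expiry" ] ||
    { echo "no certificate parsed (connection or handshake failed?)" >&2; return 2; }
  [ "$got_serial" = "$want_serial" ] ||
    { echo "serial mismatch: served $got_serial, expected $want_serial" >&2; rc=1; }
  [ "$got_expiry" = "$want_expiry" ] ||
    { echo "expiry mismatch: served $got_expiry, expected $want_expiry" >&2; rc=1; }
  return "$rc"
}

# Constructed sample of served_cert_fields output, for trying the check offline.
SAMPLE_FIELDS='serial=0A1B2C3D4E5F
notAfter=Jun  1 12:00:00 2026 GMT'
# Live use: served_cert_fields your-domain.example.com | check_cert_matches SERIAL EXPIRY
```

A return code of 2 means no certificate was read at all, which should be treated as a failed verification rather than a pass.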
Next Steps
- Managing Installed Certificates — monitor deployment status and manage target system associations.
- Best Practices for Certificate Installation — guidance on automation, key handling, and deployment verification.