Entrust PKI Hub 1.0.0 - Installation and Administration Guide [PDF]

Create this destination to install the issued certificates as the server TLS certificate of an Apache web server. Note that:

On certificate issuance, Certificate Hub ignores any client-generated CSR and uses instead a CSR generated at the destination along with the key pair.
On renewal, the operating system timestamp may remain the same, but the contents of the certificate are always updated.

See below for how to create an Apache web server destination.

To create an Apache web server destination in Certificate Hub

If not already installed, install Python 3.9 or newer on the Nginx web server.
Log in as an administrator with one of the following roles:
- The global_admin role.
- A <user_defined> role with permission to create destinations.
Go to Automate > Destinations.
Click Create to configure the following settings.
Click Verify to check the connection with the destination.
Check the fingerprint of the host key displayed after the verification.
If you trust the key, click Create to confirm the destination creation.

Label

A descriptive name of the destination.

Owner

The username of the destination owner.

The user who adds the destination is automatically made the owner. You can later edit this field and assign ownership to someone else.

Description

A description of the destination purpose.

Authorization Tags

A list of authorization tags. The Custom Roles with any of these tags will grant permissions on the source.

Select Destination Type

Select the following value.

Apache-Webserver-Plugin

Host

The hostname or IP address of the machine hosting the web server.

User

The username for opening an SSH session in the machine hosting the web server.

Password

The user password for opening an SSH session in the machine hosting the web server. Skip this optional parameter if the user will authenticate with a private key.

Private Key File

Click Select File to import a keystore containing the user's private key. Skip this optional parameter if the user will authenticate with a password.

Private Key Password

The password of the keystore containing the user's private key. Skip this optional parameter if the user will authenticate with a password.

Certificate Destination

The path of the certificate and the key in the machine hosting the Apache web server, Select default to publish the certificate and the key in the following default paths.

OS	Certificate path	Key path
Debian	/etc/ssl/certs/localhost.crt	/etc/ssl/private/localhost.key
Redhat	/etc/pki/tls/certs/localhost.crt	/etc/pki/tls/private/localhost.key.

Select customized to set the certificate and key path in the following fields.

Destination Certificate Path
Destination Key Path

Is sudo access required?

Check this box if pushing the certificate and the key in the destination requires sudo access.

Sudo password

The password of a user with sudo permission. Skip this field if Is sudo access required? is not checked,

This password is typically the SSH password of the user selected in the User field.

Restart the Apache web server

Whether to restart the web server after pushing the certificate and the key. If you select Yes, enter the TLS port of the host machine in the additional HTTPS Port field.

The standard TLS port is 443.