Creating an SSL Certificate device

SECURITY  Security level with access to CRM, permission to view organizations of the same type, and object permissions to add devices

NAVIGATION  Create > CRM > Device

NAVIGATION   > CRM > Search > Organizations > click Search > click an organization name >  accessory tabs > Devices > New

NAVIGATION   > Contracts > Contract > Search >  View Contract > Contract Detail > Devices > New

IMPORTANT  Automated retrieval of WHOIS information, DNS records, and SSL certificates requires that the Domain & SSL Tracking feature is enabled. Refer to Enabling domain & SSL certificate tracking.

In addition to creating an SSL certificate when you create the domain, you can also create the certificate manually.

Populating SSL Certificate-specific fields

For general information about creating a device, refer to Adding and editing devices. Populate the category-specific fields as follows:

  1. To open the page, use the path(s) in the Security and navigation section above.
  2. Select SSL Certificate as the Device Category.
    The SSL Source component and field will appear on the Main panel of the New Device page.
  3. The required Product field will default to the system product None but can be changed. Best practice is to create a product named SSL Certificate and assign it as the default product for SSL certificate devices. Refer to Adding, editing, or copying a product.
  4. Complete all required fields and enter an SSL Source.
Field Name Description

SSL Source

Enter a PEM Encoded Certificate. If automatic retrieval is enabled, you can optionally also enter a certificate Host.

EXAMPLE  for Certificate Host(s) with valid formatting:
www.datto.com
datto.com
http://datto.com
https://datto.com
portal.datto.net
demo.shop.datto.com (uncommon, but it is possible to have multiple sub-domains)

For PEM certificates, the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines are required.

EXAMPLE  for PEM-encoded certificate:
-----BEGIN CERTIFICATE----- MIICLDCCAdKgAwIBAgIBADAKBggqhkjOPQQDAjB9MQswCQYDVQQGEwJCRTEPMA0G A1UEChMGR251VExTMSUwIwYDVQQLExxHbnVUTFMgY2VydGlmaWNhdGUgYXV0aG9y aXR5MQ8wDQYDVQQIEwZMZXV2ZW4xJTAjBgNVBAMTHEdudVRMUyBjZXJ0aWZpY2F0 ZSBhdXRob3JpdHkwHhcNMTEwNTIzMjAzODIxWhcNMTIxMjIyMDc0MTUxWjB9MQsw CQYDVQQGEwJCRTEPMA0GA1UEChMGR251VExTMSUwIwYDVQQLExxHbnVUTFMgY2Vy dGlmaWNhdGUgYXV0aG9yaXR5MQ8wDQYDVQQIEwZMZXV2ZW4xJTAjBgNVBAMTHEdu dVRMUyBjZXJ0aWZpY2F0ZSBhdXRob3JpdHkwWTATBgcqhkjOPQIBBggqhkjOPQMB BwNCAARS2I0jiuNn14Y2sSALCX3IybqiIJUvxUpj+oNfzngvj/Niyv2394BWnW4X uQ4RTEiywK87WRcWMGgJB5kX/t2no0MwQTAPBgNVHRMBAf8EBTADAQH/MA8GA1Ud DwEB/wQFAwMHBgAwHQYDVR0OBBYEFPC0gf6YEr+1KLlkQAPLzB9mTigDMAoGCCqG SM49BAMCA0gAMEUCIDGuwD1KPyG+hRf88MeyMQcqOFZD0TbVleF+UsAGQ4enAiEA l4wOuDwKQa+upc8GftXE2C//4mKANBC6It01gUaTIpo= -----END CERTIFICATE-----

NOTE  PEM Encoded SSL certificates will not auto-update.
  1. Click Save.
  2. If validation fails, the device will not be saved, and an error message will appear above the toolbar.

  3. Cause Error Message

    Invalid entry such as \datto.com

    Please double-check your input and try again (Invalid URI Format)

    Invalid entry such as htps:\\datto.com

    Please double check your input and try again (HttpWebRequest error)
    Source does not exist: lalala.com SSL Certificate not found. Please check spelling and try again.

    No value for Certificate Authority returned

    Unable to retrieve SSL Details

    PEM Certificate could not be validated due to invalid format, or more than one SSL certificate was returned.

    Unable to process PEM-encoded certificate. Please double-check certificate and try again.

 

If validation is successful, the SSL Details fields will be populated. If you entered a certificate host, the information will be retrieved, if you entered a PEM certificate, it will be decoded locally.

Viewing SSL Details

If the SSL certificate is valid and you are able to save the device, an additional component, SSL Details, will appear. By default, it is displayed below the Description component.

The following view-only fields appear in both View and Edit mode:

Field Name Description
Common Name The Common Name (CN) represents the server name protected by the SSL certificate. It can be a single host name (example: datto.com) or a wildcard name (example: *.datto.com). If the certificate is installed on a subdomain, for example the api subdomain, the common name would be api.datto.com.
Valid From The earliest time and date on which the certificate is valid.
Valid Until The time and date past which the certificate is no longer valid.
Issued By The Certificate Authority that issued the SSL certificate, verified the information, and signed the certificate. Example: DigiCert SHA2 Secure Server CA.
Organization The organization that owns the domain for which the SSL certificate was issued. Example: Datto, Inc.
Organizational Unit The department or division of the organization that has requested the SSL certificate. Example: IT
Location The city where the organization is located. Example: Norwalk, Connecticut, US.
Serial Number Used to uniquely identify the certificate within a Certificate Authority's systems. In particular this is used to track revocation information.
Signature Algorithm The algorithm used to sign the public key certificate. Example: sha256RSA.
Subject Alternative Names Any additional domains for which the SSL certificate is valid, separated by the pipe character. Example: *.datto.com | datto.com.

Updating SSL certification details

IMPORTANT  Once the Domain or SSL Certificate category has been selected for a device, you cannot change the category in either the UI or the API.

IMPORTANT  Autotask is not updating the certificate or domain itself. It is updating our audit of the certificate or domain information.

Update schedule

Autotask will check and update domains and non-PEM SSL certificates on a schedule that increases in frequency as you get closer to the expiration date:

  • > 90 days: update every 30 days

  • > 30 days: update every 7 days

  • > 7 days: update every 48 hours

  • ≤ 7 days: update every 24 hours

This schedule is updated whenever the expiration date or time is updated, either by using the Update Domain Details feature, or when a user manually updates the expiration details.

Behavior when domains are activated or inactivated

For active domains and non-PEM SSL certificates, auto-updates will run even if they are expired. The following rules apply for inactivating and activating domains and non-PEM CI certificates:

  • If a non-PEM SSL certificate or domain device is inactivated or created as inactive, existing auto-updating jobs will be deleted, and no new ones will be created. However, you can still attempt to make manual updates.

  • If an inactive non-PEM SSL certificate or domain device is activated, auto-updating jobs will be created on the schedule above.

No auto-updating jobs are ever created for PEM certificates.

  • If the WHOIS details were successfully retrieved but the DNS records were not, another auto-updating job is scheduled one hour later.

If you have made changes to a domain or SSL certificate, you may want to confirm that the changes have been picked up. Rather than waiting for the next scheduled update, you can initiate an update from either the Tools menu on the Device page, or the context menu of Device tables.

  1. Select Update Domain Details or Update SSL Certificate Details to trigger a forced check.

    If you are editing a domain, you can select Save & Update Domain Detail or Save & Check for SSL Certificate.

  2. A confirmation message will let you know that the domain or the certificate were updated. Click OK.

  3. The page will be refreshed, and a note is added to the Activity feed, even if there are no changes.

    If there were any changes to the domain or certificate, a new RAW file is added. See below.

When an SSL certificate is checked and/or updated, a read-only system note in RAW format is added with the details from the update.

If the SSL certificate details did not change, a note will let you know that the SSL certificate was updated, but no changes were found.