
Getting started with AQG Protect

AQtive Guard (AQG) Protect manages the entire lifecycle of non-human identities (NHI), securing them to the last mile. AQG Protect integrates with AQG Discover to provide an end-to-end workflow for finding and remediating cryptographic issues.

Credentials managed in AQG Protect benefit from:

  • Automated rotation
  • Real-time usage observability
  • Secure storage throughout the lifecycle
  • Smooth cryptographic migrations for crypto-agility

This guide explains how to enroll certificates in AQG Protect. Enrolling certificates brings them under centralized AQtive Guard control, which enables continuous monitoring, policy application, and automated lifecycle management.

Important

Activating a certificate in AQG Protect is a two-stage process: enrollment and deployment. After a certificate is enrolled, it appears as Awaiting deployment in AQG Protect; it becomes Active once it has been deployed.

Enroll a certificate

  1. Log into AQtive Guard and select Protect in the main menu.
  2. Select the Certificates tab, then select Enroll new certificate.

You’re now ready to choose your desired certificate management option.

Choose your management option

AQG Protect offers two options for certificate management, allowing you to choose the level of automation and control that best aligns with your operational requirements:

  • Store & Track - With this option, your certificate is securely stored within AQG Protect. An issue is raised in AQtive Guard when the certificate nears expiration, so you can plan its manual rotation in advance.
  • Fully Managed - This option provides all the benefits of Store & Track: your certificate is securely stored in AQG Protect and its signature activity is monitored. In addition, AQG can automatically rotate your certificate according to a defined policy and your chosen Certificate Authority (CA). You can also rotate certificates manually and update credentials directly within AQG.

Note

Currently supported CAs include Let’s Encrypt and Smallstep.

Enroll in Store & Track

To enroll your certificate using the Store & Track option, you’ll need to obtain the following details from your certificate provider:

  • FQN (Fully Qualified Name) - This is the complete, unambiguous name for your certificate. It helps AQG Protect identify and categorize the certificate for management. This name must be unique.
  • Certificate (PEM) - The certificate itself, provided in Privacy-Enhanced Mail (PEM) format. This is the public part of your certificate.
  • Private key (PEM) - The corresponding private key for the certificate, also in PEM format.
  • Web server CNAME - The Canonical Name (CNAME) of the web server where this certificate will be deployed. This helps AQG associate the certificate with its operational environment.

Once you’ve entered these details, select Enroll Certificate.

On the next screen, you can either get your deployment details immediately by selecting Get deployment details, or select Do this later to retrieve them at another time.

When you’re ready to deploy your certificate, refer to Deployment orchestration for details.

Enroll as Fully Managed

To enroll in the Fully Managed option, you’ll need to provide the details necessary for AQG Protect to interact directly with your Certificate Authority (CA) or other infrastructure components as required to automate certificate lifecycle management.

The following information is required:

  • FQN (Fully Qualified Name) - This is the complete, unambiguous name for your certificate within AQG Protect. It helps identify and categorize the certificate for management. This name must be unique.
  • ACME Challenge Type - Select the method for Automatic Certificate Management Environment (ACME) validation from the dropdown menu. This proves you control the domain for which the certificate is being issued:
    • HTTP - (HTTP-01) The ACME CA challenges the client to serve a random token at a URL under /.well-known/acme-challenge/ on port 80 of the domain being validated. The CA verifies control by issuing an HTTP GET request to that URL and checking the response.
    • TLS - (TLS-ALPN-01) The ACME CA validates the challenge over TLS, using application-layer protocol negotiation (ALPN) in the TLS handshake to select the challenge protocol. The client presents a self-signed TLS certificate that carries the challenge response in a dedicated X.509 certificate extension.
  • Certificate Authority - Choose the Certificate Authority (CA) that will issue and manage your certificate. Options include:
    • Step-CA by Smallstep
    • Let’s Encrypt
  • Security policy - Select the security policy that will govern this certificate’s automated management from the dropdown menu. Refer to Policy template settings for details.
  • CNAME - The Canonical Name (CNAME) for the web server where this certificate will be deployed. This helps AQG associate the certificate with its operational environment.
  • TTL (Time to Live) - Select the certificate’s validity duration from the dropdown menu:
    • 4 hours
    • 8 hours
    • 12 hours
    • 16 hours
    • 20 hours
    • 24 hours
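
The two ACME challenge types differ in what the CA fetches and on which port, which is worth confirming is reachable before you choose one. The following Python script is an added example, not part of the AQG documentation or product code: from an ACME account key (JWK) and a challenge token it derives exactly what a web server must expose for HTTP-01 and for TLS-ALPN-01, following RFC 8555, RFC 8737 and RFC 7638. The JWK coordinates, token and domain are constructed placeholders.

```python
# Added example, not code from AQG: derive what a server must expose for the
# HTTP-01 and TLS-ALPN-01 challenges (RFC 8555 / RFC 8737) from an ACME
# account key and a challenge token. Values below are constructed placeholders.
import base64
import hashlib
import json

# Constructed account public key in JWK form; x/y are placeholders, not a
# real curve point, which does not matter for the thumbprint arithmetic.
EXAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "placeholder-x-coordinate-base64url",
    "y": "placeholder-y-coordinate-base64url",
    "use": "sig",  # optional member: must NOT affect the thumbprint
}
EXAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # placeholder token

def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, lexically ordered,
    serialised with no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())

def key_authorization(token: str, jwk: dict) -> str:
    """token '.' thumbprint: binds the challenge response to this ACME account."""
    return f"{token}.{jwk_thumbprint(jwk)}"

def http01_expectation(domain: str, token: str, jwk: dict) -> tuple:
    """HTTP-01: the CA GETs this URL on port 80 and expects this exact body."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    return url, key_authorization(token, jwk)

def tls_alpn01_expectation(domain: str, token: str, jwk: dict) -> dict:
    """TLS-ALPN-01: the CA opens TLS to port 443 offering ALPN 'acme-tls/1'
    and expects a self-signed cert for the domain whose acmeIdentifier
    extension holds SHA-256(key authorization)."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return {"alpn": "acme-tls/1", "san_dns": domain, "acme_identifier": digest}

if __name__ == "__main__":
    url, body = http01_expectation("www.example.com", EXAMPLE_TOKEN, EXAMPLE_JWK)
    print("HTTP-01    :", url, "->", body)
    tls = tls_alpn01_expectation("www.example.com", EXAMPLE_TOKEN, EXAMPLE_JWK)
    print("TLS-ALPN-01:", tls["alpn"], tls["san_dns"], tls["acme_identifier"].hex())
```

If port 80 is not reachable from the internet for the web server named in the CNAME field, the HTTP option cannot succeed; choose the TLS option in that case, and vice versa for port 443.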

Tip

Once all information is entered correctly, the Certificate to enroll section will populate. Review the information to verify you’re enrolling the correct certificate.

When ready, select Enroll Certificate.

On the next screen, you can either get the necessary deployment details immediately by selecting Get deployment details, or select Do this later to retrieve them at another time.

When you’re ready to deploy your certificate, refer to Deployment orchestration for details.