Getting started with AQG Protect

This guide will show you how to enroll and deploy certificates in AQG Protect. Enrolling certificates brings them under centralized control in AQtive Guard, enabling continuous monitoring, policy application, and automated lifecycle management.

Important

Activating a certificate in AQG Protect is a two-stage process: enrollment and deployment. After a certificate is enrolled, it appears as Awaiting deployment in AQG Protect. It becomes Active once it is successfully deployed.

Enroll a certificate

  1. Log into AQtive Guard and select Protect in the main menu.
  2. Select the Certificates tab, then select Enroll new certificate.

You’re now ready to choose your desired certificate management option.

Choose your management option

AQG Protect offers two options for certificate management, allowing you to choose the level of automation and control that best aligns with your operational requirements:

  • Store & Track - With this option, your certificate is securely stored within AQG Protect. An issue is raised in AQtive Guard when your certificate nears expiration, so you can proactively plan a manual rotation.
  • Fully Managed - This option provides all the benefits of Store & Track: your certificate is securely stored within AQG Protect and its signature activity is monitored. In addition, AQG can automatically rotate your certificate according to a defined policy and your chosen Certificate Authority (CA). You also retain the flexibility to rotate certificates manually and update credentials directly within AQG.

Note

Currently supported CAs include Let’s Encrypt and Smallstep.

Enroll in Store & Track

To enroll your certificate using the Store & Track option, you’ll need to obtain the following details from your certificate provider:

  • FQN (Fully Qualified Name) - This is the complete, unambiguous name for your certificate. It helps AQG Protect identify and categorize the certificate for management. This name must be unique.
  • Certificate (PEM) - The certificate itself, provided in Privacy-Enhanced Mail (PEM) format. This is the public part of your certificate.
  • Private key (PEM) - The corresponding private key for the certificate, also in PEM format.
  • Web server CNAME - The Canonical Name (CNAME) of the web server where this certificate will be deployed. This helps AQG associate the certificate with its operational environment.

Once you’ve entered these details, select Enroll Certificate.

On the next screen, you can either deploy your certificate immediately by selecting Get deployment details, or select Do this later to defer deployment.

Enroll as Fully Managed

To enroll in the Fully Managed option, you’ll need to provide the details necessary for AQG Protect to interact directly with your Certificate Authority (CA) or other infrastructure components as required to automate certificate lifecycle management.

The following information is required:

  • FQN (Fully Qualified Name) - This is the complete, unambiguous name for your certificate within AQG Protect. It helps identify and categorize the certificate for management. This name must be unique.
  • ACME Challenge Type - Select the method for Automatic Certificate Management Environment (ACME) validation from the dropdown menu. This proves you control the domain for which the certificate is being issued:
    • HTTP - (HTTP-01) The ACME CA challenges the client to serve a random token at a URL under /.well-known/acme-challenge/ on port 80. The CA verifies client control by fetching that URL with an HTTP GET request.
    • TLS - (TLS-ALPN-01) The ACME CA uses TLS to validate a challenge, leveraging application layer protocol negotiation (ALPN) in the TLS handshake. The client presents a self-signed TLS certificate containing the challenge response as a special X.509 certificate extension.
  • Certificate Authority - Choose the Certificate Authority (CA) that will issue and manage your certificate. Options include:
    • Step-CA by Smallstep
    • Let’s Encrypt
  • Security policy - Select the security policy that will govern this certificate’s automated management from the dropdown menu.
  • CNAME - The Canonical Name (CNAME) for the web server where this certificate will be deployed. This helps AQG associate the certificate with its operational environment.
  • TTL (Time to Live) - Select the certificate’s validity duration from the dropdown menu:
    • 4 hours
    • 8 hours
    • 12 hours
    • 16 hours
    • 20 hours
    • 24 hours
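The two ACME challenge types listed under ACME Challenge Type above both hinge on the same value, the key authorization that binds the CA's challenge token to the ACME account key (RFC 8555 section 8.1). The following added example, which is not part of the AQG Protect guide or product, computes what an ACME client must present for each: the URL path and body for HTTP-01, and the SHA-256 digest carried in the acmeIdentifier extension of the self-signed certificate for TLS-ALPN-01 (RFC 8737). The JWK values and the token are constructed placeholders, not real key material.

```python
"""ACME challenge responses (RFC 8555 / RFC 8737), stdlib only.

Added example; not code from the AQG Protect guide. The account key members
and token used in the test are constructed placeholders, not a real key."""
import base64
import hashlib
import json

# RFC 8555 section 8.3: path prefix at which HTTP-01 responses are served on port 80.
HTTP01_PATH_PREFIX = "/.well-known/acme-challenge/"
# RFC 8737: ALPN protocol name negotiated for TLS-ALPN-01 and the extension OID.
TLS_ALPN01_PROTOCOL = "acme-tls/1"
ACME_IDENTIFIER_OID = "1.3.6.1.5.5.7.1.31"
# RFC 7638 section 3.2: the required members per key type that form the thumbprint input.
THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required members,
    lexicographically sorted, serialized without whitespace. Optional members
    such as "alg" or "kid" must not influence the result."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' base64url(JWK thumbprint)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(token: str, jwk: dict):
    """HTTP-01: (URL path the CA will GET on port 80, body it expects there)."""
    return HTTP01_PATH_PREFIX + token, key_authorization(token, jwk)


def tls_alpn01_extension_value(token: str, jwk: dict) -> bytes:
    """TLS-ALPN-01: the 32 octets placed in the acmeIdentifier extension of the
    self-signed certificate presented when the CA negotiates acme-tls/1."""
    return hashlib.sha256(key_authorization(token, jwk).encode("utf-8")).digest()
```

The CA fetches the HTTP-01 body (or inspects the TLS-ALPN-01 extension) and recomputes the same value from the token and the account's public key, so the response cannot be produced without control of both the host and the account key.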

Tip

Once all information is entered correctly, the Certificate to enroll section will populate. Review the information to verify you’re enrolling the correct certificate.

When ready, select Enroll Certificate.

On the next screen, you can either deploy your certificate immediately by selecting Get deployment details, or select Do this later to defer deployment.

Important

Until it is deployed, your certificate is not active and will have a status of Awaiting deployment in the Certificates tab of AQG Protect.

Deploy your certificate

An enrolled certificate isn’t active until deployed. You can deploy a certificate as a final step in the enrollment process, or at a later time.

Deployment during enrollment

After you select Enroll Certificate, you’ll see a confirmation message that your certificate has been enrolled. To deploy the certificate, select Get deployment details. This takes you directly to the newly enrolled certificate in Protect. The certificate details panel opens, displaying all the deployment information you’ll need to copy and paste into your environment.

Deferred deployment

When you select Do this later at the time of enrollment, your certificate will be enrolled but inactive. It will appear as Awaiting deployment in AQG Protect.

When you’re ready to deploy your certificate:

  1. From the main menu select Protect.
  2. In the Certificates tab, locate the certificate you want to deploy.
  3. Select Details at the end of the row to display the deployment information you’ll need to copy and paste into your environment.

Deployed certificates

A deployed certificate has an Active status in the Certificates tab in AQG Protect. The Protect setting indicates whether the certificate is enrolled in Store & Track or Fully Managed.

Once the certificate has been deployed using either option, you’ll see two related fields in the certificate details:

  • Data sources - This will be either AQG Protect - Store & Track or AQG Protect - Fully Managed.
  • AQG Protect status - The operational status of the certificate, with a link to view the certificate in the Protect area.