Import Operations

Import operations are designed to import certificates into Horizon without any metadata. This is mainly useful when installing Horizon, e.g. to import all certificates from an existing PKI database.

Local Import

To import certificates, put them as PEM files in a folder and launch Horizon Client pointing at that folder. Horizon Client will recurse through the folder, find all PEM files, and import the certificates into Horizon. It is advised to store the certificates in sub-folders, so that you do not hit any file-per-folder file system limit.

horizon-cli localimport --campaign=test --path=/path/to/certs --source=MyADCS
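One way to prepare the sub-folder layout advised above before running localimport, as an added example that is not part of Horizon or its documentation: the hypothetical helper shard_certs copies PEM certificates into at most 256 sub-folders keyed on each file's SHA-256 digest. It assumes sha256sum is available and that the destination lies outside the source folder; skipping files that carry no CERTIFICATE block is a choice made for this example.

```shell
#!/bin/sh
# shard_certs SRC DST   (hypothetical helper, not a Horizon command)
# Copies every PEM certificate found under SRC into DST/<xx>/<sha256>.pem,
# where <xx> is the first two hex digits of the file's SHA-256 digest.
#  - at most 256 sub-folders, so no single folder grows without bound
#  - byte-identical files collapse to one copy (same digest, same name)
#  - files without a CERTIFICATE block (for example a bare private key)
#    are reported on stderr and kept out of the import tree
# Assumption: DST is not located inside SRC.
shard_certs() {
    src=$1
    dst=$2
    mkdir -p "$dst" || return 1
    # -exec ... {} + passes file names as arguments, so names containing
    # spaces or newlines are handled safely.
    find "$src" -type f -name '*.pem' -exec sh -c '
        dst=$1; shift
        for f in "$@"; do
            if ! grep -q -e "-----BEGIN CERTIFICATE-----" "$f"; then
                echo "skipped (no certificate block): $f" >&2
                continue
            fi
            sum=$(sha256sum < "$f" | cut -c1-64)
            bucket=$(printf "%s" "$sum" | cut -c1-2)
            mkdir -p "$dst/$bucket"
            cp "$f" "$dst/$bucket/$sum.pem"
        done
    ' sh "$dst" {} +
    # Print the number of files now ready for import.
    find "$dst" -type f -name '*.pem' | wc -l | tr -d ' '
}

# Stand-alone use: sh shard_certs.sh /path/to/export /path/to/certs
# then: horizon-cli localimport --campaign=test --path=/path/to/certs --source=MyADCS
if [ "$#" -eq 2 ]; then
    shard_certs "$1" "$2"
fi
```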

If you wish to import certificates along with their private keys (e.g. when importing from a PKI escrow), put them as PKCS#12 files in a folder and launch Horizon Client pointing at that folder. Horizon Client will recurse through the folder, find all PEM files, and import the certificates into Horizon. It is advised to store the certificates in sub-folders, so that you do not hit any file-per-folder file system limit. All the PKCS#12 files must be encrypted with the same password, which is passed to Horizon Client on the command line.

horizon-cli localimport --campaign=test --path=/path/to/certs --source=MyADCS --pfx-password=<PKCS#12 password>

Network Import

DigiCert CertCentral

You can import all your valid certificates from DigiCert CertCentral. Please note that only certificates in "issued" state can be imported. Certificates that are revoked will not be imported.

horizon-cli netimport digicert --campaign=test --digicert-api-key=<api-key>

AWS ACM

You can import all your valid certificates from AWS ACM. Please note that only certificates in "issued" state can be imported. Certificates that are revoked will not be imported.

horizon-cli netimport aws-acm --campaign=test --aws-region=<aws-region> --access-key-id=<aws-access-key-id> --secret-access-key=<aws-secret-access-key>

AWS Role Assumption is supported. You need to provide the ARN of the role you wish to assume using the --assume-role-arn option.

Azure Key Vault

You can import all your valid certificates from Azure Key Vault. Please note that only certificates in "issued" state can be imported. Certificates that are in pending state will not be imported.

horizon-cli netimport akv --campaign=test --vault-name=<vault short name> --azure-tenant=<tenant name> --client-id=<client app Id> --client-secret=<client app secret>

F5 BIG-IP

You can import all your valid certificates from F5 BIG-IP.

horizon-cli netimport bigip --campaign=test --hostname=<F5 BigIp hostname> --login=<F5 BigIp login> --password=<F5 BigIp password>

It is also possible to import the certificates as managed certificates in Horizon. This will allow renewal and removal of the certificate upon revocation using Horizon’s triggers mechanism.

In order to activate this behavior, the connector property must reference a valid F5 Connector in Horizon.

horizon-cli netimport bigip --campaign=test --connector=<Horizon F5 Connector name> --hostname=<F5 BigIp hostname> --login=<F5 BigIp login> --password=<F5 BigIp password>

For the trigger mechanism to work correctly, a Horizon WebRA profile must use the F5 Connector trigger, and a scheduled task should reference the connector and the WebRA profile.