Import Operations

Import operations are designed to import certificates into Horizon without any metadata. This is mainly useful when installing Horizon, e.g. to import all certificates from an existing PKI database.

Local Import

In order to import certificates, put them as PEM files in a folder and launch Horizon Client pointing at that folder. Horizon Client will recurse through the folder, find all PEM files, and import the certificates into Horizon. It is advised to store the certificates in sub-folders, so that you do not hit any files-per-folder limit of the file system.

horizon-cli localimport --campaign=test --path=/path/to/certs --source=MyADCS

By default, this command does not import CA certificates. To import CA certificates, use the --enable-ca-import flag.

horizon-cli localimport --campaign=test --path=/path/to/certs --source=MyADCS --enable-ca-import

If you wish to import certificates along with their private keys (e.g. when importing from a PKI escrow), put them as PKCS#12 files in a folder and launch Horizon Client pointing at that folder. Horizon Client will recurse through the folder, find all PKCS#12 files, and import the certificates into Horizon. It is advised to store the certificates in sub-folders, so that you do not hit any files-per-folder limit of the file system. All the PKCS#12 files must be encrypted with the same password, which is passed to Horizon Client on the command line.

horizon-cli localimport --campaign=test --path=/path/to/certs --source=MyADCS --pfx-password=<pkcs12_password>

You can also import certificates from a CSV file. Certificates must be in a column named "certificate". As of now, three formats are supported:

  1. DERBase64: certificate in DER (binary), Base64-encoded (default);

  2. DERHex: certificate in DER (binary), encoded as a hex string;

  3. PEM: certificate in PEM (with or without the certificate header and footer).

horizon-cli localimport --campaign=test --csv /path/to/csv/file.csv --csv-separator ";"

In order to add technical metadata to the imported certificates, the --csv-metadata flag can be used to import metadata from a column with the same name. For example, to configure a pki_connector on each certificate from a file containing a pki_connector column:

horizon-cli localimport --campaign=test --csv /path/to/csv/file.csv --csv-separator ";" --csv-metadata pki_connector

Supported metadata are:

  • pki_connector

  • certeurope_id

  • digicert_id

  • digicert_order_id

  • entrust_id

  • fcms_id

  • gsatlas_id

  • metapki_id
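As an added example (not part of Horizon Client or this documentation), a Python pre-flight check for such a CSV before running localimport: it finds the "certificate" column, decodes each cell in whichever of the three supported encodings it uses, checks that the result is a well-formed DER SEQUENCE, and confirms that every column named with --csv-metadata is present. The CSV content and the tiny DER blob are constructed for the example and are not a real certificate.

```python
import base64, binascii, csv, io, re
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def looks_like_der_sequence(der: bytes) -> bool:
    """Cheap structural check: an X.509 certificate is an outer DER SEQUENCE
    (tag 0x30) whose encoded length matches the bytes that follow."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                       # short-form length
        return 2 + der[1] == len(der)
    n = der[1] & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return False
    return 2 + n + int.from_bytes(der[2:2 + n], "big") == len(der)

def decode_certificate_cell(cell: str) -> bytes:
    """DER bytes for one "certificate" cell: DERBase64 (default), DERHex, or PEM."""
    m = PEM_RE.search(cell)
    body = re.sub(r"\s+", "", m.group(1) if m else cell)   # PEM bodies are line-wrapped
    candidates = []
    if re.fullmatch(r"[0-9A-Fa-f]+", body) and len(body) % 2 == 0:
        candidates.append(bytes.fromhex(body))                    # DERHex
    try:
        candidates.append(base64.b64decode(body, validate=True))  # DERBase64 / PEM body
    except binascii.Error:
        pass
    for der in candidates:          # a hex-looking Base64 string falls through to Base64
        if looks_like_der_sequence(der):
            return der
    raise ValueError("cell is not a DER certificate in Base64, hex or PEM form")

def validate_import_csv(text: str, separator: str = ";", metadata: tuple = ()) -> list:
    """Pre-flight check of a CSV for `horizon-cli localimport --csv ... --csv-metadata ...`:
    one dict per row (DER bytes plus metadata), or ValueError on the first bad row."""
    reader = csv.DictReader(io.StringIO(text), delimiter=separator)
    fields = reader.fieldnames or []
    if "certificate" not in fields:
        raise ValueError('CSV has no "certificate" column')
    if any(m not in fields for m in metadata):
        raise ValueError(f"CSV header lacks a column for --csv-metadata {list(metadata)}")
    return [{"der": decode_certificate_cell(row["certificate"]),
             **{m: row[m] for m in metadata}} for row in reader]

# Constructed sample: the same tiny DER SEQUENCE (not a real certificate) in all
# three encodings, a pki_connector metadata column, and ";" as the separator.
SAMPLE_CSV = (
    "certificate;pki_connector\nMAMCAQE=;MyADCS\n"
    "3003020101;MyADCS\n"
    '"-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----";MyADCS\n'
)
```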

Network Import

DigiCert CertCentral

You can import all your valid certificates from DigiCert CertCentral. Please note that only certificates in "issued" state can be imported. Certificates that are revoked will not be imported.

horizon-cli netimport digicert --campaign=test --digicert-api-key=<api-key>

AWS ACM

You can import all your valid certificates from AWS ACM. Please note that only certificates in "issued" state can be imported. Certificates that are revoked will not be imported.

horizon-cli netimport aws-acm --campaign=test --aws-region=<aws-region> --access-key-id=<aws-access-key-id> --secret-access-key=<aws-secret-access-key>

AWS Role Assumption is supported. You need to provide the ARN of the role you wish to assume using the --assume-role-arn option.

Azure Key Vault

You can import all your valid certificates from Azure Key Vault. Please note that only certificates in "issued" state can be imported. Certificates that are in pending state will not be imported.

horizon-cli netimport akv --campaign=test --vault-name=<vault short name> --azure-tenant=<tenant name> --client-id=<client app Id> --client-secret=<client app secret>

F5 BIG-IP

You can import all your valid certificates from F5 BIG-IP.

horizon-cli netimport bigip --campaign=test --hostname=<F5 BigIp hostname> --login=<F5 BigIp login> --password=<F5 BigIp password>

It is also possible to import the certificates as managed certificates in Horizon. This will allow renewal and removal of the certificate upon revocation using Horizon’s triggers mechanism.

In order to activate this behavior, the --connector option must reference a valid F5 Connector in Horizon.

horizon-cli netimport bigip --campaign=test --connector=<Horizon F5 Connector name> --hostname=<F5 BigIp hostname> --login=<F5 BigIp login> --password=<F5 BigIp password>

In order for the trigger mechanism to work correctly, a Horizon WebRA profile must use the F5 Connector trigger, and a scheduled task should reference both the connector and the WebRA profile.