Create or Identify Templates
The Keyfactor AnyCA Gateway DCOM uses certificate templates stored in Active Directory, configured to match the certificate types of your CA, to support enrollment for certificates from your CA. When you enroll for a certificate via the AnyCAGateway DCOM, you make the request using an Active Directory template, and the corresponding certificate type is requested from your CA. Because this template-to-certificate-type mapping is done during the AnyCAGateway DCOM configuration process, you need to create new templates, or identify existing ones, for this mapping before you begin.
If you have a Microsoft enterprise CA, you can easily create these templates using the Microsoft CA certificate templates MMC snap-in. If you don’t have a Microsoft enterprise CA, you can install the Microsoft Remote Server Administration Tools (RSAT) for Windows and use the Certificate Templates tool within this to manage templates. When you open the Certificate Templates tool for the first time (you’ll need to open it manually in an MMC—it does not appear on the menu), you’ll be offered the option to add the default templates into Active Directory. Doing so will create the necessary starter templates to work from. You can also create the necessary starter templates from the command line using this command:
Figure 576: Install Default Certificate Templates in Environments without a Windows CA
The template attributes that matter for the purposes of AnyCAGateway DCOM enrollment are:
- Validity Period: What is the validity period specified on the template's General tab? Typically, this will be 1 or 2 years.
- Key Size: What is the key size specified on the template's Cryptography tab? Keyfactor recommends using key sizes no smaller than 2048 for best security practice.
- Key Type: Identify the key type supported for this template, usually RSA or ECC, from the Cryptography tab.
- CA Manager Approval: Does the template require manager approval? If the template has the “CA certificate manager approval” flag set on the Issuance Requirements tab, the request will return to Keyfactor Command from the AnyCAGateway DCOM in a pending state and require approval before a certificate is issued.
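The four attributes above can be read directly from the template objects in the Active Directory Configuration partition, which is useful when you are deciding which existing templates to map. The following PowerShell script is an added example written for this page, not Keyfactor's own tooling; it assumes a domain-joined Windows host with read access to the Configuration partition, and the attribute names and flag value it uses come from the pKICertificateTemplate schema (MS-CRTD).

```powershell
# Added example: report validity, key size, key type and CA manager approval
# for every certificate template published in Active Directory.
# Assumes a domain-joined host; no RSAT module is required (plain ADSI/LDAP).

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = $rootDse.configurationNamingContext
$base     = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

$searcher = New-Object System.DirectoryServices.DirectorySearcher($base)
$searcher.Filter   = "(objectClass=pKICertificateTemplate)"
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.AddRange(@(
    'cn', 'pKIExpirationPeriod', 'msPKI-Minimal-Key-Size',
    'msPKI-Enrollment-Flag', 'msPKI-RA-Application-Policies'))

# msPKI-Enrollment-Flag bit set by "CA certificate manager approval" (Issuance Requirements tab)
$CT_FLAG_PEND_ALL_REQUESTS = 0x2

function Get-Prop($Props, [string]$Name) {
    # Returns the first value of a result property, or $null when the attribute is absent
    if ($Props.Contains($Name) -and $Props[$Name].Count -gt 0) { return $Props[$Name][0] }
    return $null
}

function Convert-PkiPeriodToDays([byte[]]$Bytes) {
    # pKIExpirationPeriod is stored as a negative FILETIME interval in 100 ns units
    if (-not $Bytes) { return $null }
    [math]::Round((-[BitConverter]::ToInt64($Bytes, 0)) / 864000000000, 1)
}

function Get-TemplateKeyType([string]$RaPolicies) {
    # v3+ templates record the algorithm as "msPKI-Asymmetric-Algorithm`PZPWSTR`<alg>`...";
    # older v1/v2 templates lack this entry and use legacy CSPs, so RSA is assumed there.
    if ($RaPolicies -match 'msPKI-Asymmetric-Algorithm`PZPWSTR`([^`]+)') { return $Matches[1] }
    return 'RSA (legacy CSP, assumed)'
}

$report = foreach ($r in $searcher.FindAll()) {
    $p = $r.Properties   # DirectorySearcher returns attribute names in lowercase
    [pscustomobject]@{
        Template        = [string](Get-Prop $p 'cn')
        ValidityDays    = Convert-PkiPeriodToDays (Get-Prop $p 'pkiexpirationperiod')
        MinKeySize      = [int](Get-Prop $p 'mspki-minimal-key-size')
        KeyType         = Get-TemplateKeyType ([string](Get-Prop $p 'mspki-ra-application-policies'))
        ManagerApproval = ([int](Get-Prop $p 'mspki-enrollment-flag') -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
    }
}

$report | Sort-Object Template | Format-Table -AutoSize
# Templates below the recommended 2048-bit minimum should be reviewed before they are mapped
$report | Where-Object { $_.MinKeySize -lt 2048 } | Format-Table Template, MinKeySize -AutoSize
```

Templates that report ManagerApproval as True will surface in Keyfactor Command as pending requests, as described above, so account for that approval step when choosing which template to map to each certificate type.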