Preparing

To become familiar with the latest updates to the Keyfactor AnyCA Gateway DCOM product, see Release Notes.

This section describes the steps to take before installing the AnyCAGateway DCOM: installing the prerequisites, creating the required supporting components, and gathering the information needed to complete the gateway installation and configuration process.

  1. Review the system requirements (see System Requirements).
  2. Identify a user with local administrator permissions on the AnyCAGateway DCOM server who will perform the installation (see Identify the Installation User).
  3. Have the access details for the CA handy, including any username/password and/or API key(s) as required by your CA.
  4. Have a certificate identified, or request a new one, to use to verify the AnyCAGateway DCOM to the cloud provider CA, if required (see Install a Client Authentication Certificate). Have the thumbprint for the certificate handy.
  5. Install the chain certificates for the CA (see Acquire and Install a Chain Certificate).
  6. Determine which templates the AnyCAGateway DCOM will use for enrollment and identify both the name in Active Directory and the name on the CA (see Create or Identify Templates).
  7. Set firewall settings (see Configure Windows Firewall Settings).
  8. If you're planning to use clustering, prepare the clustering environment and review the clustering requirements (see Configure the Keyfactor AnyCA Gateway DCOM with Clustering (Optional)) before proceeding.
  9. Choose a logical name you will use to identify the CA from within the AnyCAGateway DCOM. Since the AnyCAGateway DCOM supports multi-tenancy, you may have more than one CA. Each must have a unique logical name. For more information about multi-tenancy, see Appendix - Multi-Tenancy Environments.
  10. Identify all users and groups that will need permissions in the AnyCAGateway DCOM and what level of permissions they should have; at least one user needs to be granted full administrative access. If you're using Keyfactor Command, this will include the Keyfactor Command application pool user account and the Keyfactor Command (a.k.a. timer) service user account. Keep the list handy for use in setting enrollment and certificate activity security during the AnyCAGateway DCOM configuration. For more information about configuring security, see the Security section in Edit the JSON Configuration File.
  11. Determine if the gateway service will run as the default NETWORK SERVICE or an Active Directory service account. If you opt to use the default of NETWORK SERVICE, appropriate permissions will be granted automatically. If you prefer to run as an Active Directory service account, refer to Appendix - Run the Gateway using an Active Directory Service Account for instructions.
  12. Acquire the applicable CAProxy application and connector DLL file from Keyfactor or create one internally.
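
The following PowerShell pre-flight check is an added example, not part of the Keyfactor documentation. It covers steps 2 and 4: it confirms the session is running as a local administrator and lists candidate client authentication certificates with their thumbprints. It assumes the certificate is in the LocalMachine\My store and carries the Client Authentication EKU; adjust both to match your environment.

```powershell
# Added pre-flight sketch. The store path and the EKU filter are assumptions,
# not requirements stated by Keyfactor.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$storePath     = 'Cert:\LocalMachine\My'

# Step 2: confirm the current session is elevated as a local administrator.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host "User $($identity.Name) is elevated local administrator: $isAdmin"

# Step 4: list certificates usable for client authentication, with thumbprints.
$now = Get-Date
Get-ChildItem -Path $storePath | ForEach-Object {
    $cert = $_

    # Certificates with no EKU extension are skipped here, although Windows
    # treats them as valid for any purpose.
    $ekuOids = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    if ($ekuOids -notcontains $clientAuthOid) { return }

    # Build the certificate's own chain from the local stores only
    # (no revocation lookups, so the check works without network access).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk  = $chain.Build($cert)
    $problems = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    $chain.Reset()

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint      # value needed during configuration
        HasPrivateKey = $cert.HasPrivateKey   # must be True to authenticate
        NotAfter      = $cert.NotAfter
        CurrentlyValid = ($cert.NotBefore -le $now -and $cert.NotAfter -ge $now)
        ChainBuilds   = $chainOk
        ChainProblems = $problems
    }
} | Format-List
```

A candidate with `HasPrivateKey` False, `CurrentlyValid` False, or `ChainBuilds` False should be replaced or repaired before its thumbprint is used in the gateway configuration.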