Cloud Gateway
A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA. The CA gateways by Keyfactor allow organizations to request certificates from cloud-based certificate authorities using standard certificate request tools, in the same way one would request certificates against a local CA. This guide covers installation and configuration of the Keyfactor Cloud Gateway.
The Keyfactor Cloud Gateway supports management of digital certificates in a Microsoft CA hosted in a cloud-based environment managed by Keyfactor. The gateway runs and behaves like an Enterprise CA in your local environment, without the overhead of managing a full Enterprise CA deployment, so the gateway can carry out the end-to-end certificate lifecycle within the enterprise.
The following certificate management functions are supported by the gateway, when used in conjunction with your managed instance of Keyfactor Command:
- Role-based certificate management—Access via familiar Microsoft-like enterprise CA access control lists
- Certificate enrollment—Enroll for new certificates via Keyfactor Command or standard OS tools
- Certificate enrollment on behalf of a user—Enroll for new certificates using an enrollment agent certificate and enroll-on-behalf-of functionality via standard OS tools
- Certificate chain retrieval—Retrieve full certificate chain for easy installation
- Certificate inventory view—Comprehensive retrieval and querying of existing certificate information
- Certificate authorization management—Certificate approval/deny workflow
- Certificate renewal and reissue—Renew a certificate approaching expiration or reissue a certificate not yet eligible for renewal
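The enrollment and chain-retrieval functions above, driven from a domain-joined Windows host with the standard OS tools (certreq and certutil) against the gateway CA. This is an added example and not a script from the Keyfactor documentation; the CA configuration string, template name and subject are assumptions to be replaced with your own values.

```powershell
# Added example, not Keyfactor's own script. Enrolls a machine certificate against
# the gateway CA with the standard Windows tools, then retrieves and checks the chain.
# Assumed values: the CA configuration string (host\CA name), the template name and
# the subject. Run in an elevated PowerShell on a domain-joined host whose computer
# account is allowed to enroll on that template.
$CaConfig = 'gw01.corp.example.com\Keyfactor Cloud Gateway CA'   # assumed
$Template = 'WebServer'                                           # assumed
$Subject  = 'CN=app01.corp.example.com'                           # assumed
$Work     = Join-Path $env:TEMP 'gw-enroll'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# 1. certreq INF. A single-quoted here-string keeps "$Windows NT$" literal; the
#    subject and template are substituted afterwards.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "%SUBJECT%"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = sha256
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft Software Key Storage Provider"
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = %TEMPLATE%
'@
$infPath = Join-Path $Work 'request.inf'
Set-Content -Path $infPath -Encoding ASCII -Value $inf.Replace('%SUBJECT%', $Subject).Replace('%TEMPLATE%', $Template)

# 2. Generate the key pair and CSR, submit to the gateway CA, install the result.
$reqPath = Join-Path $Work 'request.req'
$cerPath = Join-Path $Work 'issued.cer'
& certreq.exe -new $infPath $reqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

& certreq.exe -submit -config $CaConfig $reqPath $cerPath
if (-not (Test-Path $cerPath)) {
    # No certificate file means the request was not issued immediately, typically
    # because the approval workflow is holding it for a decision.
    Write-Warning 'Request was not issued immediately; check Keyfactor Command for a pending request.'
    return
}
& certreq.exe -accept $cerPath
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

# 3. Retrieve the CA chain from the gateway and confirm the issued certificate
#    builds to a trusted root on this host before deploying it.
$chainPath = Join-Path $Work 'ca-chain.p7b'
& certutil.exe -config $CaConfig -ca.chain $chainPath

$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cerPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
if ($chain.Build($cert)) {
    "Issued $($cert.Subject) (thumbprint $($cert.Thumbprint)); chain:"
    $chain.ChainElements | ForEach-Object { '  ' + $_.Certificate.Subject }
} else {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    Write-Warning "Issued certificate does not chain to a trusted root on this host: $status"
}
```

If the chain check fails with an untrusted-root status, the gateway CA's chain (saved to ca-chain.p7b above) has not yet been distributed to the host's Trusted Root and Intermediate stores; publish it (for example through Group Policy) and re-run the check rather than loosening the chain policy.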
The gateway implementation includes synchronization of user accounts and groups from your local Active Directory forest to the managed forest, to ease management of access control for the supported certificate management functions. A highly available solution can be supported using Microsoft failover clustering together with the clustering configuration in the gateway.
The Keyfactor Cloud Gateway functions by connecting to the Keyfactor Gateway Receiver in the managed forest. It uses TLS version 1.2 for all API communications.
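A connectivity check for the gateway-to-receiver link described above, run from the gateway host (the side that opens the connection). It confirms that the receiver completes a TLS 1.2 handshake and reports whether TLS 1.0/1.1 are still accepted. This is an added example, not a Keyfactor tool; the receiver hostname and port are assumptions.

```powershell
# Added example, not Keyfactor's own tool. Run from the gateway host to confirm the
# Keyfactor Gateway Receiver negotiates TLS 1.2 and to see whether it still offers
# TLS 1.0/1.1. Hostname and port are assumptions. Default .NET certificate
# validation is kept on purpose: a receiver certificate that does not chain to a
# trusted root on this host is reported as a failure, not silently accepted.
param(
    [string]$ReceiverHost = 'receiver.managed.example.com',   # assumed
    [int]$Port = 443                                           # assumed
)

function Test-TlsHandshake {
    param(
        [string]$TargetHost,
        [int]$TargetPort,
        [System.Security.Authentication.SslProtocols]$Protocol
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($TargetHost, $TargetPort)
        # leaveInnerStreamOpen = $false: disposing the SslStream closes the socket stream too
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false
        try {
            # Offer exactly one protocol version; checkCertificateRevocation = $true
            $ssl.AuthenticateAsClient($TargetHost, $null, $Protocol, $true)
            [pscustomobject]@{
                Requested  = $Protocol.ToString()
                Result     = 'Negotiated'
                Negotiated = $ssl.SslProtocol.ToString()
                Cipher     = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
                Peer       = $ssl.RemoteCertificate.Subject
            }
        } catch {
            # Version refused by the peer, or certificate validation failed
            [pscustomobject]@{
                Requested  = $Protocol.ToString()
                Result     = "Rejected: $($_.Exception.GetBaseException().Message)"
                Negotiated = $null; Cipher = $null; Peer = $null
            }
        } finally { $ssl.Dispose() }
    } finally { $tcp.Dispose() }
}

$results = foreach ($p in 'Tls', 'Tls11', 'Tls12') {
    Test-TlsHandshake -TargetHost $ReceiverHost -TargetPort $Port -Protocol $p
}
$results | Format-Table -AutoSize -Wrap

$tls12  = $results | Where-Object { $_.Requested -eq 'Tls12' -and $_.Result -eq 'Negotiated' }
$legacy = $results | Where-Object { $_.Requested -ne 'Tls12' -and $_.Result -eq 'Negotiated' }
if (-not $tls12) {
    Write-Warning 'Receiver did not complete a TLS 1.2 handshake; the gateway will not be able to reach it.'
} elseif ($legacy) {
    Write-Warning "Receiver also accepts $($legacy.Requested -join ', '); consider disabling legacy protocol versions."
} else {
    'Receiver negotiates TLS 1.2 and refuses TLS 1.0/1.1: OK'
}
```

A "Rejected" result for Tls12 that mentions the remote certificate rather than the protocol means the receiver's certificate chain is not trusted on the gateway host; fix the trust store instead of disabling validation.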