Certificate Operations

Before adding a certificate to a certificate store in Keyfactor Command, you must approve an orchestrator Keyfactor orchestrators perform a variety of functions, including managing certificate stores and SSH key stores. to handle the store and create a record for the store in Keyfactor Command. See Orchestrator Management and Certificate Store Operations.

To add a certificate to a certificate store:

1. Highlight the row in the results grid and right-click.
2. Choose Add to a Certificate Store from the right-click menu.

3. When you select the Add to Certificate Store option the Select Certificate Store Locations dialog opens. When you select the certificate stores to which you want to deploy your certificate and click Include, the Add to Certificate Stores dialog appears BEHIND the Select Certificate Store Locations dialog, holding your selection and leaving the Select Certificate Store Locations dialog open for you to continue selecting locations. The final list of selections will only be accessible once you close the Select Certificate Store Locations dialog using the Include and Close button.

   Select Certificate Store Locations Dialog

   The Select Certificate Store Locations dialog allows you to run queries against your certificate store list to select the store(s) to which to deploy. Check the box next to each certificate store location to which you want to distribute the certificate.

   Note:   Certificate stores appear in the grid if:

   • They are compatible with the certificate type.
   • They are in containers to which you have permissions.

   Tip:  You may change the search results by using the search fields at the top of the dialog. All of the Keyfactor Command grid search features are available to assist your search. See Using the Certificate Store Search Feature for more information on the available search fields. The default search criteria is AgentAvailable is equal to True.

   The actions on the Select Certificate Store Locations dialog are:

   • Include

     Click this to add the selected certificate store(s) to your certificate selection and leave the search dialog open for further searches.

   • Include and Close

     Click this to close the search dialog and add the selected certificate store(s) to your certificate selection, which will then be displayed and ready for updates as per the instructions in Add to Certificate Stores.

   • Close

     Click this to cancel the operation and return to the main page with no certificate stores selected.

   

   Figure 44: Select Certificate Store Locations Dialog

   Add to Certificate Stores

   The Add to Certificate Stores page appears once you select at least one certificate store to distribute your certificate to. It includes a grid section with a series of tabs that display a tab for each type of certificate store selected with a list of the selected stores under each tab. The header section of the dialog shows global options that apply to the add job as a whole:

   • Include Certificate Stores

     You may return to the Select Certificate Store Locations dialog by clicking Include Certificate Stores above the grid. The current selections will be retained.

   • Schedule when to run the job for the certificate store

     In the Schedule dropdown, select a time at which the job to add the certificate to the stores should run. The choices are Immediate or Exactly Once at a specified date and time. If you choose Exactly Once, enter the date and time for the job. A job scheduled for Immediate running will run within a few minutes of saving the operation. The default is Immediate.

   • Include Private Key on Certificate Stores when the Private Key is optional

     Check the Include Private Key box if you want to deliver the private key of the certificate to any selected certificate stores that do not require a private key (e.g., Java keystores). This option only appears for certificates that have a private key available for distribution.

   • Apply Fields to All Stores

     Enable Apply Fields to All Stores to show extra fields—such as Overwrite, Alias, and any custom fields—below the store list. Data entered here will apply to all stores on the current tab.

     To enter data for each store individually, disable this option, then select a store and click Edit to open a dialog for store-specific fields.

     This setting is tab-specific, allowing different behavior for different types of certificate stores.

   Click Remove at the top of the grid to remove the selected certificate store from the page. The certificate will not be added to the store.

   For each selected certificate store you can apply the following actions:

   • Overwrite

     Check Overwrite below the grid to overwrite any existing certificate in the same location and with the same name or alias for the selected certificate store type.

   • Alias

     Add an Alias below the grid, if applicable, for the certificate store type. See the Information Required by Certificate Store section, below, for more information.

     The Alias field is a search select dropdown that lists all aliases associated with the selected certificate store.

     • If an alias appears in multiple certificate stores, the number of locations is shown in parentheses next to the alias name. This indicator does not appear if the alias exists in only one selected store.
     • Users can enter a new alias as long as Custom Aliases are not forbidden on the certificate store type Certificate Store Types.
     • If you select an existing alias without checking Overwrite, the Save will fail and the certificate store(s) in which that alias already exists will be listed.
     Note:  The field will display an alert if an alias is required for the location. If Supports Custom Alias is set to Forbidden on the certificate store type, the Alias field will not display unless Overwrite is checked on this page.

   

   Figure 45: Add Certificate—Install into Certificate Locations

   

   Figure 46: Alias Required Alert on Save

   Information Required by Certificate Stores

   Each type of certificate store has different requirements for providing an alias or other additional information. These are based on the configuration of the certificate store type.

   The certificate store type fields that are relevant to certificate store use are:

   • Supports Entry Password

     If your certificate store type has this enabled, you will have the option to enter a password for the certificate entry in the certificate store on the addition of an entry into the certificate store.

     

     Figure 47: Certificate Store Type Configuration: Basic Tab

   • Supports Custom Alias

     Certificate store types support three possible options for this setting:

     • Forbidden: The Alias field will not display when adding a certificate to a certificate store unless Overwrite is checked on the add page. In this case, you’re not associating an alias with the certificate you’re adding to the store but rather specifying the alias of the certificate already in the store that you wish to replace (in function) with the new certificate you’re adding.
     • Optional: This indicates an alias can be associated with the entry if desired.
     • Required: This indicates that a custom alias will be required when a certificate is added to a certificate store.

     The format of custom alias values varies depending on the certificate store type. In many cases, the alias is the thumbprint of the certificate. In some cases, it’s the file name of the certificate file or a custom alias provided at the time the certificate was added to the certificate store.

     Tip:  Keyfactor Command will automatically strip out any spaces between the octets in thumbprints in the alias field, so it does not matter whether you enter the thumbprint with or without spaces.

   • Entry Parameters

     Not all certificate store types will have entry parameters. The ones shown in Figure 48: Certificate Store Type Configuration: Entry Parameters Tab are for the custom Windows Certificate type for the Keyfactor custom-built IIS Certificate Store Manager extension (see Installing Custom-Built Extensions).

     

     Figure 48: Certificate Store Type Configuration: Entry Parameters Tab

4. Click Save to submit the certificate store additions.

The optional certificate owner is a security role defined in Keyfactor Command (see Security Roles and Claims).

Select one or more certificates in the results grid and then click Change Owner at the top of the grid to change or set the certificate owner.

The Change Certificate Owner dialog uses a search select dropdown. To narrow the list of results in a search select dropdown, begin typing in the input field. Matching results will appear as you type. The roles shown are filtered based on the acting user’s security configuration (see Certificates for more details).

The following permissions determine which roles the user can assign as certificate owner:

• Expanded Change Owner Permission: A user with the Certificates > Expanded Change Owner permission can the certificate owner to any role within the permission sets they belong to—even if they do not currently hold the role assigned as the certificate owner. This permission overrides the Certificates > Collections > Change Owner permission (both Global and Collection level) if both are set.

  Note:  To set the certificate owner using the Expanded Change Owner permission, the user must also have Security > Read permission in the permission set that contains the role being assigned as the new certificate owner.

• Collections > Change Owner Permission:

  This permission allows a user to the certificate owner to a role they personally hold—but only under the following conditions:

  • Global Level: The user can set or change the certificate owner for any certificate to a role they hold.
  • Collection Level: Change owner is not supported for collection-level permissions from this interface.

• Change Owner Permission Warning: If the acting user attempts to change a certificate owner but does not meet the necessary permissions, the system displays a warning with the thumbprints of the certificates they cannot modify. This occurs when:

  • The user does not hold the current certificate owner role, or

  • The user lacks Security > Read permission in the permission set that contains the current owner role, or

  • The user lacks Security > Read permission in the permission set that contains their own role(s).

  When this warning appears, none of the selected certificates are modified—even those the user would normally have access to.

Select one or more certificates in the results grid and then click Delete at the top of the grid or Delete in the right-click menu to remove the selected certificate(s) from the Keyfactor Command database. If the selected certificates have associated private keys stored in the database, these private keys are also removed. The certificates will be returned to the Keyfactor Command database on the next full synchronization if synchronization for the certificate source (certificate authority A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA., SSL TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are protocols for establishing authenticated and encrypted links between networked computers. endpoint An endpoint is a URL that enables the API to gain access to resources on a server., etc.) is still configured. Certificate history and private keys do not return when certificates re-synchronize.

Whenever a certificate is deleted that is a part of a certificate renewal chain. The certificates on either end of the deleted cert(s) will have their certificate histories updated to show that either a certificate before or after the certificate was deleted in the renewal chain of that certificate.

Excluded certificates are certificates which have been removed from the main tables of the Keyfactor Command database and excluded from all Keyfactor Command functionality. These certificates will be skipped and not re-imported during a CA A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA. synchronization or manual import.

Select one or more certificates in the certificate search results grid and then click Delete And Exclude in the right-click menu to remove the selected certificate(s) from the Keyfactor Command database and exclude them from being synchronized into Keyfactor Command in future synchronizations. If the selected certificates have associated private keys stored in the database, these private keys are also removed.

This option appears if the user has the Global Certificates > Collections > Delete And Exclude permissions. The Delete And Exclude option also appears for the specific certificate collection grid if the user has either the Global Delete and Exclude permission or the collection-level Delete and Exclude permission. Deleting a certificate from a collection will remove it from Keyfactor Command and all other collections, reports, and other locations it might appear. Deletion of a certificate from a collection for which a user has permission will also delete it from collections for which the user does not have permissions.

Whenever a certificate that is part of a certificate renewal chain is deleted, the certificates on either end of the deleted certificate will have their certificate histories updated. The update will reflect the deletion of the certificate in the renewal chain, showing either the certificate before or after the deleted certificate.

Excluded certificates will move to the Excluded Certificates grid found in the system settings menu (see Excluded Certificates).

This option is available only in saved collections, not in standard certificate searches. Click the Delete All action button at the top of the collection grid. The button appears active only if no certificates are selected on the grid. A large deletion may take several minutes to complete. The certificates will be returned to the Keyfactor Command database on the next full synchronization if synchronization for the certificate source (certificate authority, SSL endpoint, etc.) is still configured.

Click the Delete Private Key in the right-click menu to remove the private key of the selected certificate(s) from the Keyfactor Command database. This option is only available if the private key is stored in the database.

Click Downland in the right-click menu to download the selected certificate to the local computer with or without a private key. Only one certificate may be downloaded at a time.

You will be able to download a certificate including its private key if at least one of the following is true:

• The certificate has been stored in the Keyfactor Command database with its private key (see Private Key Retention).

• The certificate was issued using a template A certificate template defines the policies and rules that a CA uses when a request for a certificate is received. that had key archival enabled, issued from a Microsoft CA that has a valid Key Recovery Agent certificate, and that Key Recovery Agent certificate is configured on the Keyfactor Command server.

  Tip:  CA-level key recovery is supported for Microsoft CAs (either directly or with a CA Connector The Keyfactor CA Connector is installed in the customer environment to provide a connection between a CA and Keyfactor Command when a direct connection is not possible. It is supported on both Windows and Linux and has versions for Microsoft (Windows only) or EJBCA CAs. Client) to allow recovery of private keys for certificates enrolled outside of Keyfactor Command. CA-level key archiving is not supported for enrollments done through Keyfactor Command. CA-level key recovery is not supported for Microsoft CAs when using Keyfactor Command installed in containers under Kubernetes or for EJBCA CAs. For enrollments done through Keyfactor Command for either Microsoft or EJBCA CAs, use Keyfactor Command private key retention (see Private Key Retention).

To download a certificate:

1. Highlight the row in the results grid and right-click.

2. Choose Download from the right-click menu, or the action button on the Certificate Details dialog.

   

   Figure 49: Certificate Operation: Download Certificate

3. In the Download dialog, choose a File Extension for the file name generated for the downloaded certificate. Available options will depend on whether the certificate has a stored private key and may include:

   .cer, .crt, .jks, .p12, .p7b, .pem, .pfx, or .zip

   The option you select here determines the formats that will be available in the File Format dropdown.

4. Choose an encoding File Format for the downloaded certificate. Available options will depend on the selected File Extension and may include:

   • DER (Binary): A DER A DER format certificate file is a DER-encoded binary certificate. It contains a single certificate and does not support storage of private keys. It sometimes has an extension of .der but is often seen with .cer or .crt. (Distinguished Encoding Rules) file is a binary format for encoding certificates or public keys, often used in environments that require strict format validation, such as Java or Windows.
   • JKS: A JKS A Java KeyStore (JKS) is a file containing security certificates with matching private keys. They are often used by Java-based applications for authentication and encryption. (Java KeyStore) file is a binary file format used by Java applications to store cryptographic keys, certificates, and certificate chains.
   • P7B: A P7B A PKCS #7 format certificate file is a base64-encoded certificate. Since it's presented in ASCII, you can open it in any text editor. PKCS #7 certificates always begin and end with entries that look something like ---- BEGIN CERTIFICATE---- and ----END CERTIFICATE----. Unlike PEM files, PKCS #7 files can contain only a certificate and its certifiate chain but NOT its private key. Extensions of .p7b or .p7c are usually seen on certificate files of this format. (PKCS #7 A PKCS #7 format certificate file is a base64-encoded certificate. Since it's presented in ASCII, you can open it in any text editor. PKCS #7 certificates always begin and end with entries that look something like ---- BEGIN CERTIFICATE---- and ----END CERTIFICATE----. Unlike PEM files, PKCS #7 files can contain only a certificate and its certifiate chain but NOT its private key. Extensions of .p7b or .p7c are usually seen on certificate files of this format.) file is a binary format used for storing certificates and certificate chains without private keys, commonly used in Windows for importing and exporting certificate chains.
   • PEM (Base 64): A PEM A PEM format certificate file is a base64-encoded certificate. Since it's presented in ASCII, you can open it in any text editor. PEM certificates always begin and end with entries like ---- BEGIN CERTIFICATE---- and ----END CERTIFICATE----. PEM certificates can contain a single certificate or a full certifiate chain and may contain a private key. In general, extensions of .cer and .crt are certificate files with no private key, .key is a separate private key file, and .pem is both a certificate and private key. (Privacy-Enhanced Mail) file is a Base 64-encoded format used for encoding certificates, private keys, and other cryptographic data, commonly used in Unix-based systems.
   • PFX (PKCS #12 A PFX file (personal information exchange format), also known as a PKCS#12 archive, is a single, password-protected certificate archive that contains both the public and matching private key and, optionally, the certificate chain. It is a common format for Windows servers.): A PFX (Personal Exchange Format) file is a binary format that combines a certificate and its private key, typically used for importing and exporting certificates on Windows systems.
   • ZIP PEM: A ZIP PEM A ZIP archive containing multiple PEM encoded certificates, which may include an end entity certificate, certificate chain, and private key. file is a compressed archive containing one or more PEM-encoded certificates or private keys, often used for bundling multiple certificate files together.

   The remainder of the fields on the dialog will vary depending on the file format selection made.

   Note:  Hybrid certificates A certificate that uses a non-PQC (Post-Quantum Cryptography) primary key paired with an alternative key algorithm such as ML-DSA-44, ML-DSA-65, or ML-DSA-87 for enhanced security and quantum resistance. with private keys support download file formats PEM and ZIP PEM. Other than this limitation, fully post-quantum certificates A certificate with a single, primary post-quantum key. (both with and without private key) and hybrid certificates without private key support all the download file formats.

   Table 13: Options by File Format

   	DER	JKS	P7B	PEM	PFX	ZIP PEM
   Include Private Key
   Custom Password
   Include Chain
   Chain Order
   Include Subject Header
   Custom Friendly Name
   Use Legacy Encryption
   Target CSP

   Table 14: Options by File Format Legend

   Indicator	Description
   	This option is not supported.
   	This option is supported.
   	This option is the default for this format and is not user configurable.

5. In the Private Key Options section of the page, select the Include Private Key option to include the private key of the certificate in the download. The Include Private Key option appears if the PEM File Format is selected.

   The default for the Include Private Key option is controlled by the Include Private Key By Default application setting. For more information about this application setting, see Application Settings: Enrollment Tab.

   Tip:  The private key is included by default for the JKS, PFX, and ZIP PEM formats so the Include Private Key option does not appear for these formats.
   Note:  If you choose a File Format of PEM with Include Private Key, JKS, PFX, or ZIP PEM and you have the Allow Custom Password application setting either disabled or enabled but you do not enable the Custom Password option on the download dialog (see Application Settings: Enrollment Tab), after you click Download (see, below), a PFX/PEM/JKS Password dialog will pop-up with the one-time password and action buttons to Copy Password or Close the pop-up. Clicking Copy Password will copy the password to the clipboard. As a security measure, the dialogue will close after 2 minutes. You will need this password in order to access the JKS, PEM, or PFX file generated by the download. Click Close to close the PFX/PEM/JKS Password dialog once you have copied the password.

   The auto-generated one-time password is affected by two application settings:

   • Only use Alphanumeric Characters

   • Password Length

   

   Figure 50: Certificate Operation: Password for Certificate with Private Key

   Important:  The randomly generated password cannot be regenerated, so it must be copied prior to closing the dialog.

6. If enabled, in the Private Key Options section of the page, enable the Use Custom Password option if desired and enter and confirm a custom password to use in securing the downloaded file.

   The Use Custom Password option appears if a File Format of JKS, PEM, PFX, or ZIP PEM is selected and if the Allow Custom Password application setting is enabled. The value in the Password Length field in application settings is shown for guidance when entering a password. For more information about both of these application settings, see Application Settings: Enrollment Tab.

7. In the Chain Options section of the page, enable the Include Chain option to include the certificate chain (root and intermediate certificates) in the download, if required. The Include Chain option appears if a File Format of JKS, PEM, PFX, or ZIP PEM is selected.

   The default for the Include Chain option is controlled by the Include Chain By Default application setting. For more information about this application setting, see Application Settings: Enrollment Tab.

   Tip:  The certificate chain is included automatically for certificates of format P7B so the Include Chain option does not appear for this format.
   Note:  In order for chain certificates to be included with end entity certificates for download, one of the following must be true:

   • All certificates in the chain must be in the Keyfactor Command database.

   • Each certificate in the chain must include an AIA The authority information access (AIA) is included in a certificate--if configured--and identifies a location from which the chain certificates for that certificate may be retrieved. (Authority Information Access The authority information access (AIA) is included in a certificate--if configured--and identifies a location from which the chain certificates for that certificate may be retrieved.) extension with an HTTP or HTTPS URL pointing to the issuer's certificate. These certificates must be accessible from the Keyfactor Command server. Only HTTP and HTTPS URLs are supported.

   • All certificates in the chain must be present in the Keyfactor Command server's local machine Trusted Root Certification Authorities and Intermediate Certification Authorities stores (Windows installations only).

8. If you enabled Include Chain, in the Chain Options section of the page, select a Chain Order for the certificates in the resulting output file—either End Entity First (at the beginning of the file) or Root First. The Chain Order option appears if a File Format of JKS, P7B, or PEM is selected.

   Tip:  PFX and ZIP PEM formats always include the end entity certificate first so the Chain Order option does not appear for these formats.
   Note:  The Include Chain option is not supported for post-quantum certificates.

9. In the Additional Options section of the page, enable the Include Subject Header option to cause the first line in the downloaded certificate to include the certificate subject. For example:

   #CN=appsrvr12.keyexample.com,OU=IT,O=KeyExample Inc,L=Oakville,ST=Illinois,C=US

   -----BEGIN CERTIFICATE-----

   [Certificate Contents]

   -----END CERTIFICATE-----

   When this option is disabled, the downloaded certificate file contains only the certificate and not the subject reference. The default is enabled. The Include Subject Header option appears if a File Format of PEM is selected.

   If both the Include Chain and the Include Subject Header options are enabled, the subjects will be included for both the end entity certificate and the chain certificates.

10. If enabled, in the Additional Options section of the page, in the Custom Friendly Name field add a friendly name for the downloaded certificate. The friendly name only exists on the downloaded version of the certificate and a different friendly name can be associated with the certificate on each download of it.

    The Custom Friendly Name option appears if a File Format of PFX is selected and if the Allow Custom Friendly Name application setting is enabled. This field is required if the Require Custom Friendly Name application setting is enabled. For more information about both of these application settings, see Application Settings: Enrollment Tab.

11. If enabled, in the Additional Options section of the page, enable the Use Legacy Encryption option to encrypt the downloaded file using the historical algorithm (3DES/SHA1/RC2). If this option is disabled, the newer algorithm set provided by Windows (AES256/SHA256/AES256) is used instead.

    The Use Legacy Encryption option appears if a File Format of PFX, PEM (Base64), or ZIP PEM is selected and if the Enable Legacy Encryption application setting is enabled. The behavior of this setting is affected by the Use Legacy Encryption By Default application setting. For more information about both of these application settings, see Application Settings: Enrollment Tab.

12. If enabled, in the Additional Options section of the page, in the Target CSP dropdown select a target CSP for the downloaded certificate if appropriate in your environment. This is not used in most environments.

    The Target CSP option appears if a File Format of PFX is selected and if the Allow Cryptographic Service Providers (CSPs) application setting is enabled. The CSPs that appear here are defined in the Cryptographic Service Providers (CSPs) application setting. For more information about both of these application settings, see Application Settings: Enrollment Tab.

13. Click Download to begin the download.

Tip:  The filename generated for the file for download is based on the CN A common name (CN) is the component of a distinguished name (DN) that represents the primary name of the object. The value varies depending on the type of object. For a user object, this would be the user's name (e.g. CN=John Smith). For SSL certificates, the CN is typically the fully qualified domain name (FQDN) of the host where the SSL certificate will reside (e.g. servername.keyexample.com or www.keyexample.com). of the certificate and will either include or not include the periods from the CN based on the configuration of the Allow Periods in Certificate Filenames application setting (see Application Settings: Enrollment Tab).

Select one certificate in the results grid and then click Edit at the top of the grid, or Edit in the right-click menu, or double-click the row, to pop up the certificate details dialog box in which you can view details of the certificate data and edit owner and metadata fields for the certificate. Users without Edit Metadata permissions to certificates will see a Display option instead of an Edit option.

The certificate details dialog also includes buttons for the Download (see Download), Revoke (see Revoke), Renew (see Renew/Reissue), and Change Owner (see Change Owner) operations (as applicable) for users with appropriate permissions. You cannot change any of the certificate attributes from the Certificate Authority (shown on the Content tab) or any of the certificate status, validation, locations, or history data tracked by Keyfactor Command (shown on the Status, Validation, Locations and History tabs) other than the certificate owner modified with Change Owner.

For more information regarding the data displayed on the certificate details dialog, see Certificate Details.

If you select multiple certificates to edit at once, only the metadata fields dialog will appear. See Edit All.

Click Edit All at the top of the grid to open the metadata fields for all of the certificates in the query for editing. The button appears active only if no certificates are selected on the grid. All defined metadata fields—including those marked hidden—appear on the Edit All dialog. Each field includes an alert button that identifies whether the certificates in the query have all of same () or different () values for each metadata field. Click the alert button for an explanation of the impact the Overwrite settings for this field will have on the certificates.

See Metadata Tab for more detailed information about the certificate details metadata.

Click Allow Modifying to enable the field for editing. Editing a field and selecting Overwrite will change the value for all certificates. Editing this field and not selecting Overwrite will only change the value for certificates that do not already have a value defined for this field.

Email metadata fields will allow for multiple email addresses to be added via a pop-up text box where email addresses are entered separated by comma or semicolon. During entry the addresses will appear as a single row in the metadata grid. However, after saving each email address will be displayed on a separate row.

Click Get CSV from the top of the grid to download the certificates in the results grid to a comma-delimited CSV file. The button appears active only if no certificates are selected on the grid.

The CSV file will contain the following information for each exported certificate:

• Issued DN A distinguished name (DN) is the name that uniquely identifies an object in a directory. In the context of Keyfactor Command, this directory is generally Active Directory. A DN is made up of attribute=value pairs, separated by commas. Any of the attributes defined in the directory schema can be used to make up a DN.
• Import Date
• Effective Date
• Expiration Date
• Issued CN
• Certificate Authority Name
• Template Display Name
• Principal
• Requester
• Key Type The key type identifies the type of key to create when creating a symmetric or asymmetric key. It references the signing algorithm and often key size (e.g. AES-256, RSA-2048, Ed25519).
• Key Size The key size or key length is the number of bits in a key used by a cryptographic algorithm.
• Certificate State
• Thumbprint
• Serial Number

A confirmation dialog will pop up providing an approximate file size of the file that will be generated. A CSV file generated from a very large result set may take a long time to download or may be unwieldy to edit.

Click Identity Permissions in the right-click menu to view the certificate level permissions (read, edit metadata, download with private key, revoke, and delete) granted to all user roles defined in Keyfactor Command (see Security Roles and Claims) for the selected certificate.

Click Remove from Certificate Store in the right-click menu to remove the selected certificate from a certificate store or stores. Two dialog boxes will pop up as per Add to Certificate Store allowing you to select the certificate store(s) from which you wish to remove the certificate. In the first dialog, select the certificate store from which you want to remove the certificate and click the Include and Close button and then click Save in the second dialog. Only certificate stores that contain the certificate and to which the user has permissions will be shown.

Figure 56: Certificate Operation: Remove from Certificate Store

Click Renew in the right-click menu to renew or re-issue the selected certificate.

Certificate renewal is available if:

• For PFX, the certificate is located together with its private key in one or more managed certificate store(s), or the certificate was enrolled with an enrollment pattern that has been configured in Keyfactor Command to allow private keys to be encrypted and stored in the Keyfactor Command database (see Certificate Template Operations).
• Certificate renewal is only supported when attempting to renew the most recently issued certificate in a renewal chain. In other words, if a certificate has been renewed three times resulting in certificates 1, 2 and 3 (1 being the initially issued certificate and 3 being the most recently issued certificate), you can renew certificate 3 but not certificate 2 or 1. If a renewal request is denied because the certificate is not the latest, an error message will display with the thumbprint of the latest certificate in the renewal chain. The history tab (as well as the audit log) also shows the renewal chain.
• A renewal is not pending for the certificate. If a pending renewal is denied, the certificate will be available to renew again.
• The user has proper permissions (enrollment (PFX and/or CSR), collection, certificate owner role).
• The certificate is not a CA certificate.

The renew/reissue dialog includes the options:

• One-click renewal (the Continue option): Supports renewal with no further user interaction.

  To use One-Click Renewal for certificates, the Allow One-Click Renewals option must be enabled in both the certificate templates and CAs to which you want One-Click Renewal to apply (see Certificate Template Operations, HTTPS CAs - Advanced Tab or DCOM CAs - Advanced Tab ).

  When a certificate requires approval, a message will show after a successful one-click renewal: The certificate renewal has been completed successfully and is pending approval, otherwise, a success message will display.

  Note:  The Continue option is only supported if the user performing the renewal has permissions to enroll using the enrollment pattern, template, and CA associated with the original certificate.

• Configure with PFX option: Redirects to the PFX Enrollment page with the information for the certificate pre-populated in the enrollment fields.

  From the seeded PFX Enrollment page, you can change the CA or enrollment pattern for enrollment, change the subject information or metadata for the certificate, set or remove SANs, or change the certificate store(s) to which the renewed certificate will be distributed. To change the certificate store(s) for distribution, on the PFX Enrollment page, scroll down to the Certificate Delivery Format section and click the Include Certificate Stores button. This will open the Select Certificate Store Locations dialog. For more information, see Add to Certificate Store and PFX Enrollment.

• Configure with CSR option: Redirects the user to the CSR enrollment page with the following information pre-populated for the renewal (see CSR Enrollment):

  • The certificate metadata

  • The certificate enrollment pattern (if available)

  • The CA

  • The certificate SANs

  • The certificate role owner

    Note:  When renewing, if the Enable warning for CSR renewal with a Subject/SAN mismatch application setting is enabled, the CSR enrollment page will generate a warning on submission if the SANs/Subject are different from the SANs/Subject of the certificate that is being renewed.

    

    Figure 58: Certificate Operation: Renew Warning

Certificates issued by Microsoft CAs will be renewed (meaning the certificate will be issued with a new private key) regardless of how recently they were issued. Certificates issued by other certificate authorities will be renewed (with a new private key and a new expiration date) if they are within the renewal window specified by the certificate template, and re-issued (with a new private key and retaining the same expiration date) if they are not yet within the renewal window.

Select one or more certificates in the results grid and then click Revoke to revoke the selected certificate(s). When you select revoke, a dialog box pops up prompting for the effective revocation date, the reason for the revocation (for which there are dropdown choices), and comments (required). Click Save to execute, or Cancel. After executing a revoke, a confirmation dialog displays a messages and the options to proceed (OK) or Cancel.

Upon completion of the revocation, the CRL A Certificate Revocation List (CRL) is a list of digital certificates that have been revoked by the issuing Certificate Authority (CA) before their scheduled expiration date and should no longer be trusted. for the CA in question is immediately republished to reflect the revocation. Unless you choose the revocation reason of Certificate Hold, there is no way to undo a revoke so care should be taken with this operation.

If you would like to suspend one or more certificates without permanently revoking them, select one or more certificates in the results grid and then click Revoke at the top of the grid or Revoke on the right-click menu. Select Certificate Hold as the revocation reason. You will be required to add a comment in the Comments field to Save the record change.

When you Revoke a certificate using the revocation reason of Certificate Hold, the certificate is in the revoked state, with the revocation reason of Certificate Hold. You will only be able to see the certificate on a certificate search with Include Revoked checked. To return the certificate to the Active state, Revoke it again with the reason Remove from Hold. You will be required to add a comment in the Comments field to Save the record change.