Incremental Release 11.1 Notes
December 2023

The workaround involved creating the files CertSrv.exe.config and MMC.exe.config in C:\Windows\System32 on any certificate authority (CA) on which you encountered this issue.
With the release of version 11.0 of Keyfactor Command, this workaround needs to be reversed. If the workaround is not reversed, you will encounter errors such as the following on enrollment attempts:
To reverse the workaround, on the affected certificate authority:
- Rename C:\Windows\System32\CertSrv.exe.config to an alternate name or remove it from the System32 directory.
- Rename C:\Windows\System32\MMC.exe.config to an alternate name or remove it from the System32 directory.
- Restart the CA services.
- Confirm that certificate enrollment is working as desired and that the policy handler(s) in place are working as desired.
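The reversal steps above as one script, added here as an example and not a script shipped by Keyfactor. It assumes it is run elevated on the CA and that the AD CS service name is CertSvc; the files are renamed with a timestamped .bak suffix rather than deleted so the change can be rolled back.

```powershell
# Added example: reverse the CertSrv.exe.config / MMC.exe.config workaround on a CA.
# Assumptions: run as administrator on the CA; the CA service is named CertSvc.
$system32 = Join-Path $env:SystemRoot 'System32'
$configs  = @('CertSrv.exe.config', 'MMC.exe.config')
$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'

foreach ($name in $configs) {
    $path = Join-Path $system32 $name
    if (Test-Path -LiteralPath $path) {
        # Rename instead of delete so the workaround can be restored if needed.
        $backup = "$name.$stamp.bak"
        Rename-Item -LiteralPath $path -NewName $backup
        Write-Host "Renamed $path -> $backup"
    } else {
        Write-Host "$path not present; nothing to do"
    }
}

# Restart the CA service so it no longer loads the removed configuration files.
Restart-Service -Name CertSvc -Force
Get-Service -Name CertSvc | Select-Object Name, Status

# Verify that no workaround file remains in System32 before testing enrollment.
$remaining = $configs | Where-Object { Test-Path -LiteralPath (Join-Path $system32 $_) }
if ($remaining) {
    Write-Warning "Still present: $($remaining -join ', ')"
} else {
    Write-Host 'Workaround reversed; now test enrollment and the policy handler(s).'
}
```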
New Features
- Keyfactor Command now supports any open authorization (OAuth) 2.0 compliant identity provider with a complete implementation of the OpenID Connect (OIDC) protocol. Keyfactor Command has been tested with the following identity providers:
  - Active Directory: Microsoft's Active Directory has historically been the only identity provider supported by Keyfactor Command. With Active Directory, you can authenticate users defined in the Active Directory forest to which the Keyfactor Command server is joined, and users from forests in a trust with this forest, using integrated Windows authentication. Users may alternatively be authenticated to Keyfactor Command using Basic authentication when you opt for Active Directory as your identity provider. Active Directory supports user, group and computer accounts.
  - Keyfactor Identity Provider: Keyfactor Identity Provider is a lightweight application that is easily installed in the same environment as Keyfactor Command to provide standalone authentication separate from Active Directory. It may be used directly to supply authentication, or it may be used to federate authentication to another OAuth 2.0 compliant identity provider (e.g. Okta, Ping Identity). Keyfactor Identity Provider runs in a Linux-based Docker container. Keyfactor Identity Provider supports users and groups.
  - Auth0: Auth0 is a cloud-based OAuth 2.0 compliant identity and access management (IAM) solution owned by Okta.
A given Keyfactor Command server may be configured with only one identity provider. If desired, you may configure an environment with multiple Keyfactor Command servers and configure a different identity provider for each Keyfactor Command server.
Updates and Fixes
- Update: Do not display the mini table of contents and navigation buttons in the product documentation when the browser is narrower than 880 pixels.
- Update: PFX certificate download includes the option to manually set the password.
- Update: New optional fields for scope and audience are added to the OAuth REST workflow step. When requesting a token during the OAuth REST workflow step, the scope and audience values configured in the step are used if provided.
- Update: New scope and audience configuration parameters can be defined in the OAuth Universal Orchestrator appsettings.json configuration file.
- Update: The colors and fonts on the Management Portal have been changed to match the new Keyfactor branding, including changes to hovers, highlights and buttons.
- Update: The identity provider hint application setting that was previously deprecated has been removed.
- Fix: Cannot query an individual certificate in a collection with no global permissions.
- Fix: The TOC button in the product documentation did not work in smaller browser sizes.
- Fix: Separate users for application pools resulted in a dashboard and reporting error.
- Fix: Cannot change the orchestrator associated with a certificate store.
- Fix: The workflow enters/leaves collection timer job caused high SQL load.
- Fix: A known issue where CA synchronization using an orchestrator with an invalid CSR caused the synchronization to stop has been fixed. Instead of throwing an exception, such errors now log a warning message and the record is skipped.
- Fix: Certificate store reenrollment error when selecting a template from a separate tenant. Now, the template dropdown is filtered to display only the templates associated with the selected certificate authority and based on the CSR Enrollment enabled flag on the templates.
- Fix: Enrollment/PFX, 400 is not returned when a Custom Friendly Name is provided with a PFX enrollment, but the application setting is not enabled.
Deprecation
- The Classic API was deprecated in Keyfactor Command version 11.0. All existing uses of the Classic API should be migrated to the Keyfactor API prior to upgrading to Keyfactor Command version 11+. If these applications cannot be updated to the newer endpoints, then the Allow Deprecate API Calls setting must be set to False (see Application Settings: API Tab). Otherwise, Keyfactor recommends that these endpoints be disabled to reduce exposure to unauthorized or unintended use.
- The Keyfactor Java Agent will be deprecated in a future version of Keyfactor Command. Customers are encouraged to begin planning a migration to the Keyfactor Universal Orchestrator with the Remote File custom extension publicly available at:
Known Issues
- Keyfactor API requests that feature a query in the URL of type QueryString, such as the following example, will only function with the parameter QueryString. In versions of the Keyfactor API prior to 11.0, either QueryString or Query was supported. This will be corrected in a future release.
  https://keyfactor.keyexample.com/KeyfactorAPI/Certificates?IncludeRevoked=true&QueryString=CN%20-startswith%20%22test%22&collectionId=0&includeLocations=false&includeMetadata=false&includeHasPrivateKey=false&verbose=0
- .NET decryption error with separate pool accounts or a non-domain-joined installation when using application-level encryption. The solution is to use a KSP key or to manually set private key permissions for all application pool users on the encryption certificate (see Cryptographic Provider).
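For the QueryString known issue above, an added helper (not part of the Keyfactor API or its documentation) that audits an integration's request URL for the legacy Query parameter, which 11.x no longer honours, and rewrites it to QueryString. The sample URL is constructed from the release-notes example; the function name is an assumption.

```powershell
# Added example: detect and rewrite the legacy "Query" parameter to "QueryString".
Add-Type -AssemblyName System.Web

function Convert-KeyfactorQueryParameter {
    param([Parameter(Mandatory)][string]$Url)

    $uri   = [System.Uri]$Url
    $query = [System.Web.HttpUtility]::ParseQueryString($uri.Query)

    # Match the parameter name case-insensitively, as ASP.NET does.
    $legacy = $query.AllKeys | Where-Object { $_ -ieq 'Query' }
    if (-not $legacy) {
        return [pscustomobject]@{ Url = $Url; Changed = $false }
    }
    if ($query.AllKeys | Where-Object { $_ -ieq 'QueryString' }) {
        throw "URL specifies both Query and QueryString; resolve this manually: $Url"
    }

    # Move the filter expression under the supported parameter name.
    $value = $query[$legacy]
    $query.Remove($legacy)
    $query.Add('QueryString', $value)

    # ToString() re-encodes the values (spaces become '+'), so the filter stays URL-safe.
    $builder = [System.UriBuilder]$uri
    $builder.Query = $query.ToString()
    return [pscustomobject]@{ Url = $builder.Uri.AbsoluteUri; Changed = $true }
}

# Constructed sample: a pre-11.0 style request using "Query" instead of "QueryString".
$sample = 'https://keyfactor.keyexample.com/KeyfactorAPI/Certificates?IncludeRevoked=true&Query=CN%20-startswith%20%22test%22&collectionId=0'
Convert-KeyfactorQueryParameter -Url $sample | Format-List
```

Run it over the URLs your integrations build (for example by grepping request logs or client code) to find the ones that still rely on Query before upgrading.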
API Endpoint Change Log
Please review the information in the API Change Log for this release carefully if you have implemented any integration using these endpoints: