Configure a Certificate Root Trust for the Keyfactor CA Connector

The Keyfactor CA Connector requires the use of HTTPS to secure the channel between each CA Connector Client and Keyfactor Command as well as, in many cases, between each CA Connector Client and the OAuth provider for the authentication token. For Keyfactor Command, this requires an SSL certificate configured in IIS on the Keyfactor Command server(s). This certificate can either be a publicly-rooted certificate (e.g. from DigiCert, Entrust, etc.), or one issued from a private certificate authority (CA).

If your Keyfactor Command server is using a publicly-rooted certificate, the CA Connector Client server may already trust the certificate root for this certificate. However, if you have opted to use an internally-generated certificate, your CA Connector Client server may not trust this certificate. In order to use HTTPS for communications between the CA Connector Client and the Keyfactor Command server with a certificate generated from a private CA, you may need to import the certificate chain for the certificate into either the local machine certificate store on the CA Connector Client server on Windows or the root certificate store on Linux.

For EJBCA CAs, the CA Connector Client also needs to trust the CA certificate chain that issued the certificate used to provide a secure communication channel to your EJBCA instance. If this is a different certificate chain than the one providing the SSL certificate for the Keyfactor Command server, this certificate chain will also need to be imported into the root certificate store.
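
A pre-flight check for the trust requirement described in both paragraphs above, as an added example that is not part of the Keyfactor documentation or tooling: it lists which endpoint certificates do not yet chain to a root in a trust bundle, before and after a private root is imported. The roots and server certificates (`public`, `private`, `ejbca`, `command`, `ejbca-tls`) are constructed throwaway values generated with `openssl`, and the PEM file `bundle.pem` is an assumed stand-in for the Linux root certificate store.

```bash
#!/usr/bin/env bash
# Added example (not Keyfactor tooling): list the endpoint certificates that
# do NOT chain to a root in a PEM trust bundle. All names are constructed.

# untrusted_certs <bundle.pem> <cert.pem>... : prints each cert that fails.
untrusted_certs() {
    local bundle=$1 cert
    shift
    for cert in "$@"; do
        openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1 || echo "$cert"
    done
}

# make_root <dir> <name>: constructed self-signed private CA.
make_root() {
    cat > "$1/$2.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed $2 root
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$1/$2.cnf" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# make_leaf <dir> <issuer> <name>: constructed server certificate.
make_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/$2.cnf" \
        -subj "/CN=$3.example.test" -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 2 -out "$1/$3.pem" 2>/dev/null
}

demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
make_root "$demo" public; make_root "$demo" private; make_root "$demo" ejbca
make_leaf "$demo" private command     # stands in for the Command IIS cert
make_leaf "$demo" ejbca ejbca-tls     # EJBCA endpoint on a different chain
cp "$demo/public.pem" "$demo/bundle.pem"        # store trusts only "public"
echo "untrusted before import:"
untrusted_certs "$demo/bundle.pem" "$demo/command.pem" "$demo/ejbca-tls.pem"
cat "$demo/private.pem" >> "$demo/bundle.pem"   # import the Command chain only
echo "untrusted after import:"
untrusted_certs "$demo/bundle.pem" "$demo/command.pem" "$demo/ejbca-tls.pem"
```

After the Command chain is imported, the EJBCA endpoint certificate is still reported, which is the second-chain case the EJBCA paragraph describes.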