Upgrading from the Remote CA Gateway v24.1 or Earlier

The Remote CA Gateway solution, which was the previous iteration of the CA Connector Client, did not connect directly to Keyfactor Command. Instead, it contained both the on-premises connector component and a couple of cloud-based components:

If you’re upgrading from a version of the Remote CA Gateway solution that uses this model to the CA Connector Client, you will need to install a separate instance of the connector (rather than doing an in-place upgrade) and then migrate any configuration.

Upgrade as follows:

  1. Install the CA Connector Management components as per Install Keyfactor Command on a Windows Server Under IIS or Install Keyfactor Command in Containers Under Kubernetes. This includes installing an instance of RabbitMQ. If you’re using a managed instance of Keyfactor Command, this will be completed for you.
  2. Configure one or more CA connectors in the Keyfactor Command Management Portal as needed (see Adding or Editing a CA Connector).
  3. Install the CA Connector Client as per the installation instructions in this guide (see Installing) and confirm that the CA Connector Client appears as connected in the Keyfactor Command Management Portal.
  4. On the Remote CA Gateway machine that’s being replaced, turn off the Keyfactor Gateway Connector service.
  5. Contact Keyfactor support to carry out this step in the managed environment:

    Turn off the service for the Keyfactor Remote CA Service (based on the AnyCAGateway DCOM).
  6. In the Remote CA Configuration Portal, disable the certificate authority synchronization for the CA that will be using the new connector.
  7. Contact Keyfactor support to carry out this step in the managed environment:

    Run the usp_DisassociateCA stored procedure available in SQL for your database using the CA ID of the CA that will be using the new connector.
  8. In the Keyfactor Command Management Portal, delete the existing CA record for the CA that will be using the new connector.
  9. In the Keyfactor Command Management Portal, create a new CA record for the CA that will be using the new connector, but do not configure synchronization (see Adding or Modifying a DCOM CA).
  10. In the Keyfactor Command Management Portal, import the templates from the on-premises environment (see Importing Certificate Templates).

    Important: This step must be completed before a synchronization of certificates is done to ensure that synchronized certificates are associated with the correct templates.
  11. In the Keyfactor Command Management Portal, return to the new CA record and configure synchronization, enrollment and any other desired settings.
  12. In the Keyfactor Command Management Portal, configure enrollment permissions appropriately for the new CA and templates as needed.
  13. In the Keyfactor Command Management Portal, configure alerts as needed for the new CA and templates to replace any existing alerts.