Configuring the AnyCAGateway REST with Keyfactor Command

1. In the Keyfactor Command Management Portal, browse to Locations > Certificate Authorities.
2. On the Certificate Authorities page, select the Certificate Authorities tab, and click Add.
3. At the top of the dialog, choose HTTPS in the Select CA Communication Protocol dropdown.
4. Complete the Certificate Authorities dialog following the guidance below and click Save and Test to save the CA. For more information about certificate authorities, see Adding or Modifying an HTTPS CA.

Certificate Authority Basic Tab

• Logical Name—The logical name The logical name of a CA is the common name given to the CA at the time it is created. For Microsoft CAs, this name can be seen at the top of the Certificate Authority MMC snap-in. It is part of the FQDN\Logical Name string that is used to refer to CAs when using command-line tools and in some Keyfactor Command configuration settings (e.g. ca2.keyexample.com\Corp Issuing CA Two)., exactly as entered in AnyCAGateway REST portal (see The Basic Tab). The logical name is unique for each CA.

• Host URL—The fully qualified domain name of the server on which the gateway is installed and the port number defined with the -ServerPort parameter A parameter or argument is a value that is passed into a function in an application. (see -Server Port. For example, CAGateway24.keyexample.com:8443. The Host URL is unique for each CA.

  Note:  When adding an IIS Hosted CA to Keyfactor Command this setting is different. See Adding an IIS Hosted CA to Keyfactor Command for more information.
  Tip:  If you are upgrading an existing CA, and installing the AnyCAGateway REST on the same server, the hostname The unique identifier that serves as name of a computer. It is sometimes presented as a fully qualified domain name (e.g. servername.keyexample.com) and sometimes just as a short name (e.g. servername)./logical name combination must be different from the existing CA in Keyfactor Command. To make it different from the existing CA, you may add https:// to the front of the FQDN or the :{port number} to the end.

• Configuration Tenant—Any name you want to use to identify the configuration tenant A grouping of CAs. The Microsoft concept of forests is not used in EJBCA so to accommodate the new EJBCA functionality, and to avoid confusion, the term forest needed to be renamed. The new name is configuration tenant. For EJBCA, there would be one configuration tenant per EJBCA server install. For Microsoft, there would be one per forest. Note that configuration tenants cannot be mixed, so Microsoft and EJBCA cannot exist on the same configuration tenant. for this CA.

• Create new End Entity when renewing or reissuing certificates must be enabled. This is required.

• Configure the Scan sync sections as desired. This is the sync between Keyfactor Command and AnyCAGateway REST.

Certificate Authority Advanced Tab

• Configure the Enrollment section, ensuring as least one form of enrollment Certificate enrollment refers to the process by which a user requests a digital certificate. The user must submit the request to a certificate authority (CA). is enabled to allow Keyfactor Command to use the gateway for enrollment.

• The Restrict Allowed Requesters toggle will be enabled and uneditable. Add at least one role to the Allowed Requester Security Roles grid to enable access to the CA, by selecting Add, choosing a role from the drop down, and clicking Save.

Certificate Authority Authentication Methods Tab

• Select the authentication method you configured for the AnyCAGateway REST in the Auth Method dropdown. The authentication method you select here must match the authentication method that the gateway has been configured with—you cannot configure the gateway with OAuth and then use a client authentication certificate to access it from Keyfactor Command, for example.

• If you selected OAuth, enter the following information:

  • Client Id

    The client you created in your OAuth identity provider to authenticate to the gateway and then added as a claim in the AnyCAGateway REST portal. See Claims.

  • Token URL

    Set this to the URL of the token endpoint An endpoint is a URL that enables the API to gain access to resources on a server. for your OAuth identity provider.

  • Client Secret

    The secret of the client you created in your OAuth identity provider to authenticate to the gateway. The secret may be stored as a Keyfactor secret or using PAM. For more information, see Adding or Modifying an HTTPS CA.

  • Scope

    One or more scopes that should be included in token requests delivered to your OAuth identity provider.

    Important:  If you configure the Disable Bearer Token Scope Requirement option to false, you must either configure the client you’re using to connect from Keyfactor Command to the gateway to always include the scope keyfactor-anyca-gateway in the token or you must configure the keyfactor-anyca-gateway scope on the authentication methods tab when configuring the CA record in Keyfactor Command. Your OAuth identity provider needs to be configured to recognize keyfactor-anyca-gateway as a scope.

  • Audience

    Specify an audience value to be included in token requests delivered to your OAuth identity provider.

• If you selected Client Certificate, click Select Authentication Certificate. Upload—in PKCS#12 A PFX file (personal information exchange format), also known as a PKCS#12 archive, is a single, password-protected certificate archive that contains both the public and matching private key and, optionally, the certificate chain. It is a common format for Windows servers. format—either the superadmin certificate or the certificate you created in the AnyCAGateway REST portal as a user account for the Keyfactor Command user (see Claims) and enter the password.

  Tip:  Using a dedicated user certificate is preferable to using the superadmin certificate, as Keyfactor Command only needs user access to the AnyCAGateway REST.

Once the AnyCAGateway REST CA has been added to Keyfactor Command, you must import the templates.

1. In the Keyfactor Command Management Portal, browse to Locations > Templates.
2. On the Templates page, click Import, and select the configuration tenant from the drop down, defined when you added the CA.

3. Once the templates have been imported, configure each one to work with Keyfactor Command as required. Besides any implementation-specific settings you may want to adjust, include:

   • Settings on the Details tab: Select at least one of the Allowed Enrollment Types to support enrollment.

   • Because the AnyCAGateway REST is added into Keyfactor Command as an HTTPS CA, you must enable Restrict Allowed Requesters and add at least one user to the Authorization Methods tab.