Certificate Authorities

To add or edit a certificate authority A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA.:

1. Navigate to the AnyCAGateway REST portal (see Working with the AnyCAGateway REST Portal).
2. Select the Certificate Authorities tab.
3. Select Add from the top menu bar, or highlight an existing CA and select Edit from the menu bar or the right click menu.
4. Populate the certificate authority per the instructions for each tab below.
5. Save.

The Basic Tab

• Enter the Logical Name for the CA. This can be any name you choose. This will be used as the logical name The logical name of a CA is the common name given to the CA at the time it is created. For Microsoft CAs, this name can be seen at the top of the Certificate Authority MMC snap-in. It is part of the FQDN\Logical Name string that is used to refer to CAs when using command-line tools and in some Keyfactor Command configuration settings (e.g. ca2.keyexample.com\Corp Issuing CA Two). of the CA in Keyfactor Command (see Configuring the AnyCAGateway REST with Keyfactor Command).

• Choose the Sync Settings intervals for full and incremental synchronizations between the gateway and the third-party CA. The synchronization between Keyfactor Command and the gateway is configured in Keyfactor Command.

  Important:  If you plan to use the gateway with Keyfactor Command, do not configure the synchronization to the third-party CA until you have completed configuration of the certificate profiles (see Certificate Profiles) and updated the Templates tab in the CA record with the profile to product ID mapping (see The Templates Tab). This profile to product ID information must be in place before the synchronization to the third-party CA occurs in order for the correct profiles to be mapped to the products when the certificates are stored in the gateway database. Keyfactor Command pulls from this data when synchronizing certificates into the Keyfactor Command database. If the mapping is not in place before both synchronizations take place, correct template A certificate template defines the policies and rules that a CA uses when a request for a certificate is received. information for existing certificates will be missing from Keyfactor Command.
• The Ignore Failure Count defines how many synchronization failures can occur in a single synchronization before the synchronization stops trying. The default is 5.

• The AnyGateway The Keyfactor AnyGateway is a generic third party CA gateway framework that allows existing CA gateways and custom CA connections to share the same overall product framework. REST supports the option to age out certificates with the Certificate Pruning setting. The default on this setting is Disabled. To enable certificate pruning, select either FromIssuance or FromExpiration from the dropdown. If Certificate Pruning is enabled, Age Out Days is required and this must be an integer greater than or equal to 0. Age Out Scan can be left as off, or a schedule can be set up—schedule options are Interval, Daily, Weekly or Monthly. If certificate pruning is set to Disabled, no pruning occurs.

  Note:  If certificate pruning is set to FromIssuance or FromExpiration and the Age Out Scan is set to Off, certificates that meet the age-out criteria will be skipped during a synchronization. If there is a schedule configured for the scan, a job will be created to prune the certificates from the database based on the FromIssuance/FromExpiration and Age-Out Days settings. If the value is FromIssuance, the skip/pruning job will skip/remove certificate records whose issuance dates are older than the current date/time minus a number of days equal to Age Out Days. If the certificate record does not include an issuance date (e.g. a pending request), then it is ignored. If certificate pruning is set to FromExpiration, the same logic is applied to certificates according to their expiration date.

  

  Figure 758: AnyCA Gateway Add CA: Basic Tab

The Templates Tab

The Gateway Registration Tab

On the Gateway Registration tab you configure the root or issuing CA certificate for the third-party CA that you identified during preparation (see Third-Party CA Certificate(s)). Ideally, the issuing CA certificate should be used. If you have more than one issuing CA certificate associated with certificates issued by your third-party CA, you will need to create separate CA records for each.

• In the Certificate Type dropdown, select either Certificate Store or File Path to specify the certificate location, and fill in the details as required by the type selected.

  • The File Path option requires the file path. This path is relative to the gateway server, so must be reachable by the gateway server.

  • The Certificate Store option requires Store Name (e.g. CA for the intermediate certificate store), Store Location (e.g. LocalMachine), and Thumbprint.

    

    

    Figure 761: AnyCA Gateway Add CA: Gateway Registration Tab - File Path vs Certificate Store

The CA Connection Tab

• The CA Connection tab requires different information for each third-party or custom gateway that integrates with the AnyCA Gateway. The properties required and values accepted are defined by the integration and configured here from the integration artifact. Complete as per the instructions provided by the third-party integration.

  Note:   For each additional CA added to the AnyCA Gateway implementation, you must have unique CA connection information from your third-party CA.
  Important:  Any security sensitive information will be masked in the portal.

  

  Figure 762: AnyCA Gateway Add CA: CA Connection Tab GoDaddy Example

• Click Save.

1. Navigate to the AnyCAGateway REST portal.
2. Select the Certificate Authorities Tab.
3. Highlight an existing CA and select Delete from the menu bar or the right click menu.
4. Click OK.