AnyCAGateway REST
The Keyfactor AnyCA Gateway REST solution simplifies managing multiple third-party certificate authorities (CAs) by unifying API and communication requirements into a single, intuitive interface. It enables seamless integration of third-party CAs with Keyfactor Command, offering a scalable and modern alternative to the legacy AnyCAGateway DCOM architecture.
Key Benefits:
- Simplified integration of third-party CAs using a unified interface.
- Scalability: Manage multiple CAs of the same or different types on a single server.
- High availability with configurable lockout settings during CA synchronization.
- Dedicated management portal for configuring the gateway.
- Compatibility with modern authentication methods (OAuth 2.0, client certificates).
For organizations using Keyfactor Command version 11 or above, the AnyCAGateway REST enables streamlined certificate lifecycle management and improved integration workflows. Upgrades from AnyCAGateway DCOM (version 20.7 or later) are also supported.
Architecture
The AnyCAGateway REST introduces a major architectural change by being configured as an HTTPS CA in Keyfactor Command, replacing the DCOM-based configuration used in the earlier AnyCAGateway DCOM. This shift simplifies integration and aligns with modern communication standards. Consequently, third-party CA integrations available on Keyfactor’s GitHub repository have been updated to support the new REST-based architecture.
Depending on the specific implementation, the gateway supports certificate functions such as:
- Role-based certificate management
- Certificate enrollment and revocation
- Certificate chain retrieval—Retrieve full certificate chain for easy installation
- Certificate inventory view—Comprehensive retrieval and querying of existing certificate information
- Certificate authorization management
- Certificate renewal—Renew a certificate approaching expiration
Authentication
The AnyCAGateway REST uses authentication to:
- Enable user access to the gateway portal for configuration.
- Allow users and services to integrate with the gateway for certificate enrollment and revocation.
- Facilitate Keyfactor Command's interaction with the gateway to manage certificate enrollment, revocation, and synchronization with third-party CAs.
The gateway supports using either client certificates or OAuth 2.0 OpenID Connect (OIDC) for authentication. Only one authentication method is supported at a time for a given instance of the AnyCAGateway REST.
Integrations
The documentation in this guide focuses on a generic gateway. Integrations for common third-party gateways are publicly available on the Keyfactor GitHub:
As additional third-party CA connections are developed, each will have its own plug-in, but the installation, configuration, and management process will be very similar across all third-party CAs, as described in this guide; this is a key benefit of the Keyfactor AnyCA Gateway REST. Contact support@keyfactor.com for more information about the tools necessary to build your own gateway.