Acquire and Install a Chain Certificate

You will need the root and, if applicable, intermediate CA certificates from your CA available to install in the Local Computer certificate store on the AnyCAGateway DCOM machine before you run the AnyCAGateway DCOM configuration. Many certificate vendors make these publicly available for download on their web sites.

Acquire the Chain Certificate(s)

If your CA uses client certificate authentication, you will need to install the full chain of certificates for the client certificate that you will be using. These may or may not be the same chain certificates you will choose to use when configuring the authorization section of the configuration file.

To determine a good choice of certificate chain to download, you can look at a certificate that has been issued by your CA to see the chain associated with it. To do this:

  1. Locate the certificate you want to review in a format without an associated private key (e.g. a .cer/crt file) or installed in the Personal certificates store on a Microsoft server.
  2. Double-click to open it.
  3. On the Certificate Path tab, look at the certificate chain certificates. Highlight each certificate in the chain and click View Certificate to open the chain certificate for viewing.

    Figure 725: View Chain Certificates

  4. If the chain certificate is one you want to use, you can download it directly from the certificate chain view on the Details tab. Click Copy to File...

    Figure 726: Download Chain Certificate from Certificate View Dialog

Install the Chain Certificate(s)

The chain certificates need to be installed in the Intermediate Certification Authorities store (intermediate certificates) and Trusted Root Certification Authorities store (root certificates) of the Local Computer on the AnyCAGateway DCOM machine.

You can install the certificates either through the Certificates MMC or from the command line. To install the CA certificates in the Certificates MMC:

  1. On the AnyCAGateway DCOM server, do one of the following:

    • Using the GUI:
      1. Open an empty instance of the Microsoft Management Console (MMC).
      2. Choose File->Add/Remove Snap-in….
      3. In the Available snap-ins column, highlight Certificates and click Add.
      4. In the Certificates snap-in popup, choose the radio button for Computer account, click Next, accept the default of Local computer, and click Finish.
      5. Click OK to close the Add or Remove Snap-ins dialog.
    • Using the command line:
      1. Open a command prompt using the "Run as administrator" option.
      2. Within the command prompt type the following to open the certificates MMC:

        certlm.msc

  2. Drill down to the Trusted Root Certification Authorities or Intermediate Certification Authorities folder under Certificates for the Local Computer (as appropriate for the type of CA certificate you are installing), right-click, and choose All Tasks->Import….
  3. Follow the wizard, browsing to locate your CA certificate for import and selecting the defaults.

    Figure 727: Where to Put Root and Intermediate Certificates

To install the certificates from the command line, execute the following commands, where [Root CA filename.crt] is the name of your root CA certificate in the current directory and [Issuing CA filename.crt] is the name of your intermediate CA certificate in the current directory:

certutil -addstore Root ".\[Root CA filename.crt]"
certutil -addstore CA ".\[Issuing CA filename.crt]"

Retrieve the Certificate Thumbprint

You will need the thumbprint of either the root or intermediate CA certificate when you configure the gateway connection section of the gateway configuration file.

To find the thumbprint:

  1. Locate the CA chain certificate that you will reference from the gateway configuration. If you have an intermediate CA certificate, use this one.
  2. Double-click to open it.
  3. On the Details tab, scroll down to locate the Thumbprint for the certificate. Copy this to a file to save it, being sure to avoid copying any leading or trailing spaces or unprintable characters.

Figure 728: Open the Chain Certificate and Retrieve the Thumbprint
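
The following PowerShell is an added example, not part of the Keyfactor documentation: it confirms that a downloaded chain certificate is present in the expected Local Computer store and cleans a thumbprint copied from the certificate dialog. The function names and the sample thumbprint are hypothetical, and treating a certificate whose subject equals its issuer as a root is an assumption of this sketch.

```powershell
# Added example; run in an elevated PowerShell session on the AnyCAGateway DCOM machine.

function ConvertTo-CleanThumbprint {
    param([Parameter(Mandatory)][string]$Text)
    # Drop everything that is not a hex digit: spaces, colons, and invisible
    # characters (for example U+200E) that can be copied along from the GUI.
    $clean = ($Text -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected 40 hex characters (SHA-1 thumbprint), got $($clean.Length)."
    }
    $clean
}

function Test-ChainCertInstalled {
    param([Parameter(Mandatory)][string]$Path)
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($full)
    # Assumption: subject == issuer means a root certificate (Root store);
    # anything else is treated as an intermediate (CA store).
    $store = if ($cert.Subject -eq $cert.Issuer) { 'Root' } else { 'CA' }
    $found = Test-Path -LiteralPath "Cert:\LocalMachine\$store\$($cert.Thumbprint)"
    [pscustomobject]@{
        Subject       = $cert.Subject
        ExpectedStore = "LocalMachine\$store"
        Installed     = $found
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
    }
}

# Constructed sample: a thumbprint pasted from the Details tab with a leading
# invisible U+200E character, spaces between bytes, and a trailing space.
$pasted = "$([char]0x200E)0a 1b 2c 3d 4e 5f 60 71 82 93 a4 b5 c6 d7 e8 f9 0a 1b 2c 3d "
ConvertTo-CleanThumbprint -Text $pasted   # 40 uppercase hex characters, no separators

# Usage with the placeholder file names from the certutil commands above:
# Test-ChainCertInstalled -Path '.\[Root CA filename.crt]'
# Test-ChainCertInstalled -Path '.\[Issuing CA filename.crt]'
```

If Installed is False, the certificate is missing from the Local Computer store, or was imported into the Current User store or the wrong folder. Compare the cleaned thumbprint against the Thumbprint value reported for the file before placing it in the gateway configuration.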