Install a Client Authentication Certificate
On the server that will host the Keyfactor AnyCA Gateway DCOM, you may need a client authentication certificate issued by your CA so that the AnyCAGateway DCOM can authenticate to the CA, if your CA relies on client certificates for authentication.
The certificate, together with its private key, must be installed in the Local Computer certificate store on the AnyCAGateway DCOM machine before you run the AnyCAGateway DCOM configuration. Record the thumbprint of this certificate; you may need to enter it during configuration.
To import the client authentication certificate on the AnyCAGateway DCOM machine:
- Open the Certificates MMC Snap-In for the Local Computer store on the gateway machine. One way to do this is to open an administrative command prompt and execute the following command: certlm.msc
- Right-click on the Personal folder under Certificates (Local Computer) and choose All Tasks->Import.
- In the Certificate Import Wizard on the Welcome page, click Next.
- On the File to Import page, click Browse... and locate the certificate file provided to you by your CA. Click Next.
- On the Certificate Store page, select Automatically select the certificate store based on the type of certificate and confirm that the Personal store is shown. Click Next.
Tip: Choosing “Automatically select the certificate store based on the type of certificate” instead of “Place all certificates in the following store” allows any chain certificates included in the certificate bundle to be installed in the correct location(s) rather than being incorrectly placed into the Personal store along with the client authentication certificate.
- On the final screen of the wizard, click Finish.
- When the import completes, locate the certificate in the Personal store (you may need to refresh), highlight it, and choose All Tasks->Manage Private Keys….
- In the Permissions for private keys dialog, click Add, add Network Service (the default identity of the gateway service) or the Active Directory service account you have chosen to run the gateway service as, and grant it Read permission only, not Full control. Read is sufficient for the service to use the key for authentication; Full control would additionally allow the service to export or delete the key. Click OK to save.
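The same procedure can be scripted so it is repeatable across gateway servers. The following PowerShell script is an added example and is not part of the Keyfactor documentation or product: it imports the PFX into the Local Computer Personal store, prints the thumbprint needed during configuration, locates the private key file on disk, and grants the service account Read (not Full control) on it, which is exactly what the Manage Private Keys dialog edits. The PFX path and the service account are assumptions; adjust them for your environment.

```powershell
# Added example (not Keyfactor's own code). Run from an elevated PowerShell prompt
# on the AnyCAGateway DCOM machine. Requires the PKI module (Windows Server 2012+).
param(
    [string]$PfxPath        = 'C:\temp\gateway-client.pfx',      # assumption: file from your CA
    [string]$ServiceAccount = 'NT AUTHORITY\NETWORK SERVICE'     # default gateway service identity
)

function Get-PrivateKeyFilePath {
    # Resolve the on-disk file that holds the certificate's machine private key.
    # This is the file whose ACL the "Manage Private Keys..." dialog edits.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG (Key Storage Provider) machine keys
        return Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $rsa.Key.UniqueName
    }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # Legacy CAPI (CSP) machine keys
        return Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    }
    $ecdsa = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($Certificate)
    if ($ecdsa -is [System.Security.Cryptography.ECDsaCng]) {
        return Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $ecdsa.Key.UniqueName
    }
    throw 'Could not determine the private key file for this certificate.'
}

function Grant-PrivateKeyRead {
    # Add an Allow/Read ACE for the account. Read is enough for the service to
    # sign with the key; Full control would also permit export or deletion.
    param([string]$KeyPath, [string]$Account)

    $acl  = Get-Acl -Path $KeyPath
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $KeyPath -AclObject $acl
}

$password = Read-Host -Prompt 'PFX password' -AsSecureString

# Cert:\LocalMachine\My is the Personal store of the Local Computer.
# If the PFX also carries chain certificates, keep the one that has the private key.
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $password |
        Where-Object { $_.HasPrivateKey } | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key was imported from $PfxPath" }

Write-Host "Subject:    $($cert.Subject)"
Write-Host "Thumbprint: $($cert.Thumbprint)   <- enter this during AnyCAGateway DCOM configuration"

$keyPath = Get-PrivateKeyFilePath -Certificate $cert
Grant-PrivateKeyRead -KeyPath $keyPath -Account $ServiceAccount

# Verify: the account should appear with Read only, never FullControl.
(Get-Acl -Path $keyPath).Access |
    Where-Object { $_.IdentityReference -eq $ServiceAccount } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

The verification step at the end is worth keeping in any automation: if an existing ACE already grants the service account FullControl (for example from an earlier manual import), AddAccessRule does not remove it, and you should tighten it by hand before putting the gateway into service.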