Acquire and Install a Chain Certificate
You will need a root or intermediate certificate authority (CA) certificate from the managed CA available to install in the Local Computer certificate store on the gateway machine before you run the gateway configuration wizard. You will select this certificate when you configure authorization for the gateway. Acquire the intermediate (preferably) or root certificate for the managed CA.
Root and intermediate certificates will be provided to you by your Keyfactor representative. You should install both certificates, although you will only select one in the configuration wizard (the intermediate). The root certificate should be installed in the Trusted Root Certification Authorities store of the Local Computer on the gateway machine using the Certificates MMC Snap-In and the intermediate certificate should be installed in the Intermediate Certification Authorities store of the Local Computer on the gateway machine. If desired, you can add these trusts into the authority information access (AIA) and, in the case of the root, Certification Authority containers in Active Directory (e.g. CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=keyexample,DC=com), to be distributed to all domain-joined computers, from an administrative command prompt using the following commands in the directory where you copied the files:
If you have only a root CA certificate, it will need to be placed in the Intermediate Certification Authorities store as well as the Trusted Root Certification Authorities store.
If you plan to use the enroll on behalf of feature with an enrollment agent certificate (see Configure the Enrollment Agent Certificate (Optional)), you may also need to add the intermediate CA certificate into the NTAuthCertificates object in Active Directory, depending on how you plan to enroll. The “Enroll on behalf of” option in the local user certificates snap-in requires this. This can be done from an administrative command prompt using the following commands in the directory where you copied the file:
After making any chain certificate updates to Active Directory, you will need to run a gpupdate from the gateway server and any server from which you will be using enrollment agent enroll on behalf of functionality.
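The following PowerShell sketch is an added example, not part of the original Keyfactor documentation: it shows the thumbprints of the supplied files for out-of-band comparison, installs them into the two Local Computer stores named above, and then confirms that the intermediate chains to that exact root. The file names `root.cer` and `intermediate.cer` are placeholders, and the script assumes an elevated session on the gateway machine.

```powershell
# Added example. File names are placeholders, not values from the original page.
$rootFile = '.\root.cer'
$intFile  = '.\intermediate.cer'

# Resolve-Path is needed because .NET does not follow PowerShell's current location.
$x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]
$root = $x509::new((Resolve-Path $rootFile).Path)
$int  = $x509::new((Resolve-Path $intFile).Path)

# Compare these thumbprints with the values supplied by the CA owner before trusting anything.
$root, $int | Format-List Subject, Issuer, Thumbprint, NotAfter

# Sanity checks before install: a root is self-issued, the intermediate names the root as issuer.
if ($root.SubjectName.Name -ne $root.IssuerName.Name) {
    throw "Root file is not self-issued: $($root.Subject)"
}
if ($int.IssuerName.Name -ne $root.SubjectName.Name) {
    throw "Intermediate issuer '$($int.Issuer)' does not match root subject '$($root.Subject)'"
}

# Install into the Local Computer stores (Root = Trusted Root Certification Authorities,
# CA = Intermediate Certification Authorities).
Import-Certificate -FilePath $rootFile -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Import-Certificate -FilePath $intFile  -CertStoreLocation Cert:\LocalMachine\CA   | Out-Null

# Confirm both certificates are present in the expected stores.
foreach ($c in @(@{ Store = 'Root'; Cert = $root }, @{ Store = 'CA'; Cert = $int })) {
    $path = "Cert:\LocalMachine\$($c.Store)\$($c.Cert.Thumbprint)"
    if (-not (Test-Path $path)) { throw "Certificate not found at $path" }
}

# Build the chain for the intermediate with default trust rules.
# Revocation checking is disabled here on the assumption that CRLs may be unreachable
# from the gateway machine; remove that line if they are reachable.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if (-not $chain.Build($int)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    throw "Chain validation failed: $status"
}

# The chain must terminate at the root that was just installed, not some other trusted root.
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($top.Thumbprint -ne $root.Thumbprint) {
    throw "Chain ends at unexpected root $($top.Thumbprint)"
}
Write-Output "Chain OK: $($int.Subject) -> $($root.Subject)"
```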
You can use the following command within an administrative command prompt to open the Certificates MMC Snap-In for the Local Computer: