Configure the Enrollment Agent Certificate (Optional)
The Keyfactor Cloud Gateway provides the option to use an enrollment agent certificate for two purposes. (Certificate enrollment refers to the process by which a user requests a digital certificate; the user must submit the request to a certificate authority (CA).)
- CSR Validation
When configured in this way, the Keyfactor Cloud Gateway uses the enrollment agent certificate to sign certificate signing requests (CSRs) generated on the gateway before they are sent to the Keyfactor Gateway Receiver for certificate issuance. This is done to verify that the CSR originated from the trusted Keyfactor Cloud Gateway (the gateway is who it says it is) before the certificate is issued. Although this feature is optional, Keyfactor encourages you to make use of it for added security. (A CSR, or certificate signing request, is a block of encoded text that is submitted to a CA when enrolling for a certificate. When you generate a CSR within Keyfactor Command, the matching private key is stored in Keyfactor Command in encrypted form and is married with the certificate once it is returned from the CA.)
- Enroll on Behalf Of (EOBO)
When configured in this way, the Keyfactor Cloud Gateway allows a user with an enrollment agent certificate to enroll for a certificate on behalf of another user; for example, John requests a certificate for Martha. This type of functionality is often used when provisioning smart cards or similar technology.
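As an added illustration of the CSR validation idea above (this is not Keyfactor's code, and the page does not describe the gateway's actual signing format), the following shows a receiver-side check that a CSR was countersigned by a trusted enrollment agent key before anything is issued. The self-signed agent certificate, the detached PKCS#1 v1.5 signature over the CSR's DER bytes, and all names are assumptions made for the example.

```python
# Added example, not Keyfactor's code. Assumed envelope: the gateway ships the
# CSR (DER) plus a detached signature made with the enrollment agent key; the
# receiver only issues when that signature verifies under a trusted agent cert.
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def make_agent_cert():
    """Constructed stand-in for the enrollment agent certificate (self-signed)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "gateway-agent")])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .sign(key, hashes.SHA256()))
    return key, cert


def gateway_build_signed_csr(agent_key, subject_cn):
    """Gateway side: generate a CSR for a new key, then countersign its DER bytes
    with the enrollment agent key so the receiver can check the CSR's origin."""
    csr_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    csr = (x509.CertificateSigningRequestBuilder()
           .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)]))
           .sign(csr_key, hashes.SHA256()))
    der = csr.public_bytes(serialization.Encoding.DER)
    sig = agent_key.sign(der, padding.PKCS1v15(), hashes.SHA256())
    return der, sig


def receiver_validate(der, sig, trusted_agent_cert):
    """Receiver side: accept only a well-formed CSR whose countersignature
    verifies under the trusted enrollment agent certificate."""
    csr = x509.load_der_x509_csr(der)
    if not csr.is_signature_valid:  # the CSR's own proof of key possession
        return False
    try:
        trusted_agent_cert.public_key().verify(
            sig, der, padding.PKCS1v15(), hashes.SHA256())
    except InvalidSignature:  # signed by something other than the trusted agent
        return False
    return True
```

A CSR whose countersignature was made with any key other than the trusted agent's, or a signature that does not match the CSR bytes it accompanies, is refused before issuance.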
You may implement either one or both. They are not dependent on one another. The same certificate may be used for both, if desired. If you plan to use CSR validation, you will need a certificate in place before beginning the gateway configuration (see Create the Enrollment Agent Certificate Request). If you plan to use EOBO only, you may wait to acquire your certificate until after the initial gateway configuration is complete (see Configure a Certificate for Enroll on Behalf of (Optional)).
If you plan to implement clustering and wish to implement CSR validation, you will need to acquire the enrollment agent certificate on one gateway node and then export it as a PFX, securely copy it to the other gateway nodes, and import it and set the private key permissions for it in the same fashion as for the gateway encryption certificate (see Acquire and Distribute a Gateway Encryption Certificate). (A PFX file (personal information exchange format), also known as a PKCS#12 archive, is a single, password-protected certificate archive that contains both the public and matching private key and, optionally, the certificate chain; it is a common format for Windows servers. Private keys are used in cryptography (symmetric and asymmetric) to encrypt or sign content. In asymmetric cryptography, they are used together in a key pair with a public key; the private or secret key is retained by the key's creator, making it highly secure.)