Create or Identify Templates

The Keyfactor Cloud Gateway uses certificate templates stored in the local Active Directory that match certificate templates hosted in the managed forest An Active Directory forest (AD forest) is the top most logical container in an Active Directory configuration that contains domains, and objects such as users and computers. to support enrollment Certificate enrollment refers to the process by which a user requests a digital certificate. The user must submit the request to a certificate authority (CA). for certificates from the managed CA A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA.. When you enroll for a certificate via the gateway, you make a request using the local Active Directory template A certificate template defines the policies and rules that a CA uses when a request for a certificate is received. and the corresponding managed forest certificate template is requested.

Templates are configured in the local environment and then are synchronized from the local environment to the managed environment. Templates for synchronization are selected in the gateway configuration wizard. Before you run the gateway configuration wizard, you need to create new or identify existing templates that will be synchronized to the managed environment.

Note: Some configuration settings made to local templates are not synchronized to the cloud environment exactly as configured. For example, templates configured with a Subject Name set to Build from this Active Directory information in the local environment will be switched to Supply in the request in the cloud environment. This is done to support enrollment using Active Directory information supplied from the local environment rather than the cloud environment.

Creating Local Templates

If you have a Microsoft enterprise CA, you can easily create these templates using the Microsoft CA certificate templates MMC snap-in. If you don’t have a Microsoft enterprise CA, you can install the Microsoft Remote Server Administration Tools (RSAT) for Windows (see Add Remote Server Administration Tools) and use the Certificate Templates tool within this to manage templates. When you open the Certificate Templates tool for the first time (you’ll need to open it manually in an MMC or from the command line—certtmpl.msc—it does not appear on the menu), you’ll be offered the option to add the default templates into Active Directory. Doing so will create the necessary starter templates to work from. You can also create the necessary starter templates from the command line using this command:

certutil -installdefaulttemplates

Figure 689: Install Default Certificate Templates in Environments without a Microsoft CA

Note: Keyfactor recommends using schema version 2 or later templates wherever possible.

Figure 690: Microsoft Template Schema Version

Template Attributes

The key attributes about templates that matter for the purposes of gateway enrollment are:

Key Type

Both RSA and ECC Elliptical curve cryptography (ECC) is a public key encryption technique based on elliptic curve theory that can be used to create faster, smaller, and more efficient cryptographic keys. ECC generates keys through the properties of the elliptic curve equation instead of the traditional method of generation as the product of very large prime numbers. are supported.
Key Size

Microsoft CAs can be configured to issue certificates with key sizes as small as 1024; Keyfactor recommends using key sizes no smaller than 2048 (RSA) for best security practice.
Issuance Requirements: CA Manager Approval

Templates can be configured to support CA-level manager approval, allowing you to receive requests back as pending on templates submitted that have the “CA certificate manager approval" flag set. Manager approval for certificate requests based on policies configured in Keyfactor Command using workflows rather than at the CA level are configured entirely within Keyfactor Command and do not make use of the “CA certificate manager approval" flag.

Subject Name

The gateway supports both Supply in the request and Build from this Active Directory information. In the case of the latter, the Active Directory information is retrieved from the local forest, not the managed forest.

When a machine or user certificate is issued with a template that has either the User principal name (UPN) or Service principal name (SPN) SAN The subject alternative name (SAN) is an extension to the X.509 specification that allows you to specify additional values when enrolling for a digital certificate. A variety of SAN formats are supported, with DNS name being the most common. boxes checked, and the subject's account does not have a value for UserPrincipalName:
- If the account enrolling is a machine, the PrincipalName SAN will be set to samAccountName$@domain.fqdn.
- If the account enrolling is a user, the PrincipalName SAN will be set to samAccountName@domain.fqdn.
Issuance Requirements: Authorized Signatures

The gateway supports use of the This number of authorized signatures policy and accompanying settings in support of use of an enrollment agent certificate to enroll for certificates on behalf of another user (see Configure the Enrollment Agent Certificate (Optional)).

Template Permissions

The service account that the gateway is running as (by default, Network Service) needs read permissions on the templates that will be configured for enrollment from the local environment and users who will be enrolling need read and enroll permissions on these templates. The user completing the gateway installation needs read permissions on the templates from the local environment in order to complete the installation.

In a multi-domain environment, it's important to use the correct type of Active Directory group when assigning these permissions to allow permissions to be queried across domain boundaries. For more information about types of Active Directory groups, see:

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc755692(v=ws.10)

The templates mapped to local templates must have CSR A CSR or certificate signing request is a block of encoded text that is submitted to a CA when enrolling for a certificate. When you generate a CSR within Keyfactor Command, the matching private key for it is stored in Keyfactor Command in encrypted format and will be married with the certificate once returned from the CA. enrollment enabled in their default enrollment pattern. Permissions also need to be granted in Keyfactor Command for the gateway service account .

Was this page helpful? Provide Feedback

Version v25.1.1

On this page: