Import the Enrollment Agent Certificate

This step only needs to be completed if you're using an enrollmentClosed Certificate enrollment refers to the process by which a user requests a digital certificate. The user must submit the request to a certificate authority (CA). agent certificate for CSRClosed A CSR or certificate signing request is a block of encoded text that is submitted to a CA when enrolling for a certificate. When you generate a CSR within Keyfactor Command, the matching private key for it is stored in Keyfactor Command in encrypted format and will be married with the certificate once returned from the CA. validation (see Configure the Enrollment Agent Certificate (Optional)). If you're planning to use an enrollment agent certificate for use with enroll on behalf of functionality, you can wait to enroll for this until your gateway is fully installed and then enroll for through your gateway (see Configure a Certificate for Enroll on Behalf of (Optional)).

The user completing this step needs to be a member of the machine local administrators group.

Important:  The certificate must be imported on the same machine on which the CSR was generated to assure that the private keyClosed Private keys are used in cryptography (symmetric and asymmetric) to encrypt or sign content. In asymmetric cryptography, they are used together in a key pair with a public key. The private or secret key is retained by the key's creator, making it highly secure. for the certificate is correctly married with the certificate.

To import the enrollment agent certificate on the Keyfactor Cloud Gateway machine:

  1. Open the Certificates MMC Snap-In for the Local Computer store on the gateway machine. One way to do this is to open an administrative command prompt and execute the following command:

    certlm.msc

  2. Right-click on the Personal folder under Certificates (Local Computer) and choose All Tasks->Import.
  3. In the Certificate Import Wizard on the Welcome page, click Next.
  4. On the File to Import page, click Browse... and locate the certificate file you generated in the managed forestClosed An Active Directory forest (AD forest) is the top most logical container in an Active Directory configuration that contains domains, and objects such as users and computers. (see Create the Enrollment Agent Certificate Request). Click Next.
  5. On the Certificate Store page, select Place all certificates in the following store and confirm that the Personal store is shown. Click Next.
  6. On the final screen of the wizard, click Finish.