Architecture
The Keyfactor Windows Enrollment Gateway is installed on-premise to support enrollment for certificates from a managed instance of Keyfactor Command and a managed EJBCA CA. To enrolling clients, the gateway emulates a Microsoft CA. The enrolling client sends an enrollment request to the gateway as a DCOM enrollment request. The gateway then sends the enrollment request to the managed instance of Keyfactor Command (using the CSR enrollment method), which sends the request to the managed EJBCA CA as an HTTP request. Enrollments of these types are supported:
- Manual enrollment where the subject is supplied in the request.
- Manual enrollment where the subject is built from the local (on-premise) Active Directory.
- Auto-enrollment.

Terms used above: Certificate enrollment refers to the process by which a user requests a digital certificate; the user must submit the request to a certificate authority (CA). A certificate authority (CA) is an entity that issues digital certificates; within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA. A CSR, or certificate signing request, is a block of encoded text that is submitted to a CA when enrolling for a certificate; when you generate a CSR within Keyfactor Command, the matching private key is stored in Keyfactor Command in encrypted format and is married with the certificate once it is returned from the CA.
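Because the gateway presents itself to clients as a Microsoft CA, the first enrollment type above can be exercised with the standard Windows certreq/certutil DCOM flow. The following is an added example, not code from the Keyfactor documentation; the gateway host name, CA name and template name are placeholders for your deployment's values.

```powershell
# Added example: manual enrollment against the Windows Enrollment Gateway with
# the built-in certreq/certutil tools (run from an elevated prompt because the
# key is created in the machine store). GATEWAY-HOST, "Keyfactor Gateway CA" and
# the WebServer template are placeholders, not values from the documentation.
$CaConfig = 'GATEWAY-HOST.corp.example\Keyfactor Gateway CA'   # host\CA name, placeholder

# 1. Confirm the gateway answers as a CA over DCOM before enrolling.
certutil -config $CaConfig -ping
if ($LASTEXITCODE -ne 0) { throw "Gateway did not answer as a CA: $CaConfig" }

# 2. Request policy with the subject supplied in the request. The private key
#    is generated on this host and never leaves it; only the CSR is sent.
$Inf = @"
[NewRequest]
Subject = "CN=app01.corp.example,O=Example Corp"
KeyLength = 3072
KeyAlgorithm = RSA
HashAlgorithm = sha256
MachineKeySet = TRUE
Exportable = FALSE
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = WebServer
"@
Set-Content -Path .\app01.inf -Value $Inf -Encoding ASCII

# 3. Generate the CSR, submit it to the gateway (DCOM), and bind the issued
#    certificate to the local private key.
certreq -new .\app01.inf .\app01.req
certreq -submit -config $CaConfig .\app01.req .\app01.cer
if ($LASTEXITCODE -ne 0) { throw "Submission failed or request is pending" }
certreq -accept .\app01.cer

# 4. Verify what came back: the issuer should be the managed EJBCA CA the
#    gateway fronts, and the chain should build to a root this host trusts.
$Cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 ((Resolve-Path .\app01.cer).Path)
$Chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$Chain.ChainPolicy.RevocationMode = 'Online'
"Subject : $($Cert.Subject)"
"Issuer  : $($Cert.Issuer)"
"Chain OK: $($Chain.Build($Cert))"
$Chain.ChainStatus | ForEach-Object { "  $($_.Status): $($_.StatusInformation.Trim())" }
```

A non-zero exit from the ping step usually means DCOM is blocked or the client is not pointed at the gateway; an issuer that is not the expected EJBCA CA means the request reached a different CA than intended.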
Optionally, synchronization of user and group data from the local Active Directory to the managed Active Directory can be configured to support federated single sign-on to the managed instance of Keyfactor Command using Active Directory Federation Services. Account synchronization is not supported with OAuth authentication to Keyfactor Command.
Figure 708: Windows Enrollment Gateway Architecture