Start the Gateway Services

The CA gateway service runs on the Keyfactor Windows Enrollment Gateway server and manages communications between clients in the local environment and the Keyfactor Gateway Receiver and managed instance of Keyfactor Command for certificate synchronization and enrollment. At the conclusion of the configuration for the gateway, the main gateway service should start automatically. If you need to stop or restart the service:

  1. On the Keyfactor Windows Enrollment Gateway server, open the Services MMC.
  2. In the Services MMC, confirm that the CA gateway service is set to a Startup Type of Automatic (if desired). If the service is not running, click the green arrow to start it. The service name for the main gateway service is:

    Keyfactor Windows Enrollment Gateway

    In addition to the main gateway service, you will also see the Keyfactor Managed CA Sync Service. This service should only be started if you have opted to configure account (user and group) synchronization (see Create or Identify Accounts for Synchronization (Optional)).

    Note:  Account synchronization is not supported if OAuth is used as the authentication option to connect to the managed instance of Keyfactor Command.
Tip:  The gateway services are installed to run as Network Service. If you need to run the services as an alternate service account, update the service account as follows:
  1. Open a command prompt using the “Run as administrator” option.

  2. In the command prompt, type the following to remove the URL reservation for port 8051 from Network Service and add it for your custom service account:

    netsh http delete urlacl url=http://+:8051/
    netsh http add urlacl url=http://+:8051/ user="KEYEXAMPLE\svc_kyfgateway"
  3. Open the Registry Editor:

    regedit
  4. Navigate to:

    HKEY_LOCAL_MACHINE\SOFTWARE\Keyfactor\Keyfactor CA Gateway
  5. Right-click on Keyfactor CA Gateway and choose Permissions...

  6. Add the service account user you referenced in step 2, and grant the user Full Control permission.

  7. Open the Services MMC.

  8. In the Services MMC, locate the gateway service:

    Keyfactor Windows Enrollment Gateway
  9. Right-click the gateway service name and select Properties.

  10. In the Properties dialog on the Log On tab, Browse to locate the service account you referenced in step 2, enter the password for the service account, and click OK.

    Note:  You will see a notification that the service account has been granted Log On As A Service permissions.
  11. If desired, repeat steps 8-10 for the sync service:

    Keyfactor Managed CA Sync Service
Note:  On upgrade, this information will not be retained and will need to be reconfigured.

If you need to reverse the custom service account and set it back to Network Service, follow the same steps as above but with these netsh commands:

netsh http delete urlacl url=http://+:8051/
netsh http add urlacl url=http://+:8051/ user="Network Service"
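
Because the custom service account settings in the Tip above are not retained on upgrade, a read-only check of all three pieces (URL reservation, registry permission, service logon account) is useful after each upgrade. The script below is an added example, not Keyfactor code. It assumes English `netsh` output, the sample account from step 2, and that the names shown in the Services MMC match either the display name or the service name; `New-Result` is a helper defined only for this example.

```powershell
# Added example (not Keyfactor code): read-only audit of the custom service account setup.
# Save as a .ps1 file and run from an elevated PowerShell prompt on the gateway server.
param(
    [string]$Account = 'KEYEXAMPLE\svc_kyfgateway',   # sample account from step 2
    [string]$Url     = 'http://+:8051/',
    [string]$RegPath = 'HKLM:\SOFTWARE\Keyfactor\Keyfactor CA Gateway',
    # Names as shown in the Services MMC; matched against display name or service name.
    [string[]]$Services = @('Keyfactor Windows Enrollment Gateway',
                            'Keyfactor Managed CA Sync Service')
)

# Helper for this example only: one result row per check.
function New-Result($Check, $Ok, $Detail) {
    [pscustomobject]@{ Check = $Check; Ok = [bool]$Ok; Detail = $Detail }
}

# 1. URL reservation (step 2). Assumes English netsh output ("User: <account>").
$netsh = (netsh http show urlacl url=$Url) -join "`n"
$owner = if ($netsh -match 'User:\s+(.+)') { $Matches[1].Trim() } else { '<no reservation>' }
New-Result "urlacl $Url" ($owner -eq $Account) $owner

# 2. Registry permission (steps 4-6): an explicit Allow / Full Control entry for the account.
$full = [int][System.Security.AccessControl.RegistryRights]::FullControl
$ace  = (Get-Acl -Path $RegPath).Access | Where-Object {
    $_.IdentityReference.Value -eq $Account -and
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.RegistryRights) -band $full) -eq $full
}
New-Result 'registry Full Control' ($null -ne $ace) $RegPath

# 3. Service logon account (steps 8-11). The sync service is optional, so a
#    mismatch there only matters if you chose to move it to the custom account.
$all = Get-CimInstance -ClassName Win32_Service
foreach ($name in $Services) {
    $svc = $all | Where-Object { $_.DisplayName -eq $name -or $_.Name -eq $name }
    if ($svc) {
        New-Result "logon: $name" ($svc.StartName -eq $Account) "$($svc.StartName), $($svc.State)"
    } else {
        New-Result "logon: $name" $false '<service not found>'
    }
}
```

The script changes nothing; any row with `Ok` set to `False` points to the step of the procedure that needs to be repeated.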