Keyfactor Universal Orchestrator

The Keyfactor Universal Orchestrator The Keyfactor Universal Orchestrator, one of Keyfactor's suite of orchestrators, is used to interact with servers and devices for certificate management, run SSL discovery and management tasks, and manage synchronization of certificate authorities in remote forests. With the addition of custom extensions, it can provide certificate management capabilities on a variety of platforms and devices (e.g. Amazon Web Services (AWS) resources, Citrix\NetScaler devices, F5 devices, IIS stores, JKS keystores, PEM stores, and PKCS#12 stores) and execute tasks outside the standard list of certificate management functions. It runs on either Windows or Linux servers or Linux containers. is designed to run jobs at the request of the Keyfactor Command server. Jobs primarily perform certificate management tasks, but other types of operations are also supported. The orchestrator Keyfactor orchestrators perform a variety of functions, including managing certificate stores and SSH key stores. operates as a .NET Core based service on a Windows server, Linux server, or in a container and communicates with a Keyfactor Command server to receive job tasks and report job results. Along with the job results, data can be returned to the Keyfactor Command server and stored in the Keyfactor Command SQL database. Extensions are hosted by the orchestrator and implement the jobs to be executed.

The orchestrator includes these built-in extensions:

• Discover and monitor certificates at TLS TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are protocols for establishing authenticated and encrypted links between networked computers. 1.3 endpoints either within the local network or across the internet using any of the 5 ciphersuites mentioned in appendix B.4 of RFC 8446. Certificates from the results of SSL TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are protocols for establishing authenticated and encrypted links between networked computers. discovery and monitoring are imported into Keyfactor Command for viewing, reporting and alerting purposes. Scanning using server name indication Server name indication (SNI) is an extension to TLS that provides for including the hostname of the target server in the initial handshake request to allow the server to respond with the correct SSL certificate or allow a proxy to forward the request to the appropriate target. (SNI Server name indication (SNI) is an extension to TLS that provides for including the hostname of the target server in the initial handshake request to allow the server to respond with the correct SSL certificate or allow a proxy to forward the request to the appropriate target.) is supported.
• Retrieve logs generated on the orchestrator via the Keyfactor Command Management Portal. This task returns up to 2 MB of log data from the end of the orchestrator log file to be viewed in the Management Portal. This features is supported only on full server installations.
• Manage certificates from remote Microsoft Certificate Authorities (CAs) using the Management Portal. Certificates from remote CAs can be imported into Keyfactor Command for viewing, reporting and alerting purposes. This feature is supported only on Windows installations.

  If the remote CA A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA. is domain-joined to a domain in the remote forest An Active Directory forest (AD forest) is the top most logical container in an Active Directory configuration that contains domains, and objects such as users and computers., the Universal Orchestrator may be installed on the CA itself or on a separate server joined to a domain in the same forest (generally a server in the same domain as the CA). Multiple CAs in the same remote forest can be managed with a single Universal Orchestrator server. However, if the remote CA is not domain-joined, the Universal Orchestrator must be installed on the remote CA server.

  Note:  The Keyfactor Universal Orchestrator does not support certificate enrollment Certificate enrollment refers to the process by which a user requests a digital certificate. The user must submit the request to a certificate authority (CA). or management task such as revocation for remote CAs. If you need these capabilities, instead of using an orchestrator to communicate with your remote CAs you will need to use either the Explicit Credentials option in the Management Portal CA configuration (see Authentication Method Tab) or a CA Connector The Keyfactor CA Connector is installed in the customer environment to provide a connection between a CA and Keyfactor Command when a direct connection is not possible. It is supported on both Windows and Linux and has versions for Microsoft (Windows only) or EJBCA CAs. Client (see The CA Connector Client).

In addition, custom extensions are fully supported. These extensions allow you to manage and deliver certificates to a wide range of platforms and devices using custom certificate store types and orchestrator jobs. Custom extensions may be developed either by your organization or by Keyfactor.

Keyfactor provides a collection The certificate search function allows you to query the Keyfactor Command database for certificates from any available source based on any criteria of the certificates and save the results as a collection that will be availble in other places in the Management Portal (e.g. expiration alerts and certain reports). of publicly available extensions in the Integrations Catalog on GitHub:

Using these extensions, you can manage Windows certificate stores (such as IIS), JKS A Java KeyStore (JKS) is a file containing security certificates with matching private keys. They are often used by Java-based applications for authentication and encryption. and PEM A PEM format certificate file is a base64-encoded certificate. Since it's presented in ASCII, you can open it in any text editor. PEM certificates always begin and end with entries like ---- BEGIN CERTIFICATE---- and ----END CERTIFICATE----. PEM certificates can contain a single certificate or a full certifiate chain and may contain a private key. In general, extensions of .cer and .crt are certificate files with no private key, .key is a separate private key file, and .pem is both a certificate and private key. stores, F5 appliances, Citrix NetScaler devices, AWS resources, and many other targets (see Installing Certificate Store Management Extensions).

For additional information about custom extensions or assistance developing new ones, contact your Keyfactor representative.