Add Certificate

The add certificate tool is typically used to import certificates that are not brought in either via CA synchronization or by certificate store scans. The tool supports importing certificates with the following formats and extensions:

Tip:  The following permissions (see Security Roles and Claims) are required to use this feature:
Certificates > Import

To update metadata, the user must have:

Certificates > Collections > Metadata Modify

To assign a certificate owner (when none is set) or to change the existing default certificate owner, the user must have:

Certificates > Collections > Change Owner
OR
Certificates > Expanded Change Owner
AND
Security > Read (in the permission set containing the security role to which the certificate owner will be set)

This tool has several purposes, including:

If you import a certificate that has already been imported, either via a synchronization task or manually, the certificate will not be re-imported. When you save, you will receive a notification message if the certificate already exists in the Keyfactor Command database. Any metadata currently stored in the database for that certificate will be displayed in the metadata fields on the page, and any changes you make to the metadata on this page will overwrite the existing metadata for the certificate when you complete the import (for all certificate formats).

To use the add certificate tool

  1. In the Management Portal, browse to Certificates > Add Certificate.
  2. In the Add Certificate section of the page, click the Upload button to open a browse window.
  3. In the browse window, browse to select the certificate you wish to import.
  4. For a certificate with an encrypted private key, enter the password for the encrypted key when prompted and click Save. This will open the Add Certificate page, which allows you to change or add metadata and choose certificate locations to which the certificate will be deployed. Set Private Key Password allows you to re-enter the password once you have uploaded the certificate.

    Figure 60: Add Password for Certificate with Encrypted Private Key

  5. In the Certificate/PFX Details section of the page, review the certificate information.

    Figure 61: Add Certificate Information

  6. In the Metadata section of the page, populate any defined certificate metadata fields (see Certificate Metadata, Configuring Template Options, and Adding or Modifying an Enrollment Pattern) as appropriate. These fields may be required or optional depending on your metadata configuration. Required fields will be marked with *Required next to the field label. Any completed values will be associated with the certificate once it has been imported into Keyfactor Command. The order in which the metadata fields appear can be changed (see Sorting Metadata Fields).

    Email metadata fields allow multiple email addresses to be added via a pop-up text box, where email addresses are entered separated by a comma or semicolon. During entry the addresses appear as a single row in the metadata grid. However, after saving, each email address is displayed on a separate row.

    Tip:  If a hint has been provided for a specific metadata field, it will display in parentheses to the right of the metadata label.

    Figure 62: Populate Metadata Fields

  7. The Certificate Owner section of the page appears if you set the Certificate Owner Role policy to Optional or Required at either the system-wide or enrollment policy level (see Configuring System-Wide Settings and Enrollment Pattern: Policies Tab). The certificate owner refers to a security role (not individual users), as defined in Keyfactor Command (see Security Roles and Claims). The Owner Role Name is a search select dropdown. To narrow the list of results in a search select dropdown, begin typing in the input field. Matching results will appear as you type. The roles available to choose from depend on the certificate security configuration for the user (see security roles and permissions for Certificates).

    In all cases, the behavior of the Owner Role Name field—whether it is optional, required, or hidden—is determined by the system-wide policy or the specific policy defined on the enrollment pattern. If a default certificate owner is set on the enrollment pattern, the field will be pre-populated with that value—unless the acting user does not hold the default owner role.

    The following permissions determine which roles the user can assign as certificate owner:

    Figure 63: Select a Certificate Owner

    Note:  If the certificate being imported, or one of the certificates in its chain, already exists in the Keyfactor Command database and has an assigned certificate owner to which the user making the import request does not belong, the certificate owner will not be changed.
  8. In the Install into Certificate Locations section of the page, select each certificate store location to which you want to distribute the certificate, if desired. To do this, click the Include Certificate Stores button. This will cause the Select Certificate Store Locations dialog to appear. Make your certificate store selections in this dialog as described in Select Certificate Store Locations, below, and click Include and Close. You will then see some additional fields on the page. Populate these as per Add to Certificate Stores and Information Required for Certificate Stores, below.

  9. Click Save to import the certificate into Keyfactor Command.
Note:  When you save this job, a new management job will be added to the orchestrator jobs list.

If an inventory job does not already exist for the certificate store, one will be added automatically to update Keyfactor Command with the changes to the certificate store. The inventory job will be configured to run either immediately or at the same Exactly Once time as the management job, depending on how the management job is configured, and will then be cleared.

Note:  When you import a certificate containing a private key (a .pfx or .p12 file), the private key for that certificate is stored in the Keyfactor Command database. Users with limited permissions to the Add Certificate function may have permissions to upload certificates but not store private keys. If a user with this permission model uploads a certificate containing a private key, the certificate itself will be imported (if it does not already exist in the database), but the private key will not be stored. The user will receive a message indicating this. For more information about setting permissions for importing certificates, see Security Roles and Claims.
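A pre-flight check for a PFX/P12 file before uploading it in step 4, as an added example that is not part of this documentation or of Keyfactor's tooling. It assumes only the openssl CLI is installed and constructs its own throwaway sample bundle; on a real file it reports the same facts that the Certificate/PFX Details section and the private-key note above describe: leaf subject, thumbprint, and whether a private key is present.

```shell
# Added example, not Keyfactor tooling: pre-flight checks on a PFX/P12 with the
# openssl CLI, reporting what Add Certificate will show in Certificate/PFX Details.
set -eu

# pfx_leaf FILE PASSWORD: prints the end-entity certificate as PEM (no key, no
# chain); fails if the password is wrong or FILE is not a PKCS#12 container.
pfx_leaf() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null
}

# pfx_has_private_key FILE PASSWORD: exit 0 when the bundle carries a private key
# (the case in which Keyfactor Command stores the key in its database).
pfx_has_private_key() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY'
}

# pfx_thumbprint FILE PASSWORD: SHA-1 thumbprint of the leaf, 40 hex digits,
# useful for checking whether the certificate is already in the database.
pfx_thumbprint() {
  pfx_leaf "$1" "$2" | openssl x509 -noout -fingerprint -sha1 \
    | sed 's/^.*=//; s/://g'
}

# pfx_summary FILE PASSWORD: subject, expiry, thumbprint and key presence.
pfx_summary() {
  leaf=$(pfx_leaf "$1" "$2") || return 1
  printf '%s\n' "$leaf" | openssl x509 -noout -subject -enddate
  echo "thumbprint: $(pfx_thumbprint "$1" "$2")"
  if pfx_has_private_key "$1" "$2"; then
    echo "private_key: present"
  else
    echo "private_key: absent"
  fi
}

# make_sample_pfx DIR PASSWORD: constructs a throwaway self-signed certificate
# and key and packs them into DIR/sample.pfx (sample data, not a real cert).
make_sample_pfx() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=sample.example' \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
    -passout "pass:$2" -out "$1/sample.pfx"
  echo "$1/sample.pfx"
}

# Demonstration on the constructed bundle.
work=$(mktemp -d)
pfx_summary "$(make_sample_pfx "$work" constructed-pass)" constructed-pass
rm -rf "$work"
```

Run `pfx_summary your.pfx 'your-password'` against the file you intend to upload; a non-zero exit means the password is wrong or the file is not a PKCS#12 bundle.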
Tip:  Click the help icon next to the Add Certificate page title to open the Keyfactor Software & Documentation Portal to this section. You will receive a prompt indicating:

You are being redirected to an external website 'software.keyfactor.com'. Would you like to proceed?

You can also find the help icon at the top of the page next to the Log Out button. From here you can choose to open either the Keyfactor Software & Documentation Portal at the home page or the Keyfactor API Endpoint Utility.

Keyfactor provides two sets of documentation: the On-Premises Documentation Suite and the Managed Services Documentation Suite. Which documentation set is accessed is determined by the Application Settings: On-Prem Documentation setting (see Application Settings: Console Tab).