Certificate Authorities

Your Microsoft and EJBCA certificate authorities (CAs) are defined in the Management Portal to support synchronization to the Keyfactor Command database and support enrollment Certificate enrollment refers to the process by which a user requests a digital certificate. The user must submit the request to a certificate authority (CA).. Microsoft CAs in the local forest An Active Directory forest (AD forest) is the top most logical container in an Active Directory configuration that contains domains, and objects such as users and computers. in which Keyfactor Command is installed or in a forest in a two-way trust with this forest may be imported from Active Directory or manually configured. Other Microsoft CAs and EJBCA CAs need to be manually configured. During initial provisioning, any domain-joined Microsoft CAs in the primary Active Directory forest will be imported automatically by the Keyfactor Command configuration wizard.

Important: In order for CAs to successfully synchronize to the Keyfactor Command database and perform other functions (e.g. enrollment), the service account under which Keyfactor Command is making the request to the CA

A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA. must be granted appropriate permission to the CA database as per Grant the Keyfactor Command Users and Service Account(s) Permissions on the CAs.

CAs that need to be added manually include:

An EJBCA CA
A domain-joined enterprise or standalone Microsoft CA in a forest with a one-way trust (either direction) with the forest in which Keyfactor Command is installed.
A domain-joined enterprise or standalone Microsoft CA in a forest that has no trust with the forest in which Keyfactor Command is installed.
A non-domain-joined standalone Microsoft CA.
A Keyfactor CA gateway in the forest in which Keyfactor Command is installed that has not been registered in Active Directory.

The CA gateways are used to access cloud certificate providers (e.g. Entrust) using DCOM. DCOM gateways are available to support Microsoft or EJBCA CAs in remote or cloud environments (e.g. the Cross-Forest Gateway).

Note: Keyfactor CA gateways are not supported in any configuration other than in the same forest in which Keyfactor Command is installed.
A Keyfactor AnyCAGateway REST in the forest in which Keyfactor Command is installed that has not been registered in Active Directory.

The AnyCAGateway REST is used to access cloud certificate providers (e.g. Entrust) using HTTPS.
A Microsoft CA accessed via the CA Connector Client. This is often used with a managed instance of Keyfactor Command.
A EJBCA CA accessed via the CA Connector Client. This is often used with a managed instance of Keyfactor Command.
A Microsoft CA accessed via the Keyfactor Universal Orchestrator The Keyfactor Universal Orchestrator, one of Keyfactor's suite of orchestrators, is used to interact with servers and devices for certificate management, run SSL discovery and management tasks, and manage synchronization of certificate authorities in remote forests. With the addition of custom extensions, it can provide certificate management capabilities on a variety of platforms and devices (e.g. Amazon Web Services (AWS) resources, Citrix\NetScaler devices, F5 devices, IIS stores, JKS keystores, PEM stores, and PKCS#12 stores) and execute tasks outside the standard list of certificate management functions. It runs on either Windows or Linux servers or Linux containers..

Note: You must install and configure the Keyfactor Universal Orchestrator Keyfactor orchestrators perform a variety of functions, including managing certificate stores and SSH key stores. on a machine in the same forest where the Microsoft CA resides and configure it with CA Support and approve the orchestrator in the Management Portal before creating the CA record.

Note: All CAs need to be added manually if you’re using Keyfactor Command on a non-domain-joined server.

The majority of CA-related functions within Keyfactor Command are supported by both EJBCA and Microsoft CAs. Table 15: CA Function Matrix includes a list of CA-related functions and the support provided by EJBCA and Microsoft CAs.

Important: EJBCA integration with Keyfactor Command requires EJBCA version 7.8.1 or higher.

Table 15: CA Function Matrix

	EJBCA CA	Microsoft CA
CA Synchronization
Template1 Import
CA Threshold Monitoring (Issuance)
CA Threshold Monitoring (Failures)
CA Health Monitoring
Certificate Enrollment (PFX)
Certificate Enrollment (CSR)
Certificate Revocation
CRL Publishing Following Certificate Revocation
Keyfactor Command Private Key Retention and Key Recovery
CA-Level Key Archiving (* no longer supported as of Keyfactor Command v10)
CA-Level Key Recovery
Approvals in Workflow Builder
CA-Level Approvals with Pending, Issued and Denied Alerts
Supports use of Restrict Allowed Requesters for access control
Requires use of Restrict Allowed Requesters for access control
Requests to the CA can be done in the context of the user initiating the request
Requests to the CA can be done in the context of a single service account2
Supports use of Universal Orchestrator to access remote CA

Tip: Click the help icon (

) next to the Certificate Authorities page title to open the Keyfactor Software & Documentation Portal to this section. You will receive a prompt indicating:

You are being redirected to an external website. Would you like to proceed?

You can also find the help icon () at the top of the page next to the Log Out button. From here you can choose to open either the Keyfactor Software & Documentation Portal at the home page or the Keyfactor API Endpoint Utility.

Keyfactor provides two sets of documentation: the On-Premises Documentation Suite and the Managed Services Documentation Suite. Which documentation set is accessed is determined by the Application Settings: On-Prem Documentation setting (see Application Settings: Console Tab).

Version v12.5

On this page: