Preparing for the Keyfactor CA Policy Module
The preparation steps necessary for the Keyfactor CA Policy Module vary depending on the policy handler(s) you intend to use.
The policy handlers have the following preparation requirements:
RFC 2818 Policy Handler
During the configuration of the RFC 2818 Policy Handler, you will need to define the list of Microsoft certificate templates that will automatically be assigned a DNS SAN (subject alternative name) matching the certificate's CN (common name) when a certificate enrollment request reaches the CA. These templates are configured by selecting them from a list. You will need to have this list of templates ready.
SAN Attribute Policy Handler
During the configuration of the SAN Attribute Policy Handler, you will need to define the list of Microsoft certificate templates that will allow certificate enrollment requests via CSR (certificate signing request) to submit SANs outside of the CSR for inclusion in the final certificate, replacing any SANs originally in the CSR. These templates are configured by selecting them from a list. You will need to have this list of templates ready.
Whitelist Policy Handler
During the configuration of the SAN Attribute Policy Handler, you will need to define the list of Microsoft certificate templates that will be gated by the handler and the list of machines that will be allowed to use these templates. Any templates you include will be available for enrollment only from machines you include in the allowed list. The purpose of this handler is to force all enrollments to be made from the Keyfactor Command server(s), so the list of machines should include your Keyfactor Command server(s). The templates for this policy handler are configured by typing in their certificate template name (short name), so you will need an exact list of the template names.
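One way to build and check the exact list of template short names before configuring the handlers, as an added example that is not part of the Keyfactor documentation or product. It reads template objects and CA enrollment service objects from the Active Directory configuration partition; the names in `$wanted` are constructed placeholders, and the case-sensitive comparison is an assumption about what "exact" requires.

```powershell
# Added example. Run from a domain-joined machine with read access to the
# AD configuration partition. $wanted holds constructed placeholder names.
$wanted = @('KeyexampleWebServer', 'Keyexample Web Server')

$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

# Hypothetical helper: search one PKI container for objects of a given class.
function Find-PkiObject([string]$Container, [string]$Class, [string[]]$Props) {
    $root = [ADSI]"LDAP://CN=$Container,$pkiBase"
    $s = New-Object System.DirectoryServices.DirectorySearcher($root)
    $s.Filter   = "(objectClass=$Class)"
    $s.PageSize = 500
    $s.PropertiesToLoad.AddRange($Props)
    $s.FindAll()
}

# cn is the template short name; displayName is what the management GUI shows.
$templates = Find-PkiObject 'Certificate Templates' 'pKICertificateTemplate' 'cn','displayname' |
    ForEach-Object {
        [pscustomobject]@{
            ShortName   = [string]($_.Properties['cn'] | Select-Object -First 1)
            DisplayName = [string]($_.Properties['displayname'] | Select-Object -First 1)
        }
    }

# Short names each CA has published (certificateTemplates attribute).
$published = Find-PkiObject 'Enrollment Services' 'pKIEnrollmentService' 'certificatetemplates' |
    ForEach-Object { $_.Properties['certificatetemplates'] } | Sort-Object -Unique

# Assumption: "exact" is treated as case-sensitive (-ccontains) to be conservative.
foreach ($name in $wanted) {
    $status = if ($templates.ShortName -ccontains $name) {
        if ($published -ccontains $name) { 'OK: short name, published on a CA' }
        else { 'Short name exists but is not published on any CA' }
    } elseif ($templates.DisplayName -contains $name) {
        $short = ($templates | Where-Object DisplayName -eq $name).ShortName
        "Display name, not short name; use '$short'"
    } else { 'No template with this name' }
    [pscustomobject]@{ Name = $name; Status = $status }
}
```

A name typed as a display name (for example with spaces) is the usual reason a gated template is silently left out of the handler's list, so review any row that is not reported as OK before entering it.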
In addition, you will need to have your Keyfactor product license available for upload into the policy module once installed to activate it.