Modifications to the Policy Module Configuration
To make modifications to the Keyfactor Command Policy Module configuration:
- On the CA where you installed the Keyfactor Command Policy Module, open the Certification Authority management tool.
  A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA.
- In the Certification Authority management tool, right-click the CA name at the top of the tree and choose Properties.
- In the Properties dialog for the CA, on the CA Policy Module tab, if the Keyfactor Command Policy Module is not already selected, click Select, highlight the Keyfactor Command Custom Policy Module in the Set Active Policy Module dialog, and click OK.
Figure 408: Enable the Keyfactor Command Custom Policy Module
- In the Properties dialog for the CA, on the CA Policy Module tab, click Properties. On the Custom Handlers tab of the Policy Module Configuration Properties, highlight the RFC 2818 Policy Handler, SAN Attribute Policy Handler, vSCEP Policy Handler, or Keyfactor Command Machine Whitelist Policy Handler in the list of available or loaded handlers, then click Load to move it over to the loaded handlers or Unload to move it over to the available (not in use) handlers. If more than one handler has been installed and moved to the loaded side, click Move Up and/or Move Down to change the processing order of the handlers. Of the currently available handlers, the processing order only matters for the RFC 2818 and SAN Attribute Policy Handlers: the SAN Attribute Policy Handler must come before the RFC 2818 Policy Handler. Click OK to save changes.
  The subject alternative name (SAN) is an extension to the X.509 specification that allows you to specify additional values when enrolling for a digital certificate. A variety of SAN formats are supported, with DNS name being the most common.
Figure 409: Configure the vSCEP Policy Module Properties
- See Configuring the RFC2818 Policy Handler, Configuring the SAN Attribute Policy Handler, Configuring the vSCEP™ Policy Handler, or Configuring the Whitelist Policy Handler for details on configuring a specific policy handler.
- Click OK as many times as needed to close the configuration dialogs and save the configuration. You may be prompted to restart the CA services.
The logical name of a CA is the common name given to the CA at the time it is created. For Microsoft CAs, this name can be seen at the top of the Certificate Authority MMC snap-in. It is part of the FQDN\Logical Name string that is used to refer to CAs when using command-line tools and in some Keyfactor Command configuration settings (e.g. ca2.keyexample.com\Corp Issuing CA Two).
The configuration options for the policy handlers can also be found in the registry on the CA in the following paths (where CA_LOGICAL_NAME is the logical name of the local CA):