Review the Policy Module Installation
This section describes advanced configuration of the Keyfactor Command Policy Module, the RFC 2818 Policy Handler, the SAN Attribute Policy Handler, the vSCEP™ Policy Handler, and the Whitelist Policy Handler. It is assumed that you have already completed the following steps described in the Install the Keyfactor Command Policy Module Handlers section in the Keyfactor Command Server Installation Guide:

- Install the Keyfactor Command Policy Module, selecting the RFC 2818 Policy Handler, on one or more CAs on which you want to automate inclusion of a DNS SAN matching the CN of the requested certificate
- Enable the RFC 2818 Policy Handler on the CAs in the Certificate Authority properties, selecting the templates to which the policy handler applies

- Install the Keyfactor Command Policy Module, selecting the SAN Attribute Policy Handler, on one or more CAs on which you want to allow the addition of SANs not included in the CSR when making an enrollment request using a CSR
- Enable the SAN Attribute Policy Handler on the CAs in the Certificate Authority properties, selecting the templates to which the policy handler applies

- Install the Keyfactor Command Policy Module, selecting the vSCEP™ Policy Handler, on the CA that will issue certificates for iOS enrollment via Keyfactor Command
- Enable the vSCEP™ Policy Handler on the CA in the Certificate Authority properties
- Optionally, add any non-Keyfactor Command SCEP servers to the vSCEP™ Policy Handler’s ignore list

- Install the Keyfactor Command Policy Module, selecting the Whitelist Policy Handler, on one or more CAs on which you want to restrict certificate enrollment to specified client computers for a given set of templates
- Enable the Whitelist Policy Handler on the CAs in the Certificate Authority properties, selecting the machines and templates to which the policy handler applies

If you missed any of these steps, you will need to complete them before the Keyfactor Command Policy Module with either the RFC 2818 Policy Handler or SAN Attribute Policy Handler can be used to modify requests, before the Keyfactor Command Policy Module with the vSCEP™ Policy Handler will be used for iOS enrollment, or before the Keyfactor Command Policy Module with the Whitelist Policy Handler can be used to gate certificate requests. For information, please see the Install the Keyfactor Command Policy Module Handlers section in the Keyfactor Command Server Installation Guide.