Create or Identify Certificate Templates for Enrollment

This step only needs to be completed if your Keyfactor Command license includes certificate enrollment and you plan to use this feature.

Note:  Keyfactor Command and this documentation use the term template generically to refer to both Microsoft certificate templates and EJBCA certificate templates. EJBCA templates are built from an EJBCA end entity profile and certificate profile and are named <end entity profile name>_<certificate profile name> for the template name and <end entity profile name> (<certificate profile name>) for the template display name.

The enrollment function in the Keyfactor Command Management Portal is generally used by administrators to request certificates for use on servers, network devices, and similar equipment. There is a good chance that certificate templates for these purposes already exist in your environment. To prepare for the Keyfactor Command installation, you need to gather a list of the CAs that will be used to issue certificates through the Keyfactor Command Management Portal and a list of the templates that will be used for this: the template names (as opposed to the template display names) for Microsoft CAs, or the certificate profiles and end entity profiles for EJBCA CAs. If any new templates or profiles need to be created for this purpose, they should be created before completing the Keyfactor Command post-installation steps.

For Microsoft CAs, the security settings on your existing templates may need to be modified to allow users to enroll for certificates using them through the Keyfactor Command Management Portal, depending on how the templates have been used previously. For CAs in the local forest (the forest in which Keyfactor Command is installed) and forests in a two-way trust with the local forest, enrollment through the Keyfactor Command Management Portal is often done in the context of the user logged into the portal. This differs from enrolling for a certificate through the Microsoft certificates MMC, where requests for computer certificates (such as web server certificates) are done in the context of the machine account from which the certificate is requested, not the user account, and thus the machine account needs permissions, not the user. When using the Keyfactor Command Management Portal, each of the users who will use one of the enrollment functions needs Read and Enroll permissions on the templates they will be using through the portal (see Grant the Keyfactor Command Users and Service Account(s) Permissions on the CAs for more details).
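The two preparation tasks above (collecting template names rather than display names, and confirming Read and Enroll rights on them) can be checked from a domain-joined host with the added script below. It is an example written for this page, not Keyfactor's own tooling; it reads the templates and Enrollment Services objects from the forest configuration partition via ADSI, and the group name is a placeholder to replace with the principal your portal users belong to.

```powershell
# Added example, not from the Keyfactor documentation: list Microsoft CA templates by
# template name (the value Keyfactor Command needs, not the display name), show which CAs
# publish each one, and flag whether a chosen principal holds Read and Enroll on it.
# Rights are evaluated per explicit ACE only; nested group membership is not resolved.
param([string]$Principal = 'CONTOSO\PKI-Portal-Users')   # placeholder group name
$EnrollRightGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"
# Map template name -> CAs that publish it (pKIEnrollmentService.certificateTemplates).
$publishedOn = @{}
$caSearch = New-Object DirectoryServices.DirectorySearcher([ADSI]"LDAP://CN=Enrollment Services,$pkiBase")
$caSearch.Filter = '(objectClass=pKIEnrollmentService)'
foreach ($ca in $caSearch.FindAll()) {
    foreach ($t in $ca.Properties['certificatetemplates']) {
        if (-not $publishedOn.ContainsKey($t)) { $publishedOn[$t] = @() }
        $publishedOn[$t] += [string]$ca.Properties['cn'][0]
    }
}
function Test-TemplateAccess {
    param([DirectoryServices.DirectoryEntry]$Template, [string]$Identity)
    $read = $false; $enroll = $false
    $rules = $Template.ObjectSecurity.GetAccessRules($true, $true, [Security.Principal.NTAccount])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow' -or $ace.IdentityReference.Value -ne $Identity) { continue }
        $r = $ace.ActiveDirectoryRights
        if ($r.HasFlag([DirectoryServices.ActiveDirectoryRights]::ReadProperty)) { $read = $true }
        # Enroll is the Certificate-Enrollment extended right; an ExtendedRight ACE with an
        # empty ObjectType grants all extended rights, and GenericAll grants everything.
        if ($r.HasFlag([DirectoryServices.ActiveDirectoryRights]::GenericAll) -or
            ($r.HasFlag([DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
             $ace.ObjectType -in @($EnrollRightGuid, [guid]::Empty))) { $enroll = $true }
    }
    [pscustomobject]@{ Read = $read; Enroll = $enroll }
}
$tplSearch = New-Object DirectoryServices.DirectorySearcher([ADSI]"LDAP://CN=Certificate Templates,$pkiBase")
$tplSearch.Filter = '(objectClass=pKICertificateTemplate)'
$report = foreach ($res in $tplSearch.FindAll()) {
    $tpl  = $res.GetDirectoryEntry()
    $name = [string]$tpl.Properties['cn'].Value
    $acc  = Test-TemplateAccess -Template $tpl -Identity $Principal
    [pscustomobject]@{ TemplateName = $name; DisplayName = [string]$tpl.Properties['displayName'].Value
                       PublishedOn = ($publishedOn[$name] -join ', '); Read = $acc.Read; Enroll = $acc.Enroll }
}
$report | Sort-Object TemplateName | Format-Table -AutoSize
```

Templates with an empty PublishedOn column are not available for issuance on any CA, and rows showing Read or Enroll as False for the chosen principal are the ones whose template security needs adjusting before the post-installation steps.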

Tip:  Enrollment through the Keyfactor Command Management Portal against remote Microsoft CAs (CAs in a forest with either no trust with the forest in which Keyfactor Command is installed or a one-way trust) is done in the context of the service account configured for Explicit Credentials on the Management Portal CA record (see Create Active Directory Service Accounts for Keyfactor Command).

The Keyfactor Command Management Portal offers the option of using a different set of CAs and templates for each of the two enrollment methods, PFX and CSR. As you collect your list of CAs and templates, you will need to decide whether you want to use the same CAs and templates for both types of enrollment or whether each type of enrollment will have a unique list of CAs and templates.

The list of templates used for enrollment in the Keyfactor Command Management Portal is configured through the Management Portal's template management. In previous releases of Keyfactor Command, the templates and CAs for enrollment were configured during installation; this is now done as a post-install step in the Management Portal. See Certificate Authorities and Certificate Template Operations in the Keyfactor Command Reference Guide.