Install the Keyfactor Whitelist Policy Handler

To begin the Whitelist Policy Handler installation, execute the KeyfactorCAModuleInstaller.msi file from the Keyfactor installation media and install as follows.

Note: The following Windows update affects how certificate requests are built when sent to a Microsoft CA and may cause enrollments done outside Keyfactor Command against a Microsoft CA configured with the Whitelist Policy Handler to fail.

  1. On the first installation page, click Next to begin the setup wizard.

    Figure 515: Install Whitelist Policy Handler: Begin Setup Wizard

  2. On the next page, read and accept the license agreement and click Next.
  3. On the next page, select the components to install. For the Whitelist Policy Handler, deselect all the components except the Whitelist Policy Handler component. If desired, you can highlight Keyfactor Custom Policy Module and click Browse to select an alternate installation location for the files. The default installation location is:

    C:\Program Files\Keyfactor\Keyfactor CA Modules

    Figure 516: Install Whitelist Policy Handler: Select Components

  4. On the next screen, click Install.
  5. On the final installation wizard page, leave the "Launch the CA MMC snap-in now" box selected and click Finish. The Microsoft Certification Authority management tool should start automatically. This can take several seconds.
  6. In the Certification Authority management tool, right-click the CA name at the top of the tree and choose Properties.
  7. In the Properties dialog for the CA on the CA Policy Module tab, click Select, highlight the Keyfactor Custom Policy Module in the Set Active Policy Module dialog and click OK.

    Figure 517: Enable the Keyfactor CA Policy Module

  8. In the Properties dialog for the CA on the CA Policy Module tab, click Properties.
  9. On the Licensing tab of the Policy Module Configuration Properties page, click Upload License and browse to locate the license file provided to you by Keyfactor. This file should have the extension CMSLICENSE.

    Figure 518: Upload the Keyfactor CA Policy Module License

  10. On the Custom Handlers tab of the Policy Module Configuration Properties page, highlight the CMS Machine Whitelist Policy on the list of available handlers, click Load to move it over to the loaded handlers, and click OK.

    Figure 519: Enable the Whitelist Policy Handler

  11. On the Custom Handlers tab of the Policy Module Configuration Properties page, highlight CMS Machine Whitelist Policy under Loaded Handlers and click Configure.
  12. On the Template tab of the Policy Module Configuration dialog, enter the template name (the short name, not the template display name) of each certificate template you want to manage with the whitelist policy handler, one at a time, and click Add. In many cases, the template name is the same as the template display name with the spaces removed. Any templates entered here will be available for enrollment only from machines listed on the Machine Names tab.

    Figure 520: Add Templates for Management with the Whitelist Policy Handler

  13. On the Machine Names tab of the Policy Module Configuration dialog, enter the machine names (FQDNs), one at a time, of the machines that you want to manage with the whitelist policy handler and click Add. Any machines entered here will be allowed to enroll for the templates listed on the Templates tab.

    Figure 521: Add Machines for Management with the Whitelist Policy Handler

  14. Click OK as many times as needed to close the configuration dialogs and save the configuration. You will be prompted to restart the CA services.
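
Step 12 requires template short names, and the "display name with the spaces removed" rule does not always hold. The following PowerShell is an added example, not part of the Keyfactor product or documentation. It lists each template's short name beside its display name and flags the ones where that rule fails. It assumes a domain-joined machine and an account that can read the Active Directory configuration partition.

```powershell
# Added example (not Keyfactor code): list certificate template short names (cn)
# next to their display names so the correct value is entered in step 12.
# Assumption: run on a domain-joined machine with read access to the
# AD configuration partition.

$rootDse   = [ADSI]'LDAP://RootDSE'
$configNC  = $rootDse.configurationNamingContext
$container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$searcher = New-Object System.DirectoryServices.DirectorySearcher($container)
$searcher.Filter      = '(objectClass=pKICertificateTemplate)'
$searcher.SearchScope = 'OneLevel'
$searcher.PageSize    = 500
[void]$searcher.PropertiesToLoad.Add('cn')
[void]$searcher.PropertiesToLoad.Add('displayName')

$results = $searcher.FindAll()
try {
    $templates = foreach ($result in $results) {
        # Property keys in a SearchResult are lower case.
        $shortName   = [string]($result.Properties['cn'] | Select-Object -First 1)
        $displayName = [string]($result.Properties['displayname'] | Select-Object -First 1)

        [pscustomobject]@{
            ShortName   = $shortName
            DisplayName = $displayName
            # False means the short name is NOT just the display name without
            # spaces, so typing the display name minus spaces would not match.
            MatchesDisplayWithoutSpaces = ($shortName -eq ($displayName -replace '\s', ''))
        }
    }
}
finally {
    $results.Dispose()   # release the underlying directory search handle
}

$templates | Sort-Object ShortName | Format-Table -AutoSize
```

Enter the values from the ShortName column on the handler's template tab; rows where MatchesDisplayWithoutSpaces is False are the ones most likely to be mistyped.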