Certificate Store Discovery
Certificate Store Discovery
The certificate store discovery feature is used to scan machines and devices for existing certificates and certificate stores, which can then be configured for management in Keyfactor Command. Certificate store discovery is supported for the following built-in features:
- PEM A PEM format certificate file is a base64-encoded certificate. Since it's presented in ASCII, you can open it in any text editor. PEM certificates always begin and end with entries like ---- BEGIN CERTIFICATE---- and ----END CERTIFICATE----. PEM certificates can contain a single certificate or a full certifiate chain and may contain a private key. Usually, extensions of .cer and .crt are certificate files with no private key, .key is a separate private key file, and .pem is both a certificate and private key. and Java certificate stores discovered by the Keyfactor Java Agent The Java Agent, one of Keyfactor's suite of orchestrators, is used to perform discovery of Java keystores and PEM certificate stores, to inventory discovered stores, and to push certificates out to stores as needed.. Only stores to which the service account running the Keyfactor Command Java Agent has at least read permissions will be returned on a discover job.
- F5 bundle and SSL TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are protocols for establishing authenticated and encrypted links between networked computers. certificates discovered by the Keyfactor Windows Orchestrator The Windows Orchestrator, one of Keyfactor's suite of orchestrators, is used to manage synchronization of certificate authorities in remote forests, run SSL discovery and management tasks, and interact with Windows servers as well as F5 devices, NetScaler devices, Amazon Web Services (AWS) resources, and FTP capable devices, for certificate management. In addition, the AnyAgent capability of the Windows Orchestrator allows it to be extended to create custom certificate store types and management capabilities regardless of source platform or location. on F5 devices using the F5 REST API A set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command. (v13+).
The small number that appears on the tab to the right of the word Discover indicates how many discovered stores there are, if any. This acts as a reminder to check the discover tab for stores after a discovery job is complete.
To use the certificate store discovery feature:
- On the Certificate Store page, select the Discover tab.
- On the Discover tab, click Schedule.
-
In the Schedule Discovery dialog, select Java Keystore A Java KeyStore (JKS) is a file containing security certificates with matching private keys. They are often used by Java-based applications for authentication and encryption., PEM File, F5 CA A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA. Bundles REST, or F5 SSL Profiles REST in the Category field dropdown. The remaining fields in the dialog will vary slightly depending on the category you selected.
Java KeystoresFigure 244: Schedule Java Keystore Discover Job
PEM StoresFigure 245: Schedule PEM Certificate Store Discover Job
F5 CA Bundle REST StoresFigure 246: Schedule F5 CA Bundle Certificate Discover Job
F5 SSL Profile REST StoresFigure 247: Schedule F5 SSL Profile Certificate Discover Job
- In the Schedule Discovery dialog, select Java Keystore A Java KeyStore (JKS) is a file containing security certificates with matching private keys. They are often used by Java-based applications for authentication and encryption., PEM File, F5 CA Bundles REST, or F5 SSL Profiles REST in the Category field dropdown. The remaining fields in the dialog will vary slightly depending on the category you selected.
- In the Orchestrator field, select the fully qualified domain name of the Keyfactor Universal Orchestrator The Keyfactor Universal Orchestrator, one of Keyfactor's suite of orchestrators, is used to interact with Windows servers (a.k.a. IIS certificate stores) and FTP capable devices for certificate management, run SSL discovery and management tasks, and manage synchronization of certificate authorities in remote forests. With the addition of custom extensions, it can run custom jobs to provide certificate management capabilities on a variety of platforms and devices (e.g. F5 devices, NetScaler devices, Amazon Web Services (AWS) resources) and execute tasks outside the standard list of certificate management functions. It runs on either Windows or Linux.1, Windows Orchestrator Keyfactor orchestrators perform a variety of functions, including managing certificate stores and SSH key stores., or Java Agent machine managing the scanning. In the case of Java Agents, this is also the machine you wish to scan for stores. This field is required.
- In the Schedule dropdown, select either Immediate, to run the discover job within a few minutes of saving it, or Exactly Once, to select a date and time for the job. The default is Immediate.
- For F5 discovery jobs, in the Client Machine field enter the fully qualified domain name or IP address of the F5 device to be scanned.
- For F5 discovery jobs, click Set Server Username and, in the Server Username dialog, choose the source from which to load a user valid on the F5 device with Administrator permissions. In the Server Username dialog, the options are Load From Keyfactor Secrets or Load From PAM Provider. The No Value option is typically not supported for F5 stores.
Note: Although a user with Resource Administrator permissions is sufficient when using the F5 methods that use the SOAP API, the F5 methods that use the REST API require full Administrator permissions.
-
For F5 discovery jobs, click Set Server Password and, in the Server Password dialog, choose the source from which to load the password for the user specified with Set Server Username. In the Server Password dialog, the options are Load From Keyfactor Secrets or Load From PAM Provider. The No Value option is typically not supported for F5 stores.
-
In the Directories to search field, specify the directory or directories to search. Multiple directories should be separated by commas. This field is required.
JavaFor Java discovery, enter at a minimum either "/" for a Linux server or "c:\" for a Windows server (without the quotation marks).
PEMFor PEM discovery, enter at a minimum either "/" for a Linux server or "c:\" for a Windows server (without the quotation marks).
F5For F5 discovery, enter "/" (without the quotation marks).
- For F5 discovery jobs, check the Use SSL box to use SSL to communicate with the F5 device or cluster. The F5 device must trust the CA that issued the certificate used to protect the Keyfactor Command server if you select this option or you must set the Ignore Server SSL Warnings application setting to True (see Application Settings).
- Populate the remaining optional fields as needed. See Table 16: Discovery Options.
- Click Save to schedule the discovery task. Once the scan begins, it may take several minutes to complete.
- Return to the Discover tab for the results of the scan. Check the Orchestrator Jobs page (see Orchestrator Job Status) to review jobs in progress.
Option |
Description |
---|---|
Category | Select the type of certificate store to scan. |
Orchestrator |
Select the fully qualified domain name of the Keyfactor Universal Orchestrator, Windows Orchestrator, or Java Agent machine managing the scanning. In the case of Java Agents, this is also the machine to be scanned for certificate stores. This field is required. |
Schedule |
Specify the schedule for the scan—Immediate or Exactly Once. If you select Exactly Once, select a date and time for the scan. The default is Immediate. |
Client Machine | For F5 devices, enter the fully qualified domain name or IP address of the F5 device or cluster to be scanned for certificates. This option applies only to F5 CA bundle and F5 SSL profile discover jobs. This field is required. |
Server Username | For F5 devices, set the username used to authenticated to the device or cluster. |
Server Password | For F5 devices, set the password used to authenticated to the device or cluster. |
Directories to search |
Specify the directory or directories to be searched. Multiple directories should be separated by commas. All directories specified to which the service account user (the user account that the Java agent is operating as or the user configured for the F5 device using the Change Credentials option) has read rights will be searched other than the excluded directories specified using the "Directories to ignore" option. It is not necessary to use quotation marks around directory paths containing spaces. For F5, the path should be specified as "/" (without the quotation marks). This field is required. |
Directories to ignore |
Specify any directories that should not be included in the search. Multiple directories should be separated by commas. It is not necessary to use quotation marks around directory paths containing spaces. |
Extensions |
Specify file extensions for which to search. For example, search for files with the extension jks but not txt. The dot should not be included when specifying extensions. |
File name patterns to match |
Specify all or part of a string against which to compare the file names of certificate store files and return only those that contain the specified string. It is not necessary to use quotation marks around strings containing spaces. |
Follow SymLinks |
If this option is specified, the tool will follow symbolic links on Linux and UNIX operating systems and report both the actual location of a found certificate store file in addition to the symbolic link pointing to the file. This option is ignored for searches of Windows-based Java Agents. |
Include PKCS12 Files |
If this option is specified, the tool will use the compatibility mode introduced in Java version 1.8 to locate both JKS A Java KeyStore (JKS) is a file containing security certificates with matching private keys. They are often used by Java-based applications for authentication and encryption. and PKCS12 type files. This option applies only to Java keystore discover jobs. |
Use SSL | For F5 devices, use SSL to communicate to the device or cluster. |
To manage discovered certificate stores:
- In the Management Portal, browse to Locations > Certificate Stores.
- On the Certificate Stores page, select the Discover tab.
- On the Discover tab, highlight one or more store row(s) in the grid and click Manage at the top of the grid or right-click the store in the grid and choose Manage from the right-click menu. Java keystores require entry of the store password or PAM credential access information during the approval process. If you select more than one Java keystore for approval at the same time, they must all share the same password or PAM information. The right-click menu supports operations on only one store at a time.
Figure 248: Discovered Certificate Stores
For a Java KeystoreIn the Approve Certificate Stores dialog configure the following fields:
- If desired, select a Container from the dropdown.
Click the Set Password button to enter the password for the keystore. In the Password dialog, the options are No Value, Load From Keyfactor Secrets, and Load From PAM Provider.
- Select a Type from the dropdown. The default is JKS.
Figure 250: Manage a Discovered Java Certificate Store
For a PEM certificate storeIn the Approve Certificate Stores dialog configure the following fields:
- If desired, select a Container from the dropdown.
- If the certificate store has a Separate Private Key file, select the True radio button.
- If the certificate store has a separate private key Private keys are used in cryptography (symmetric and asymmetric) to encrypt or sign content. In asymmetric cryptography, they are used together in a key pair with a public key. The private or secret key is retained by the key's creator, making it highly secure., enter the path and filename for the key file in the Path to Private Key File field.
Figure 251: Manage a Discovered PEM Certificate Store
For an F5 CA Bundle certificateIn the Approve Certificate Store dialog configure the following fields:
- If desired, select a Container from the dropdown.
- In the Primary Node field, enter the fully qualified domain name of the F5 device that acts as the primary node in a highly available F5 implementation. If you're using a single F5 device, this will often be the same value you entered in the Client Machine field.Tip: Configuration of the primary node is necessary to allow management jobs that update certificates on the F5 device to wait until the primary node is available before making their update. Inventory jobs are carried out against any available node.
- In the Primary Node Check Retry Wait Seconds field, either accept the default value of 120 seconds or enter a new value. This value represents the number of seconds the orchestrator will wait after a pending management job cannot be completed because the primary node cannot be contacted before trying to contact the primary node again to retry the job.
- In the Primary Node Check Retry Maximum field, either accept the default value of 3 retry attempts or enter a new value. This value represents the number of times the orchestrator will retry a pending management job that is failing because the primary node cannot be contacted before declaring the job failed.
- In the Version of F5 dropdown, select the version of F5 this server is running. The F5 REST API is supported on version 13 and up.Tip: Select v15 for version 15 and above.
Click Set Server Username to choose the source from which to load a user valid on the F5 device with Administrator permissions. In the Server Username dialog, the options are Load From Keyfactor Secrets or Load From PAM Provider. The No Value option is typically not supported for F5 stores.
Note: Although a user with Resource Administrator permissions is sufficient when using the F5 methods that use the SOAP API, the F5 methods that use the REST API require full Administrator permissions.Click Set Server Password to choose the source to load a valid password for the server. In the Server Password dialog, the options are Load From Keyfactor Secrets or Load From PAM Provider. The No Value option is typically not supported for F5 stores.
- In the Use SSL section, select True to use SSL to communicate with the F5 device or cluster, if desired. The F5 device must trust the CA that issued the certificate used to protect the Keyfactor Command server if you select this option or you must set the Ignore Server SSL Warnings application setting to True (see Application Settings).
Figure 253: Manage a Discovered F5 CA Bundle Certificate
For an F5 SSL Profile certificateIn the Approve Certificate Store dialog configure the following fields:
- If desired, select a Container from the dropdown.
- In the Primary Node field, enter the fully qualified domain name of the F5 device that acts as the primary node in a highly available F5 implementation. If you're using a single F5 device, this will often be the same value you entered in the Client Machine field.Tip: Configuration of the primary node is necessary to allow management jobs that update certificates on the F5 device to wait until the primary node is available before making their update. Inventory jobs are carried out against any available node.
- In the Primary Node Check Retry Wait Seconds field, either accept the default value of 120 seconds or enter a new value. This value represents the number of seconds the orchestrator will wait after a pending management job cannot be completed because the primary node cannot be contacted before trying to contact the primary node again to retry the job.
- In the Primary Node Check Retry Maximum field, either accept the default value of 3 retry attempts or enter a new value. This value represents the number of times the orchestrator will retry a pending management job that is failing because the primary node cannot be contacted before declaring the job failed.
- In the Version of F5 dropdown, select the version of F5 this server is running. The F5 REST API is supported on version 13 and up.Tip: Select v15 for version 15 and above.
Click Set Server Username to choose the source from which to load a user valid on the F5 device with Administrator permissions. In the Server Username dialog, the options are Load From Keyfactor Secrets or Load From PAM Provider. The No Value option is typically not supported for F5 stores.
Note: Although a user with Resource Administrator permissions is sufficient when using the F5 methods that use the SOAP API, the F5 methods that use the REST API require full Administrator permissions.Click Set Server Password to choose the source to load a valid password for the server. In the Server Password dialog, the options are Load From Keyfactor Secrets or Load From PAM Provider. The No Value option is typically not supported for F5 stores.
- In the Use SSL section, select True to use SSL to communicate with the F5 device or cluster, if desired. The F5 device must trust the CA that issued the certificate used to protect the Keyfactor Command server if you select this option or you must set the Ignore Server SSL Warnings application setting to True (see Application Settings).
Figure 255: Manage a Discovered F5 SSL Profile Certificate
Discovered certificate stores can be deleted one at a time or in multiples.
To delete a discovered certificate store:
- In the Management Portal, browse to Locations > Certificate Stores.
- On the Certificate Stores page, select the Discover tab.
- On the Discover tab, highlight the row(s) in the discover grid of the store(s) to delete and click Delete at the top of the grid or right-click the store location in the grid and choose Delete from the right-click menu. The right-click menu supports operations on only one store at a time.
- On the Confirm Operation alert, click OK to confirm or Cancel to cancel the operation.