Certificate Store Operations
To select a single row in the certificate store grid, click to highlight it and then select an operation from either the top of the grid or the right-click menu. The delete, schedule inventory and assign container operations can be done on multiple certificate stores at once. To select multiple rows, click the checkbox for each row on which you would like to perform an operation. Then select an operation from the top of the grid. The selected stores must all be of the same category (e.g. PEM or Java) to perform the assign container operation. The right-click menu supports operations on only one store at a time.
Before creating a certificate store in Keyfactor Command, you must approve an orchestrator to handle the store. Some orchestrators can be configured for auto-approval. See Orchestrator Auto-Registration and Orchestrator Management.
Permissions for certificate stores can be set at either the global or certificate store container level. See Container Permissions in the Keyfactor Command Reference Guide for more information about global vs container permissions.
Certificate stores can be added manually or, for some types of stores, automatically using a discover process (see Certificate Store Discovery). To define a new certificate store location manually or edit an existing one:
- In the Management Portal, browse to Locations > Certificate Stores.
- On the Certificate Stores page, select the Certificate Stores tab (the default when you first visit the page).
- On the Certificate Stores tab, click Add to create a new store location, or click Edit from either the top or right-click menu to modify an existing one.
- In the Certificate Stores dialog, select the type of certificate store in the Category dropdown. This field cannot be modified on an edit.
- In the Container field, select a container into which to place the store for organization from your previously defined list, if desired. This field is optional. If no container matching the type of certificate store you are adding exists, no containers will be available in the dropdown (see Certificate Store Container Operations). Leave blank if you do not wish the certificate store to be associated with a specific store container. If you are using PAM and choose not to select a container, you will need to have created a PAM provider (see PAM Provider Configuration in Keyfactor Command) with no certificate store container in order for it to be available for selection when setting a user or password.
For an Amazon Web Services Certificate Store
- Enter the fully qualified domain name of the Keyfactor Universal Orchestrator or Windows Orchestrator machine that will manage the store in the Client Machine field. This field cannot be modified on an edit.
- In the Store Path dropdown, select the region for your Amazon Web Service. This field cannot be modified on an edit.
- Click the Set Access Key field to enter the API access key for your web service. In the Access Key dialog, the options are Load From Keyfactor Secrets or Load From PAM Provider.
- Click the Set Secret Key field to enter the API secret key for your web service. In the Secret Key dialog, the options are Load From Keyfactor Secrets or Load From PAM Provider.
Figure 225: Add New Amazon Web Services Certificate Store
For an F5 CA Bundles REST Certificate Store
Tip: F5 CA bundle stores can be added using the certificate store discovery option rather than manually, if desired (see Certificate Store Discovery).
- Enter the fully qualified domain name of the F5 device (or F5 cluster for a high availability deployment) on which the certificate store is located in the Client Machine field. This field cannot be modified on an edit.
- In the Store Path field, enter the path to the CA bundle on the F5 device into which you want to install the certificate (e.g. /Common/myca-bundle). The Store Path name is case sensitive, so, for example, if the partition name on the F5 is "Common" it must be entered in the Store Path field as "Common" rather than "common". This field cannot be modified on an edit.
- Select the name of the Keyfactor Universal Orchestrator or Windows Orchestrator machine that will manage the stores in the Orchestrator dropdown. The orchestrator must be approved in order to appear here. Some orchestrators can be configured for auto-approval. See Orchestrator Auto-Registration and Orchestrator Management.
- In the Primary Node field, enter the fully qualified domain name of the F5 device that acts as the primary node in a highly available F5 implementation. If you're using a single F5 device, this will often be the same value you entered in the Client Machine field.
Tip: Configuration of the primary node is necessary to allow management jobs that update certificates on the F5 device to wait until the primary node is available before making their update. Inventory jobs are carried out against any available node.
- In the Primary Node Check Retry Wait Seconds field, either accept the default value of 120 seconds or enter a new value. This value represents the number of seconds the orchestrator will wait after a pending management job cannot be completed because the primary node cannot be contacted before trying to contact the primary node again to retry the job.
- In the Primary Node Check Retry Maximum field, either accept the default value of 3 retry attempts or enter a new value. This value represents the number of times the orchestrator will retry a pending management job that is failing because the primary node cannot be contacted before declaring the job failed.
- In the Version of F5 dropdown, select the version of F5 this server is running. The F5 REST API is supported on version 13 and up.
Tip: Select v15 for version 15 and above.
- Click Set Server Username to choose the source from which to load a user valid on the F5 device with Administrator permissions. In the Server Username dialog, the options are Load From Keyfactor Secrets or Load From PAM Provider. The No Value option is typically not supported for F5 stores.
Note: Although a user with Resource Administrator permissions is sufficient when using the F5 methods that use the SOAP API, the F5 methods that use the REST API require full Administrator permissions.
- Click Set Server Password to choose the source from which to load a valid password for the server. In the Server Password dialog, the options are Load From Keyfactor Secrets or Load From PAM Provider. The No Value option is typically not supported for F5 stores.
- In the Use SSL section, select True to use SSL to communicate with the F5 device or cluster, if desired. The F5 device must trust the CA that issued the certificate used to protect the Keyfactor Command server if you select this option or you must set the Ignore Server SSL Warnings application setting to True (see Application Settings).
Figure 226: Add New F5 CA Bundles REST Certificate Store Location
For an F5 SSL Profile Certificate Store (SOAP)
- Enter the fully qualified domain name of the F5 device on which the certificate store is located in the Client Machine field. This field cannot be modified on an edit.
- In the Store Path field, enter the name of the partition on the F5 device into which you want to install the certificate. The Store Path name is case sensitive, so if the partition name on the F5 is "Common" it must be entered in the Store Path field as "Common" rather than "common". This field cannot be modified on an edit.
- Select the name of the Windows Orchestrator machine that will manage the stores in the Orchestrator dropdown. The orchestrator must be approved in order to appear here. Orchestrators can be configured for auto-approval. See Orchestrator Auto-Registration and Orchestrator Management.
- Click Set Server Username to choose the source from which to load a user valid on the F5 device with Administrator or Resource Administrator permissions. In the Server Username dialog, the options are Load From Keyfactor Secrets or Load From PAM Provider. The No Value option is typically not supported for F5 stores.
- Click Set Server Password to choose the source from which to load a valid password for the server. In the Server Password dialog, the options are Load From Keyfactor Secrets or Load From PAM Provider. The No Value option is typically not supported for F5 stores.
- In the Use SSL section, select True to use SSL to communicate with the F5 device or cluster, if desired. The F5 device must trust the CA that issued the certificate used to protect the Keyfactor Command server if you select this option or you must set the Ignore Server SSL Warnings application setting to True (see Application Settings).
Figure 227: Add New F5 SSL Profile Certificate Store Location
For an F5 SSL Profile REST Certificate Store
Tip: F5 SSL profile stores can be added using the certificate store discovery option rather than manually, if desired, if you opt to select the REST connection method (see Certificate Store Discovery).
- Enter the fully qualified domain name of the F5 device (or F5 cluster for a high availability deployment) on which the certificate store is located in the Client Machine field. This field cannot be modified on an edit.
- In the Store Path field, enter the name of the partition on the F5 device into which you want to install the certificate. The Store Path name is case sensitive, so if the partition name on the F5 is "Common" it must be entered in the Store Path field as "Common" rather than "common". This field cannot be modified on an edit.
- Select the name of the Keyfactor Universal Orchestrator or Windows Orchestrator machine that will manage the stores in the Orchestrator dropdown. The orchestrator must be approved in order to appear here. Some orchestrators can be configured for auto-approval. See Orchestrator Auto-Registration and Orchestrator Management.
- In the Primary Node field, enter the fully qualified domain name of the F5 device that acts as the primary node in a highly available F5 implementation. If you're using a single F5 device, this will often be the same value you entered in the Client Machine field.
Tip: Configuration of the primary node is necessary to allow management jobs that update certificates on the F5 device to wait until the primary node is available before making their update. Inventory jobs are carried out against any available node.
- In the Primary Node Check Retry Wait Seconds field, either accept the default value of 120 seconds or enter a new value. This value represents the number of seconds the orchestrator will wait after a pending management job cannot be completed because the primary node cannot be contacted before trying to contact the primary node again to retry the job.
- In the Primary Node Check Retry Maximum field, either accept the default value of 3 retry attempts or enter a new value. This value represents the number of times the orchestrator will retry a pending management job that is failing because the primary node cannot be contacted before declaring the job failed.
- In the Version of F5 dropdown, select the version of F5 this server is running. The F5 REST API is supported on version 13 and up.
Tip: Select v15 for version 15 and above.
- Click Update Server Username to choose the source from which to load a user valid on the F5 device with Administrator permissions. In the Server Username dialog, the options are Load From Keyfactor Secrets or Load From PAM Provider. The No Value option is typically not supported for F5 stores.
Note: Although a user with Resource Administrator permissions is sufficient when using the F5 methods that use the SOAP API, the F5 methods that use the REST API require full Administrator permissions.
- Click Update Server Password to choose the source from which to load a valid password for the server. In the Server Password dialog, the options are Load From Keyfactor Secrets or Load From PAM Provider. The No Value option is typically not supported for F5 stores.
- In the Use SSL section, select True to use SSL to communicate with the F5 device or cluster, if desired. The F5 device must trust the CA that issued the certificate used to protect the Keyfactor Command server if you select this option or you must set the Ignore Server SSL Warnings application setting to True (see Application Settings).
Figure 228: Add New F5 SSL Profile REST Certificate Store Location
For an F5 Web Server Certificate Store (SOAP)
- Enter the fully qualified domain name of the F5 device on which the certificate store is located in the Client Machine field. This field cannot be modified on an edit.
- The Store Path is configured to a fixed value for this type of store and cannot be changed.
- Select the name of the Windows Orchestrator machine that will manage the stores in the Orchestrator dropdown. The orchestrator must be approved in order to appear here. Orchestrators can be configured for auto-approval. See Orchestrator Auto-Registration and Orchestrator Management.
- Click Set Server Username to choose the source from which to load a user valid on the F5 device with Administrator or Resource Administrator permissions. In the Server Username dialog, the options are Load From Keyfactor Secrets or Load From PAM Provider. The No Value option is typically not supported for F5 stores.
- Click Set Server Password to choose the source from which to load a valid password for the server. In the Server Password dialog, the options are Load From Keyfactor Secrets or Load From PAM Provider. The No Value option is typically not supported for F5 stores.
- In the Use SSL section, select True to use SSL to communicate with the F5 device or cluster, if desired. The F5 device must trust the CA that issued the certificate used to protect the Keyfactor Command server if you select this option or you must set the Ignore Server SSL Warnings application setting to True (see Application Settings).
Figure 229: Add New F5 Web Server Certificate Store Location
For an F5 Web Server REST Certificate Store
- Enter the fully qualified domain name of the F5 device (or F5 cluster for a high availability deployment) on which the certificate store is located in the Client Machine field. This field cannot be modified on an edit.
- The Store Path is configured to a fixed value for this type of store and cannot be changed.
- Select the name of the Keyfactor Universal Orchestrator or Windows Orchestrator machine that will manage the stores in the Orchestrator dropdown. The orchestrator must be approved in order to appear here. Some orchestrators can be configured for auto-approval. See Orchestrator Auto-Registration and Orchestrator Management.
- In the Primary Node field, enter the fully qualified domain name of the F5 device that acts as the primary node in a highly available F5 implementation. If you're using a single F5 device, this will typically be the same value you entered in the Client Machine field.
Tip: Configuration of the primary node is necessary to allow management jobs that update certificates on the F5 device to wait until the primary node is available before making their update. Inventory jobs are carried out against any available node.
- In the Primary Node Check Retry Wait Seconds field, either accept the default value of 120 seconds or enter a new value. This value represents the number of seconds the orchestrator will wait after a pending management job cannot be completed because the primary node cannot be contacted before trying to contact the primary node again to retry the job.
- In the Primary Node Check Retry Maximum field, either accept the default value of 3 retry attempts or enter a new value. This value represents the number of times the orchestrator will retry a pending management job that is failing because the primary node cannot be contacted before declaring the job failed.
- In the Version of F5 dropdown, select the version of F5 this server is running. The F5 REST API is supported on version 13 and up.
Tip: Select v15 for version 15 and above.
- Click Update Server Username to choose the source from which to load a user valid on the F5 device with Administrator permissions. In the Server Username dialog, the options are Load From Keyfactor Secrets or Load From PAM Provider. The No Value option is typically not supported for F5 stores.
Note: Although a user with Resource Administrator permissions is sufficient when using the F5 methods that use the SOAP API, the F5 methods that use the REST API require full Administrator permissions.
- Click Update Server Password to choose the source from which to load a valid password for the server. In the Server Password dialog, the options are Load From Keyfactor Secrets or Load From PAM Provider. The No Value option is typically not supported for F5 stores.
- In the Use SSL section, select True to use SSL to communicate with the F5 device or cluster, if desired. The F5 device must trust the CA that issued the certificate used to protect the Keyfactor Command server if you select this option or you must set the Ignore Server SSL Warnings application setting to True (see Application Settings).
Figure 230: Add New F5 Web Server REST Certificate Store Location
For a File Transfer Protocol Certificate Store
- Enter the fully qualified domain name of the machine on which the certificate store is located in the Client Machine field. This field cannot be modified on an edit.
- In the Store Path field, enter the name of the directory containing the PEM certificate store(s) you wish to manage via FTP. The directory name is given relative to the FTP root and should include a leading forward slash (/) for both Windows and Linux FTP servers. Enter just a forward slash to manage the FTP root. This field cannot be modified on an edit.
- Select the name of the Keyfactor Universal Orchestrator or Windows Orchestrator machine that will manage the stores in the Orchestrator dropdown. The orchestrator must be approved in order to appear here. Some orchestrators can be configured for auto-approval. See Orchestrator Auto-Registration and Orchestrator Management.
- Click Update Server Username to choose the source from which to load a user valid on the FTP server with sufficient permissions to read and/or write to the file storage location as needed. In the Server Username dialog, the options are No Value, Load From Keyfactor Secrets, and Load From PAM Provider.
- Click Update Server Password to choose the source from which to load a valid password for the server. In the Server Password dialog, the options are No Value, Load From Keyfactor Secrets, and Load From PAM Provider.
- In the Use SSL section, select True to use SSL to communicate with the FTP server, if desired.
Figure 231: Add New FTP Certificate Store Location
For an IIS Certificate Store
The options are the same for all three types of IIS certificate stores (IIS Personal, IIS Revoked and IIS Trusted Roots).
- Enter the fully qualified domain name of the server on which the certificate store is located in the Client Machine field. This field cannot be modified on an edit.
Important: Use the actual hostname of the IIS server in the Client Machine field rather than a DNS alias (either "A" or CNAME records). This is necessary because the orchestrator uses PowerShell remoting for some of the machine certificate store functions, which relies on Kerberos authentication. Kerberos authentication requires that the target machine has a service principal name (SPN) in the HTTP/ format assigned to the target's machine account. This will be present by default (as part of the HOST/ format record) as long as the HTTP/ format SPN has not been manually assigned elsewhere. Using an alias gets into complexities of setting up appropriate SPNs and assuring that there are not duplicate SPNs in the environment. If you wish to manage the IIS server hosting Keyfactor Command, you will need to use a DNS alias for either your Keyfactor Command server or the IIS store access. Contact Keyfactor for design assistance.
- The Store Path is configured to a fixed value for this type of store and cannot be changed.
- Select the name of the Keyfactor Universal Orchestrator or Windows Orchestrator machine that will manage the stores in the Orchestrator dropdown. The orchestrator must be approved in order to appear here. Some orchestrators can be configured for auto-approval. See Orchestrator Auto-Registration and Orchestrator Management.
Tip: When managing IIS stores, the orchestrator does so with the account it's running as (its own service account credentials). The orchestrator service account needs sufficient permissions to be able to install, delete, and update certificates. Typically, this would be a domain account that has local administrator permission on the IIS machines it needs to manage.
- In the Use SSL section, select True to cause the orchestrator to use SSL over port 5986 (by default) when communicating with IIS targets using Microsoft Windows Remote Management (WinRM). Selecting False will cause communications to occur over port 5985 (by default). WinRM HTTPS is not enabled by default. For more information, see Configure the Targets for IIS Management in the Keyfactor Orchestrators Installation and Configuration Guide.
Figure 232: Add New IIS Personal Certificate Store Location
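The Important note and the Use SSL option above amount to three checks on an IIS target: the Client Machine value is a real hostname rather than a DNS alias, no HTTP/ SPN for that name is registered on an account other than the target's machine account, and a WinRM listener answers on port 5985 (Use SSL = False) or 5986 (Use SSL = True). The following PowerShell is an added example, not code from the Keyfactor documentation or product; it assumes a domain-joined Windows host with setspn.exe available, and the hostname it is called with is a constructed placeholder.

```powershell
# Added example, not part of the Keyfactor Command documentation or product.
# Pre-flight checks for an IIS target before it is entered in the Client Machine
# field. Run on a domain-joined Windows host as a user who can read Active Directory.
function Test-IisTargetReadiness {
    param([Parameter(Mandatory)] [string]$ClientMachine)

    $findings  = New-Object System.Collections.Generic.List[string]
    $shortName = ($ClientMachine -split '\.')[0]

    # (1) Alias check: a CNAME answer means the name is an alias, not the host itself,
    #     so Kerberos cannot match it to the target's HOST/ SPN.
    $dns   = Resolve-DnsName -Name $ClientMachine -ErrorAction SilentlyContinue
    $cname = @($dns | Where-Object { $_.Type -eq 'CNAME' })
    if ($cname.Count -gt 0) {
        $findings.Add("DNS: '$ClientMachine' is a CNAME for '$($cname[0].NameHost)'. Use the real hostname instead.")
    } elseif (-not $dns) {
        $findings.Add("DNS: '$ClientMachine' did not resolve.")
    }

    # (2) SPN check: if HTTP/<name> is registered on some other account, Kerberos issues
    #     a ticket for that account and PowerShell remoting to the machine fails.
    #     Zero owners is the expected default: HTTP/ then falls back to the HOST/ SPN.
    foreach ($spn in @("HTTP/$ClientMachine", "HTTP/$shortName")) {
        $out = & setspn.exe -Q $spn 2>&1
        # In setspn -Q output, lines starting with "CN=" are the owning accounts' DNs.
        $owners = @($out | Where-Object { "$_" -match '^CN=' })
        if ($owners.Count -gt 1) {
            $findings.Add("SPN: '$spn' is registered on $($owners.Count) accounts (duplicate SPN): $($owners -join '; ')")
        } elseif ($owners.Count -eq 1 -and "$($owners[0])" -notmatch "^CN=$([regex]::Escape($shortName)),") {
            $findings.Add("SPN: '$spn' is assigned to '$($owners[0])' rather than the machine account '${shortName}$'.")
        }
    }

    # (3) WinRM listener check. Test-WSMan sends an unauthenticated Identify request;
    #     -UseSSL targets port 5986, otherwise port 5985 (the documented defaults).
    foreach ($useSsl in @($false, $true)) {
        $port = if ($useSsl) { 5986 } else { 5985 }
        try {
            $null = Test-WSMan -ComputerName $ClientMachine -UseSSL:$useSsl -ErrorAction Stop
        } catch {
            $findings.Add("WinRM: no listener answered on port $port (Use SSL = $useSsl): $($_.Exception.Message)")
        }
    }

    [pscustomobject]@{
        ClientMachine = $ClientMachine
        Ready         = ($findings.Count -eq 0)
        Findings      = $findings
    }
}

# Constructed placeholder; replace with the IIS server's actual hostname.
Test-IisTargetReadiness -ClientMachine 'iis01.keyexample.com' | Format-List
```

A Ready value of False with an SPN finding points at the SPN work the Important note warns about; a WinRM finding on 5986 only means the HTTPS listener still has to be configured before Use SSL can be set to True.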
For a Java Keystore
Tip: Java keystores can be added using the certificate store discovery option rather than manually, if desired (see Certificate Store Discovery).
- Enter the fully qualified domain name of the machine on which the keystore is or will be located in the Client Machine field. This field cannot be modified on an edit.
- In the Store Path field, enter the full path to the keystore on that machine, including the file name. Paths and filenames entered for Linux/UNIX machines are case sensitive. This field cannot be modified on an edit.
- Select the Type from the dropdown. The available types are:
  - JKS: Standard Java keystore.
  - PKCS12: PKCS12 type files (e.g. P12 or PFX), which are discoverable with the Java Agent using compatibility mode introduced in Java version 1.8.
  - Windows-My: Windows local machine personal certificate store. This option is only supported with a custom extension based on the AnyAgent framework. The Keyfactor Java Agent does not include functionality to manage this type of store.
- Click Set Store Password. The Store Password dialog will open. In the Store Password dialog, the options are No Value, Load From Keyfactor Secrets, and Load From PAM Provider.
- If the keystore does not already exist and you would like to create it, check the Create Certificate Store box. This will cause the file to be created on the target.
Figure 233: Add New Java Keystore Location
For a NetScaler Certificate Store
- Enter the fully qualified domain name of the Citrix ADC (a.k.a. NetScaler) device on which the certificate store is located in the Client Machine field. This field cannot be modified on an edit.
- In the Store Path field, enter the name of the directory on the Citrix ADC device containing the certificate store(s) you wish to manage. The Store Path name is case sensitive. This field cannot be modified on an edit.
- Select the name of the Keyfactor Universal Orchestrator or Windows Orchestrator machine that will manage the stores in the Orchestrator dropdown. The orchestrator must be approved in order to appear here. Some orchestrators can be configured for auto-approval. See Orchestrator Auto-Registration and Orchestrator Management.
- Click Set Server Username to choose the source from which to load a user valid on the Citrix ADC device with partition-admin permissions. In the Server Username dialog, the options are Load From Keyfactor Secrets or Load From PAM Provider.
- Click Set Server Password to choose the source from which to load a valid password for the server. In the Server Password dialog, the options are Load From Keyfactor Secrets or Load From PAM Provider.
- In the Use SSL section, select True to use SSL to communicate with the Citrix ADC device or cluster, if desired.
Figure 234: Add New NetScaler Certificate Store Location
For a PEM Certificate Store
Tip: PEM stores can be added using the certificate store discovery option rather than manually, if desired (see Certificate Store Discovery).
- Enter the fully qualified domain name of the machine on which the certificate store is located in the Client Machine field. This field cannot be modified on an edit.
- In the Store Path field, enter the full path to the store on that machine, including the file name. Paths and filenames entered for Linux/UNIX machines are case sensitive. This field cannot be modified on an edit.
- In the Separate Private Key section, select True if the private key for the certificate is stored in a separate file from the certificate.
- If you selected True in the Separate Private Key section, enter the full path to the private key on the machine, including the file name, in the Path to Private Key File field. Paths and filenames entered for Linux/UNIX machines are case sensitive.
Figure 235: Add New PEM Certificate Store Location
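Whether Separate Private Key should be True, and whether Path to Private Key File is needed, depends on what the PEM file on the target actually contains (one or more certificates, with or without an embedded private key). The following PowerShell is an added example, not code from the Keyfactor documentation or product: it scans the PEM block labels of a store file and an optional key file and reports what it finds. The sample files it writes are constructed, with placeholder base64 bodies rather than real certificates.

```powershell
# Added example, not part of the Keyfactor Command documentation or product.
# Inspects a PEM store before the Separate Private Key and Path to Private Key File
# fields are set. It scans PEM labels only; it does not decode or validate DER content.
function Get-PemStoreSummary {
    param(
        [Parameter(Mandatory)] [string]$StorePath,
        [string]$PrivateKeyPath
    )
    # -LiteralPath avoids wildcard expansion; on Linux/UNIX targets the path is case sensitive.
    $text = Get-Content -LiteralPath $StorePath -Raw

    # Each PEM block is bracketed by "-----BEGIN <LABEL>-----" / "-----END <LABEL>-----".
    $labels    = @([regex]::Matches($text, '-----BEGIN ([A-Z0-9 ]+)-----') |
                   ForEach-Object { $_.Groups[1].Value })
    $certCount = @($labels | Where-Object { $_ -eq 'CERTIFICATE' }).Count
    $keyLabels = @($labels | Where-Object { $_ -like '*PRIVATE KEY*' })

    $keyInStore    = $keyLabels.Count -gt 0
    $keyFileExists = -not [string]::IsNullOrEmpty($PrivateKeyPath) -and
                     (Test-Path -LiteralPath $PrivateKeyPath)

    # Encrypted keys: PKCS#8 uses its own label; legacy PKCS#1/SEC1 keys carry a
    # "Proc-Type: 4,ENCRYPTED" header line inside the block.
    $keyText = if ($keyInStore) { $text }
               elseif ($keyFileExists) { Get-Content -LiteralPath $PrivateKeyPath -Raw }
               else { '' }
    $hasKey       = $keyInStore -or $keyFileExists
    $keyEncrypted = $hasKey -and (($keyText -match '-----BEGIN ENCRYPTED PRIVATE KEY-----') -or
                                  ($keyText -match 'Proc-Type: 4,ENCRYPTED'))

    [pscustomobject]@{
        StorePath           = $StorePath
        Certificates        = $certCount
        PrivateKeyInStore   = $keyInStore
        PrivateKeyFileFound = $keyFileExists
        # Suggested value for the Separate Private Key field in the store dialog.
        SeparatePrivateKey  = (-not $keyInStore) -and $keyFileExists
        # An unencrypted key relies entirely on file permissions for its protection.
        UnencryptedKey      = $hasKey -and -not $keyEncrypted
    }
}

# Constructed sample store and key file (placeholder base64, not real certificates).
$tmp = Join-Path ([System.IO.Path]::GetTempPath()) 'pem-store-example'
New-Item -ItemType Directory -Path $tmp -Force | Out-Null
@"
-----BEGIN CERTIFICATE-----
MIIBconstructedLeafCertificateBodyGoesHere==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBconstructedIssuerCertificateBodyGoesHere==
-----END CERTIFICATE-----
"@ | Set-Content -LiteralPath (Join-Path $tmp 'server.crt')
@"
-----BEGIN PRIVATE KEY-----
MIIEconstructedUnencryptedPkcs8KeyBodyGoesHere==
-----END PRIVATE KEY-----
"@ | Set-Content -LiteralPath (Join-Path $tmp 'server.key')

Get-PemStoreSummary -StorePath (Join-Path $tmp 'server.crt') `
                    -PrivateKeyPath (Join-Path $tmp 'server.key') | Format-List
```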
- In the Inventory Schedule fields, select an inventory schedule for the store, if desired. You can choose to run the inventory Daily, on an Interval, Immediately, Exactly Once, or set inventorying to Off.
- If you select Daily, you can set the time of day when the inventory should begin every day.
- If you select Interval, you can select a scan frequency of anywhere from every 1 minute to every 12 hours.
- If you select Immediate, the inventory will run within a few minutes of saving the record and will run only once. After this, the inventory schedule will be cleared.
- If you select Exactly Once, you can select a date and time at which to run the inventory job. After the job has run, the inventory schedule will be cleared.
- Select Off to disable the inventory job.
If you are using Certificate Store Containers (see Certificate Store Containers) to manage your stores and their schedules you do not need to set an inventory schedule here.
- Click Save to save the new or edited certificate store location.
Permissions for certificate stores can be set at either the global or certificate store container level. See Container Permissions in the Keyfactor Command Reference Guide for more information about global vs container permissions.
To delete a certificate store:
- In the Management Portal, browse to Locations > Certificate Stores.
- On the Certificate Stores page, select the Certificate Stores tab (the default when you first visit the page).
- On the Certificate Stores tab, highlight the row(s) in the certificate store grid of the store(s) to delete and click Delete at the top of the grid or right-click the store location in the grid and choose Delete from the right-click menu. The right-click menu supports operations on only one store at a time.
- On the Confirm Operation alert, click OK to confirm or Cancel to cancel the operation.
Users without modify permissions to certificate stores will see a View option instead of an Edit option on the Certificate Stores page to allow them to see a read-only view of the certificate store configuration details.
Permissions for certificate stores can be set at either the global or certificate store container level. See Container Permissions in the Keyfactor Command Reference Guide for more information about global vs container permissions.
To view the details of a certificate store:
- In the Management Portal, browse to Locations > Certificate Stores.
- On the Certificate Stores page, select the Certificate Stores tab (the default when you first visit the page).
- On the Certificate Stores tab, highlight the row in the certificate store grid of the store for which to view certificate store details and click View at the top of the grid or right-click the store location in the grid and choose View from the right-click menu.
The fields are the same as those described for adding or editing a certificate store (see Adding or Modifying a Certificate Store), but none of the fields are editable when using the View option.
Figure 236: View Details for a Certificate Store
The Reenrollment option is available for:
- PEM certificate stores managed by the Native Agent.
- PEM and Java certificate stores managed by the Java and Android Agents.
- Any custom certificate store types created with the AnyAgent Framework to support this functionality.
In addition, either the user scheduling the reenrollment job or the user configured to provide authentication to the CA (see Authorization Methods Tab) must have enrollment permissions configured on the CA and template. (Certificate enrollment is the process by which a user requests a digital certificate; the request is submitted to a certificate authority (CA). A certificate template defines the policies and rules that a CA uses when it receives a request for a certificate.)
To begin a reenrollment:
- In the Management Portal, browse to Locations > Certificate Stores.
- On the Certificate Stores page, select the Certificate Stores tab (the default when you first visit the page).
- On the Certificate Stores tab, highlight the row in the certificate store grid of the store to reenroll and click Reenrollment at the top of the grid or right-click the store location in the grid and choose Reenrollment from the right-click menu.
- On the Reenrollment dialog, enter a Subject Name for the new certificate using X.500 format and add an Alias for Java stores. PEM store reenrollments do not display the Alias field.
- If desired, select a Certificate Authority to direct the enrollment request to and/or Template for the request.
Note: If you don't select a template or CA for reenrollment, the values configured for the "Template For Submitted CSRs" and/or "Certificate Authority For Submitted CSRs" application setting(s) (see Application Settings) will be used. (A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA.)
- Click Done to submit the request.
The reenrollment job will be scheduled to run immediately. Visit the Orchestrator Jobs page to check on the progress of the job (see Orchestrator Job Status).
Figure 237: Enter Information for Java Keystore Reenrollment
The option to reset the password on a certificate store updates the data for the certificate store as stored in the Keyfactor Command database but does not make any modifications to the certificate store itself. This option is available from the right-click menu only.
To reset the password for a certificate store:
- In the Management Portal, browse to Locations > Certificate Stores.
- On the Certificate Stores page, select the Certificate Stores tab (the default when you first visit the page).
- On the Certificate Stores tab, highlight the row in the certificate store grid of the store to update and choose Set New Password from the right-click menu.
- Enter and confirm the new password and click Save.
Before assigning a certificate store to a container, you need to create the container (see Certificate Store Containers). If you select multiple certificate stores to assign to a container at once, they must all be stores of the same type (e.g. PEM).
To assign a certificate store to a container:
- In the Management Portal, browse to Locations > Certificate Stores.
- On the Certificate Stores page, select the Certificate Stores tab (the default when you first visit the page).
- On the Certificate Stores tab, highlight the row(s) in the certificate store grid of the store(s) to be assigned to the container and click Assign Container at the top of the grid or right-click the store location in the grid and choose Assign Container from the right-click menu. The right-click menu supports operations on only one store at a time.
- Select a certificate store container in the Container Name field and click Save.
Once at least one inventory job has been completed for a given certificate store, you can view the certificates imported from the store.
To view the inventoried certificates for a store:
- In the Management Portal, browse to Locations > Certificate Stores.
- On the Certificate Stores page, select the Certificate Stores tab (the default when you first visit the page).
- On the Certificate Stores tab, highlight the row in the certificate store grid of the store for which to view inventory and click View Inventory at the top of the grid or right-click the store location in the grid and choose View Inventory from the right-click menu.
On the left of the inventory viewing dialog you can select a certificate from the store to view. On the right of the dialog you can see details about that certificate, including the metadata associated with the certificate. (In Keyfactor Command, the certificate metadata feature allows you to create custom metadata fields for tagging certificates with tracking information.) For certificates stored with a chain, the Certificate Selection area of the screen lets you switch between the end entity certificate and the chain certificates.
Figure 238: View Inventoried Certificates for a Certificate Store
Scheduling inventory for a certificate store allows Keyfactor Command to inspect the certificates inside a given store and add them to the Keyfactor Command database.
To schedule inventory:
- In the Management Portal, browse to Locations > Certificate Stores.
- On the Certificate Stores page, select the Certificate Stores tab (the default when you first visit the page).
- On the Certificate Stores tab, highlight the row(s) in the certificate store grid of the store(s) for which you want to schedule inventory and click Schedule Inventory at the top of the grid, or choose Schedule Inventory from the right-click menu. The right-click menu supports operations on only one store at a time.
- In the Certificate Store Inventory Schedule dialog, select a schedule for the store(s). You can choose to run the inventory Daily, on an Interval, Immediately, Exactly Once, or set inventorying to Off.
- If you select Daily, you can set the time of day when the inventory should begin every day.
- If you select Interval, you can select a scan frequency of anywhere from every 1 minute to every 12 hours.
- If you select Immediate, the inventory will run within a few minutes of saving the record and will run only once. After this, the inventory schedule will be cleared.
- If you select Exactly Once, you can select a date and time at which to run the inventory job. After the job has run, the inventory schedule will be cleared.
- Select Off to disable the inventory job.
You have the option to not schedule inventory on a store-by-store basis and instead create containers and set inventory schedules that will apply to all the stores added to each container. See Certificate Store Containers for information on creating containers.
Figure 239: Schedule Inventory for a Certificate Store Location