Acquire a Certificate for Client Certificate Authentication (Optional)
The Keyfactor Universal Orchestrator, one of Keyfactor's suite of orchestrators, is used to interact with Windows servers (a.k.a. IIS certificate stores) and FTP capable devices for certificate management, run SSL discovery and management tasks, and manage synchronization of certificate authorities in remote forests. With the addition of custom extensions, it can run custom jobs to provide certificate management capabilities on a variety of platforms and devices (e.g. F5 devices, NetScaler devices, Amazon Web Services (AWS) resources) and execute tasks outside the standard list of certificate management functions. It runs on either Windows or Linux.
The Universal Orchestrator supports client certificate authentication, which allows individual orchestrator machines to authenticate with client certificates either to a centralized proxy, such as a network load balancer, or directly to Keyfactor Command. In the proxy case, the proxy in turn authenticates to the Keyfactor Command server using either a username and password stored securely on the proxy or another client certificate. In the direct case, IIS on the Keyfactor Command server handles the certificate authentication and Active Directory manages the mapping of client certificates to service accounts. The proxy approach allows orchestrator credentials to be assigned and managed outside the Active Directory forest in which Keyfactor Command is installed. The web proxy's job is to confirm the validity of the certificate and to provide Active Directory credentials known to Keyfactor Command (if configured in this manner).
Typically the proxy would be configured to accept all certificates issued from a given PKI implementation—even a PKI that is unknown to the Keyfactor Command Active Directory forest—thus delegating orchestrator access control to that PKI.
There are several situations in which using certificate authentication for the Universal Orchestrator may be helpful, including:
- Scale—To allow orchestrator numbers to scale (e.g. the IoT case) where it isn't practical to have a unique Active Directory account for each orchestrator.
- Untrusted Environments—To support environments (e.g. a "hostile" network) where policy doesn't allow the password for an Active Directory account to be stored on the orchestrator.
The certificate that the Universal Orchestrator uses for authentication needs:
- An extended key usage (EKU) of Client Authentication
Figure 530: Microsoft Certificate Template Application Policies for Client Authentication Certificate
- A key usage that includes Digital Signature
Figure 531: Microsoft Certificate Template Request Handling for Client Authentication Certificate
On Windows servers, the certificate may be referenced either as a PKCS12 file stored in the file system or placed in a certificate store: either the local machine's personal store (My) or, if you opt to run the Universal Orchestrator service as a domain service account rather than the default of Network Service, the personal store of the Universal Orchestrator service account user. If you opt to place the certificate in the local machine store, you need to grant the service account under which the Universal Orchestrator service will run (including Network Service if you will use this option) read permissions to the private key of the certificate. If you opt to place the certificate in the personal store of the Universal Orchestrator service account user, it also needs to be placed in the personal store of the user running the installation for the duration of the installation so that it can be read during initial configuration. It may be removed from the installing user's store after installation is complete.
On Linux servers, the certificate is referenced as a PKCS12 file stored in the file system.
To acquire a certificate for use by the Universal Orchestrator using a Microsoft CA, first create a template using the appropriate configurations as described above and make it available for enrollment on the CA from which you will request the certificate. The simplest way to acquire a certificate as a PKCS12 file for either Linux or Windows use is with PFX enrollment in Keyfactor Command (a PFX file, also known as a PKCS#12 archive, is a single password-protected archive containing the certificate, its private key and, optionally, the certificate chain). There are multiple ways to acquire a certificate and place it in the machine store on the Windows server where the Universal Orchestrator will be installed, including:
- Enroll through the Microsoft certificates MMC.
- Generate a CSR through the Microsoft certificates MMC and take the CSR to Keyfactor Command to issue a certificate using the CSR enrollment option in the Keyfactor Command Management Portal. You will need to return to the Microsoft certificates MMC to marry the certificate with the private key.
- Enroll for a certificate through Keyfactor Command using the PFX enrollment method and deploy it to the certificate store using an already installed Universal Orchestrator or Windows Orchestrator managing the store as an IIS store.
- Enroll using the command-line certreq command with a request.inf file on the Universal Orchestrator server.
Several of the above methods can also be used if you opt to enroll into the Universal Orchestrator service account user's personal store, though this option requires a few extra steps.
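As an added example (not from the Keyfactor documentation), the certreq method above scripted in PowerShell: it writes a request.inf that meets the template requirements described earlier (Client Authentication EKU, Digital Signature key usage, key generated in the machine store), submits the request to the CA and installs the issued certificate against the pending key. The subject, template name and CA configuration string are placeholders to replace with your own values.

```powershell
# Added example, not part of the Keyfactor documentation.
# Enroll a client authentication certificate into the local machine store with certreq.
# Assumptions: subject, template name and CA config string are placeholders.
$Subject  = 'CN=orchestrator01.example.internal'
$Template = 'PLACEHOLDER_TEMPLATE_NAME'
$CaConfig = 'PLACEHOLDER_CA_HOST\PLACEHOLDER_CA_NAME'   # as listed by: certutil -dump
$WorkDir  = Join-Path $env:TEMP 'uo-clientauth'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# MachineKeySet = TRUE generates the private key in the local machine store, so the
# orchestrator service account (not the enrolling user) can later be granted Read on it.
# KeyUsage 0x80 = Digital Signature; OID 1.3.6.1.5.5.7.3.2 = Client Authentication.
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "$Subject"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = sha256
ProviderName = "Microsoft Software Key Storage Provider"
MachineKeySet = TRUE
Exportable = FALSE
KeyUsage = 0x80
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.2

[RequestAttributes]
CertificateTemplate = "$Template"
"@
$InfPath = Join-Path $WorkDir 'request.inf'
$ReqPath = Join-Path $WorkDir 'request.req'
$CerPath = Join-Path $WorkDir 'issued.cer'
Set-Content -Path $InfPath -Value $inf -Encoding ASCII

# Generate key and CSR, submit to the CA, then bind the issued certificate to the
# pending key in the machine store (the "marry" step otherwise done in the MMC).
certreq -new $InfPath $ReqPath
certreq -submit -config $CaConfig $ReqPath $CerPath
certreq -accept $CerPath
```

If the template requires CA manager approval, certreq -submit reports the request as pending; retrieve the issued certificate later with certreq -retrieve and then run certreq -accept on it.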
To enroll for a certificate using the certificates MMC into the local machine store:
- On the Universal Orchestrator machine, do one of the following:
  - Using the GUI:
    - Open an empty instance of the Microsoft Management Console (MMC).
    - Choose File->Add/Remove Snap-in….
    - In the Available snap-ins column, highlight Certificates and click Add.
    - In the Certificates snap-in popup, choose the radio button for Computer account, click Next, accept the default of Local computer, and click Finish.
    - Click OK to close the Add or Remove Snap-ins dialog.
  - Using the command line:
    - Open a command prompt using the "Run as administrator" option.
    - Within the command prompt, type certlm.msc to open the certificates MMC.
- Using the GUI:
  - Drill down to the Personal folder under Certificates for the Local Computer, right-click, and choose All Tasks->Request New Certificate….
  - Follow the certificate enrollment wizard, selecting the template you created or identified for use for this purpose, and providing any required information.
  - When the enrollment completes, locate the certificate in the Personal store (you may need to refresh), highlight it, and choose All Tasks->Manage Private Keys….
  - In the Permissions for private keys dialog, click Add, add the Universal Orchestrator service account—the account under which the Universal Orchestrator is running (created as per Create Service Accounts for the Universal Orchestrator)—and grant that service account Read but not Full control permissions. Click OK to save.
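As an added example (not from the Keyfactor documentation), a PowerShell check that the certificate now in the local machine Personal store carries the Client Authentication EKU and Digital Signature key usage, followed by the same Read-only private key grant that the Manage Private Keys dialog performs. The thumbprint and the service account name are placeholders.

```powershell
# Added example, not part of the Keyfactor documentation.
# Verify the orchestrator certificate's EKU/key usage and grant the service account
# Read (not Full control) on its private key file. Run from an elevated prompt.
# Assumptions: thumbprint and service account below are placeholders.
$Thumbprint     = 'PLACEHOLDER_THUMBPRINT'
$ServiceAccount = 'NT AUTHORITY\NETWORK SERVICE'   # or DOMAIN\svc-orchestrator

$cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

# Requirement 1: EKU must include Client Authentication (OID 1.3.6.1.5.5.7.3.2).
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasClientAuth = $ekuExt -and ($ekuExt.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.2')

# Requirement 2: Key Usage must include Digital Signature.
$kuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
$hasDigitalSignature = $kuExt -and
    ($kuExt.KeyUsages -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature)

if (-not $hasClientAuth)       { throw 'Certificate lacks the Client Authentication EKU.' }
if (-not $hasDigitalSignature) { throw 'Certificate key usage does not include Digital Signature.' }
if (-not $cert.HasPrivateKey)  { throw 'No private key is associated with this certificate.' }

# Locate the private key file. CNG (Key Storage Provider) machine keys live under
# Crypto\Keys; legacy CAPI machine keys live under Crypto\RSA\MachineKeys.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyName = $rsa.Key.UniqueName
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $keyName
} else {
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyName
}
if (-not (Test-Path $keyFile)) { throw "Private key file $keyName not found." }

# Grant Read only, the least privilege the orchestrator service needs to use the key.
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl
```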