Configure the Universal Orchestrator for Remote CA Management
If you have opted to enable the remote CA management functionality for the Keyfactor Universal Orchestrator, further configuration is needed on the orchestrator to specify the CA(s) that the orchestrator will manage.
To configure CAs for the orchestrator:
- On the orchestrator, open a text editor (e.g. Notepad) using the "Run as administrator" option.
- In the text editor, browse to open the extensionoptions.json file for the Universal Orchestrator. The file is located in the configuration directory within the install directory, which is the following directory by default:
  C:\Program Files\Keyfactor\Keyfactor Orchestrator\configuration
- In the extensionoptions.json file, locate the CertificateAuthority section.

Figure 533: CA Configuration Settings
- Either set the AdditionalCertificateAuthoritiesAllowed value to true or populate the CertificateAuthorities section with your CA information (see Table 770: Remote CA Configuration Parameters).
- Save the file.
- Restart the orchestrator service (see Start the Universal Orchestrator Service).
Table 770: Remote CA Configuration Parameters

| Parameter | Description |
|---|---|
| BatchSize | An integer that specifies the number of certificate cache records to read from Keyfactor Command in each data retrieval batch. The default is 10,000. Tip: Certificate cache information from Keyfactor Command is retrieved and stored on the orchestrator so that the orchestrator can calculate which records represent changes and return only those to Keyfactor Command when Keyfactor Command requests a CA synchronization. |
| CacheHours | An integer that specifies the number of hours for which to cache certificate information from Keyfactor Command on the orchestrator before clearing it. The default is 3. |
| RecordCountLimit | An integer that specifies the number of records to read from the CA(s) in each synchronization batch. The default is 5,000. |
| MaxErrorCount | An integer that specifies the number of times an attempt should be made to read records from the CA before the synchronization job ends with a failure. The default is 5. |
| AdditionalCertificateAuthoritiesAllowed | A Boolean that sets whether any CAs available to the orchestrator (to which the orchestrator has network access and sufficient permissions) should be considered as managed (True) or whether only those CAs specifically listed in the CertificateAuthorities parameter should be considered as managed (False). If you set this value to True, you do not need to populate the CertificateAuthorities value. |
| CertificateAuthorities | An array of the certificate authorities that should be considered managed by the orchestrator. The certificate authority information includes: |
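An added configuration audit, not part of the Keyfactor documentation, that reads the CertificateAuthority section described above and reports whether the orchestrator's CA scope is explicit (a populated CertificateAuthorities list) or open-ended (AdditionalCertificateAuthoritiesAllowed set to true, which manages every CA the orchestrator can reach with sufficient permissions), and whether the integer tuning parameters are valid. It assumes the section is a top-level JSON object named CertificateAuthority; the fields of each CertificateAuthorities entry are not shown on this page, so the constructed sample uses a labelled placeholder.

```python
import json

# Documented defaults for the integer parameters of the CertificateAuthority section.
INT_DEFAULTS = {"BatchSize": 10000, "CacheHours": 3, "RecordCountLimit": 5000, "MaxErrorCount": 5}


def audit_ca_section(config_text: str) -> list:
    """Return findings for the CertificateAuthority section of an extensionoptions.json
    document; an empty list means the section is well-formed and explicitly scoped.
    Assumption: the section is a top-level object named "CertificateAuthority"."""
    try:
        doc = json.loads(config_text)
    except json.JSONDecodeError as exc:
        return [f"ERROR: file is not valid JSON: {exc}"]
    section = doc.get("CertificateAuthority") if isinstance(doc, dict) else None
    if not isinstance(section, dict):
        return ["ERROR: CertificateAuthority section missing; no CA will be synchronized"]

    findings = []
    # Tuning parameters must be positive integers (bool is an int subclass, so exclude it).
    for key, default in INT_DEFAULTS.items():
        value = section.get(key, default)
        if isinstance(value, bool) or not isinstance(value, int) or value <= 0:
            findings.append(f"ERROR: {key} must be a positive integer (default {default}), got {value!r}")

    # The documentation gives no default for this flag; an absent flag is treated as false here.
    allowed = section.get("AdditionalCertificateAuthoritiesAllowed", False)
    if not isinstance(allowed, bool):
        findings.append(f"ERROR: AdditionalCertificateAuthoritiesAllowed must be true or false, got {allowed!r}")
    elif allowed:
        # Wide scope: every CA the orchestrator can reach with sufficient permissions is managed.
        findings.append("WARN: AdditionalCertificateAuthoritiesAllowed is true, so every reachable CA will be "
                        "managed; consider listing the intended CAs in CertificateAuthorities instead")
    else:
        cas = section.get("CertificateAuthorities")
        if not isinstance(cas, list) or not cas:
            findings.append("ERROR: AdditionalCertificateAuthoritiesAllowed is false but CertificateAuthorities "
                            "is empty; no CA will be synchronized")
    return findings


# Constructed sample documents for offline use (not real orchestrator files).
OPEN_CONFIG = '{"CertificateAuthority": {"AdditionalCertificateAuthoritiesAllowed": true}}'
SCOPED_CONFIG = ('{"CertificateAuthority": {"BatchSize": 10000, "CacheHours": 3, "RecordCountLimit": 5000, '
                 '"MaxErrorCount": 5, "AdditionalCertificateAuthoritiesAllowed": false, '
                 '"CertificateAuthorities": [{"PLACEHOLDER": "entry fields are not shown on this page"}]}}')

if __name__ == "__main__":
    for name, text in (("open", OPEN_CONFIG), ("scoped", SCOPED_CONFIG)):
        print(name, audit_ca_section(text) or ["OK"])
```

To audit a live orchestrator, pass the contents of the extensionoptions.json file from the configuration directory named above to audit_ca_section.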