Universal Orchestrator
The Keyfactor Universal Orchestrator is designed to run jobs at the request of the Keyfactor Command server. Jobs primarily perform certificate management tasks, but other types of operations are also supported. The orchestrator operates as a .NET Core based service on either a Windows or Linux server and communicates with a Keyfactor Command server to receive job tasks and report job results. Along with the job results, data can be returned to the Keyfactor Command server and stored in the Keyfactor Command SQL database. Extensions are hosted by the orchestrator and implement the jobs to be executed.
The orchestrator includes these built-in extensions:
- Discover and monitor certificates at TLS 1.3 endpoints either within the local network or across the internet using any of the 5 ciphersuites mentioned in appendix B.4 of RFC 8446. Certificates from the results of SSL discovery and monitoring are imported into Keyfactor Command for viewing, reporting and alerting purposes. Scanning using server name indication (SNI) is supported.
- Manage and deliver certificates in the machine certificate store on Windows servers using the Management Portal, and (optionally) bind the certificates to Internet Information Services (IIS) web sites. This feature is supported only on Windows installations.
- Manage and deliver certificates in PEM stores on FTP capable devices using the Management Portal, and associate them with PEM stores on FTP capable devices. Certificates from PEM stores on FTP capable devices can be imported into Keyfactor Command for viewing, reporting and alerting purposes.
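A PEM store retrieved from an FTP capable device may hold a single certificate, a full chain, or a certificate together with its private key, and an inventory job needs to tell these apart before deciding how to treat the file. The following is an added example, not Keyfactor's code: it parses the PEM framing (`-----BEGIN ...-----` / `-----END ...-----`), validates the base64 body and the outer DER SEQUENCE length, tolerates legacy `Proc-Type`/`DEK-Info` header lines, and reports what the file contains. The sample input is constructed; its payloads are a minimal DER SEQUENCE, not real certificates or keys, so the script runs offline.

```python
"""Classify the contents of a PEM file as a certificate-store inventory would."""
import base64
import binascii
import re

# Constructed sample input: each body is the base64 of a minimal DER
# SEQUENCE {INTEGER 5}, standing in for a real certificate or key.
_FAKE_DER = base64.b64encode(b"\x30\x03\x02\x01\x05").decode()
SAMPLE_PEM = f"""-----BEGIN CERTIFICATE-----
{_FAKE_DER}
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
{_FAKE_DER}
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

{_FAKE_DER}
-----END RSA PRIVATE KEY-----
"""

# One block per BEGIN/END pair; the backreference ensures the labels match.
_BLOCK_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY"}


def _check_der_sequence(der, label):
    """Reject payloads that are not a single, correctly sized DER SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError(f"{label} block is not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short-form length
        length, header = first, 2
    else:                                 # long-form length: N length bytes follow
        n = first & 0x7F
        length = int.from_bytes(der[2:2 + n], "big")
        header = 2 + n
    if header + length != len(der):
        raise ValueError(f"{label} block declares {length} bytes, "
                         f"payload has {len(der) - header}")


def parse_pem_blocks(text):
    """Return [(label, headers, der_bytes)] for each well-formed PEM block.

    Raises ValueError on malformed base64 or an inconsistent DER envelope.
    """
    blocks = []
    for label, body in _BLOCK_RE.findall(text):
        lines = body.splitlines()
        headers = []
        while lines and ":" in lines[0]:  # legacy "Proc-Type:" style headers
            headers.append(lines.pop(0).strip())
        b64 = "".join(line.strip() for line in lines)
        try:
            der = base64.b64decode(b64, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"bad base64 in {label} block: {exc}") from exc
        _check_der_sequence(der, label)
        blocks.append((label, headers, der))
    return blocks


def classify_pem(text):
    """Summarise a PEM file: how many certs, whether a key is present, etc."""
    blocks = parse_pem_blocks(text)
    certs = sum(1 for label, _, _ in blocks if label == "CERTIFICATE")
    keys = [(label, hdrs) for label, hdrs, _ in blocks if label in KEY_LABELS]
    encrypted = any(label == "ENCRYPTED PRIVATE KEY"
                    or any(h.startswith("Proc-Type: 4,ENCRYPTED") for h in hdrs)
                    for label, hdrs in keys)
    return {
        "certificates": certs,
        "chain": certs > 1,
        "has_private_key": bool(keys),
        "key_encrypted": encrypted,
        "blocks": len(blocks),
    }


if __name__ == "__main__":
    print(classify_pem(SAMPLE_PEM))
```

A file reporting `has_private_key` with `key_encrypted` false is the case to flag during inventory: a plaintext private key sitting on an FTP reachable device deserves a tighter storage policy than a certificate-only store.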
- Retrieve logs generated on the orchestrator via the Keyfactor Command Management Portal. This task returns up to 2 MB of log data from the end of the orchestrator log file to be viewed in the Management Portal.
- Manage certificates from remote Microsoft Certificate Authorities (CAs) using the Management Portal. Certificates from remote CAs can be imported into Keyfactor Command for viewing, reporting and alerting purposes. This feature is supported only on Windows installations.
If the remote CA is domain-joined to a domain in the remote forest, the Universal Orchestrator may be installed on the CA itself or on a separate server joined to a domain in the same forest (generally a server in the same domain as the CA). Multiple CAs in the same remote forest can be managed with a single Universal Orchestrator server. However, if the remote CA is not domain-joined, the Universal Orchestrator must be installed on the remote CA server.
Note: The Universal Orchestrator does not support certificate enrollment for remote CAs. If you need this capability, you will need to use the Explicit Credentials option in the Management Portal CA configuration (see the Adding or Modifying a CA Record in the Keyfactor Command Reference Guide) or the Keyfactor Cross-Forest Gateway.
In addition, two types of custom extensions are supported:
- Manage and deliver certificates to certificate stores on various platforms and devices using custom certificate store types and orchestrator jobs in the Keyfactor Command Management Portal. With custom extensions, you can manage F5 devices, NetScaler devices, AWS resources and more.
- Run custom jobs on the orchestrator that fall outside the standard certificate management tasks. With custom jobs, you can perform operations locally on the orchestrator—or initiate them remotely across the network—and then report results back to Keyfactor Command along with data collected from the jobs, if any.
Custom extensions may be developed by Keyfactor or end users. For more information about custom extensions, contact your Keyfactor representative.