Grant the Keyfactor Command Users and Service Account(s) Permissions on the CAs

In order for Keyfactor Command to be able to synchronize certificates from the CAs to the Keyfactor Command database, the service account under which Keyfactor Command makes a connection to the CAClosed A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA. must have permissions to read the CA databases. For full Keyfactor Command functionality, additional permissions are needed. The permissions needed vary depending on the type of CA and the type of authorization you intend to configure to allow Keyfactor Command and users in Keyfactor Command to interact with the CA.

Microsoft CAs

When you configure Keyfactor Command access to a Microsoft CA, you have the option to enable the Use Explicit Credentials option. When this option is enabled, you enter a set of credentials that will be used specifically to access that Microsoft CA, and all management and enrollmentClosed Certificate enrollment refers to the process by which a user requests a digital certificate. The user must submit the request to a certificate authority (CA). tasks for that CA are done in the context of that service account. If you do not enable the Use Explicit Credentials option, management tasks (e.g. revocation, certificate synchronization) and enrollments are done in the context of the service account(s) you configure for the Keyfactor Command Service and the application pool for Keyfactor Command (which are the same service account in many implementations) and individual users. The exact combination of what happens in the context of who depends on the configuration of the delegation options (Delegate management Operations and Delegate Enrollment) on the CA when the Use Explicit Credentials option is not enabled. Delegation is supported for both Basic authentication and Kerberos authentication (see Configure Kerberos Constrained Delegation (Optional)). Use of explicit credentials is mutually exclusive of delegation.

The users and service account(s) you will be using to connect to your Microsoft CA(s) from Keyfactor Command need some set of the following permissions on the CA, based on the configuration of authorization for the CA:

Table 769: Microsoft CA Permission Matrix provides information on what permissions are required based on possible authorization configurations.

Table 769: Microsoft CA Permission Matrix

  Use Explicit Credentials

Use Explicit Credentials

Delegate Management

Delegate Enrollment

Use Explicit Credentials

Delegate Management

Delegate Enrollment

Use Explicit Credentials

Delegate Management

Delegate Enrollment

Use Explicit Credentials

Delegate Management

Delegate Enrollment
Explicit CA-Specific User

Read

Issue & Manage Certificates

Manage CA

Request Certificates

 n/a n/a n/a n/a
Keyfactor Command Service Account None

Read

Request Certificates1

Read

Request Certificates2

Read

Request Certificates3

Read

Request Certificates4
Keyfactor Command Application Pool Account None

Read

Issue & Manage Certificates

Manage CA

Request Certificates5

Read

Issue & Manage Certificates

Manage CA

Request Certificates6

Read

Manage CA

Request Certificates

Read

Issue & Manage Certificates

Manage CA

Request Certificates
Individual Users None

Read

Issue & Manage Certificates

Request Certificates

Read

Request Certificates

Read

Issue & Manage Certificates

 None

In the management console for each CA that Keyfactor Command will be interacting with, open the properties for the CA and grant the users and service account(s) for Keyfactor Command the appropriate permissions for your environment before continuing.

Tip:  In order to support PFXClosed A PFX file (personal information exchange format), also known as a PKCS#12 archive, is a single, password-protected certificate archive that contains both the public and matching private key and, optionally, the certificate chain. It is a common format for Windows servers. and CSRClosed A CSR or certificate signing request is a block of encoded text that is submitted to a CA when enrolling for a certificate. When you generate a CSR within Keyfactor Command, the matching private key for it is stored in Keyfactor Command in encrypted format and will be married with the certificate once returned from the CA. enrollment through the Management Portal, the user initiating the enrollment in the Management Portal must be granted "Request Certificates" permission in the CA if enrollment delegation is enabled. In many environments, all Authenticated Users are granted this permission, allowing the Management Portal users to inherit the permission.
EJBCA CAs

Management (e.g. revocation, certificate synchronization) and enrollment requests to an EJBCA CA are made in the context of the end entity associated with the client certificate selected in each CA configuration in the Keyfactor Command Management Portal to provide authentication to the EJBCA CA (see Acquire a Client Certificate for EJBCA CA Authentication). The access rule created or used for this needs to grant sufficient permissions to allow the end entity to synchronize certificates. For full functionality, it needs the following permissions:

Figure 489: EJBCA Access Permissions

You may either create a new access rule that limits access to just these required permissions, or use an existing access rule. In either case, you need to add the certificate used to authenticate Keyfactor Command to the EJBCA CA as a member of that access rule.

Figure 490: Add Client Certificate as Member of EJBCA Access Rule