Certificate Authority Operations
Certificate Authority Operations
During installation of Keyfactor Command, CA A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA. records are created for any Microsoft CAs found in the local forest An Active Directory forest (AD forest) is the top most logical container in an Active Directory configuration that contains domains, and objects such as users and computers. in which Keyfactor Command is installed. If you have Microsoft CAs in separate forests in a two-way trust with the forest in which Keyfactor Command is installed, you will need to use the import option to import CA records from those forests. If you have Microsoft CAs in any other configuration or EJBCA CAs, you will need to manually configure CA records for them.
Microsoft CA and Keyfactor CA gateway records from the Active Directory forest in which Keyfactor Command is installed and any Active Directory forests in a two-way trust with this forest may be imported using the Import option.
To import CA records:
- In the Management Portal, browse to Locations > Certificate Authorities.
- On the Certificate Authorities grid, click the Import action button to import local or two-way trusted forest CAs and Keyfactor CA gateways.
-
In the Import Certificate Authorities dialog,
select the forest from which you want to import in the dropdown and click Import.
Figure 199: Import Certificate Authorities
Your certificate authorities and CA gateways will be retrieved from Active Directory in the trusted forest and will populate the CA grid. Import once for each forest containing Microsoft CAs that you want to synchronize or use for enrollment Certificate enrollment refers to the process by which a user requests a digital certificate. The user must submit the request to a certificate authority (CA)..
Once the records are imported, use the Edit option (see Adding or Modifying a CA Record) to configure synchronization and other optional settings for the CA.
Tip: This step does not need to be completed for the forest in which Keyfactor Command is installed because those records are imported during the installation process.Note: Keyfactor CA gateways are not supported in any configuration other than in the same forest in which Keyfactor Command is installed.Note: The import option only works for Microsoft CAs or Keyfactor CA gateways that have been registered in Active Directory.
As of Keyfactor Command version 10, CA connections can be tested from the Certificate Authority A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA. page. There are two new action buttons on the Certificate Authority dialog, Test Connection and Save and Test, in addition to the Cancel button.
Certificate Authorities will be tested before they are saved to the database and must be valid and reachable to be saved. If the CA can't be verified, an error message with an explanation of the issue will be displayed and added to the Command_API A set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command._Log.
-
For EJBCA, the test checks that the CA name provided is valid for the given EJBCA instance. It validates the hostname The unique identifier that serves as name of a computer. It is sometimes presented as a fully qualified domain name (e.g. servername.keyexample.com) and sometimes just as a short name (e.g. servername)., enabled APIs, and authentication certificate. The version is validated (7.8.1 or greater) and connecting to both the REST v1 and SOAP APIs is also validated.
-
For Microsoft, the test checks the forest, logical name The logical name of a CA is the common name given to the CA at the time it is created. For Microsoft CAs, this name can be seen at the top of the Certificate Authority MMC snap-in. It is part of the FQDN\Logical Name string that is used to refer to CAs when using command-line tools and in some Keyfactor Command configuration settings (e.g. ca2.keyexample.com\Corp Issuing CA Two)., CA host, and explicit credentials by using a certutil ping.
-
Remote CAs (managed by an orchestrator Keyfactor orchestrators perform a variety of functions, including managing certificate stores and SSH key stores.) will not have the connection tested before saving the CA. The Test Connection button will be active, but you will receive a message that the connection cannot be tested if you click it. The Save and Test button will skip the test when saving.
To test a CA record:
- In the Management Portal, browse to Locations > Certificate Authorities.
- On the Certificate Authorities grid, click Add to add a new CA, or click Edit to modify an existing CA, from either the top or right-click menu.
- Follow the instructions for adding or modifying a CA (see Adding or Modifying a CA Record). Once you have entered the details you want to test, click Test Connection or Save and Test. Upon a successful test, you will receive a green success notification at the bottom of the page. Upon a test failure, you will receive a pop-up message with the details of the failure; a message will also be added to the log.
Whether your CA has been imported or added manually, you'll need to update it to configure synchronization and other optional settings.
Certificate Authorities that need to be added manually include:
- A Microsoft enterprise or standalone CA that is installed on a machine that is domain-joined to a forest that is in a one-way trust with the forest in which Keyfactor Command is installed
- A Microsoft enterprise or standalone CA that is installed on a machine that is domain-joined to a forest that has no trust with the forest in which Keyfactor Command is installed
- An EJBCA CA
- A non-domain-joined Microsoft standalone CA
- A CA accessed via the Keyfactor Universal Orchestrator The Keyfactor Universal Orchestrator, one of Keyfactor's suite of orchestrators, is used to interact with Windows servers (a.k.a. IIS certificate stores) and FTP capable devices for certificate management, run SSL discovery and management tasks, and manage synchronization of certificate authorities in remote forests. With the addition of custom extensions, it can run custom jobs to provide certificate management capabilities on a variety of platforms and devices (e.g. F5 devices, NetScaler devices, Amazon Web Services (AWS) resources) and execute tasks outside the standard list of certificate management functions. It runs on either Windows or Linux. or Windows Orchestrator The Windows Orchestrator, one of Keyfactor's suite of orchestrators, is used to manage synchronization of certificate authorities in remote forests, run SSL discovery and management tasks, and interact with Windows servers as well as F5 devices, NetScaler devices, Amazon Web Services (AWS) resources, and FTP capable devices, for certificate management. In addition, the AnyAgent capability of the Windows Orchestrator allows it to be extended to create custom certificate store types and management capabilities regardless of source platform or location.
- A Microsoft enterprise or standalone CA that is installed on a machine that is domain-joined to the forest in which Keyfactor Command is installed or a forest that is in a two-way trust with the forest in which Keyfactor Command is installed but has not be registered in Active Directory
- A Keyfactor CA gateway or CA management gateway that has not been registered in Active Directory
If your Microsoft CA or Keyfactor CA gateway is domain-joined in the forest in which Keyfactor Command is installed or a forest in a two-way trust with this forest and has been registered in Active Directory, you can opt to add a record for it manually, but it is generally easier to use the import option (see Importing Trusted Forest CAs).
To create a CA record manually or edit an existing one:
- In the Management Portal, browse to Locations > Certificate Authorities.
- On the Certificate Authorities grid, click Add to add a new CA, or click Edit from either the top or right-click menu to modify an existing one.
- At the top of the dialog, choose an appropriate CA communication protocol in the Select CA Communication Protocol dropdown. The options are:
- DCOM—Select this option for Microsoft CAs and CA gateways.
- HTTPS—Select this option for EJBCA CAs.
This field cannot be modified on an edit.
-
The remainder of the Certificate Authority dialog shows four tabs. Only the first three are used for EJBCA CAs. Complete the Certificate Authority dialog with the appropriate data using the following instructions:
The Basic TabIn the Details section populate the Logical Name, Host Name and Configuration Tenant fields with the appropriate information for the CA. (The Enforce Unique DN checkbox applies only to the HTTPS Certificate Authorities).
The Configuration Tenant field cannot be modified on an edit.
Tip: Previous versions of Keyfactor Command referred to the Configuration Tenant as the Template Forest.Domain-Joined Enterprise or Standalone Microsoft CA in a Forest with a One-Way Trust (either direction) with the Forest in which Keyfactor Command is Installed- Logical Name—The logical name of the CA in the remote forest. For example: Corp2IssuingCA1
-
Host Name—The fully qualified domain name of the server on which the CA in the remote forest is installed. For example: corp2ca01.keyother.com
-
Configuration Tenant—The DNS The Domain Name System is a service that translates names into IP addresses. domain name for the Active Directory forest in which the CA resides. For example: keyother.com
Domain-Joined Enterprise or Standalone Microsoft CA in a Forest that has No Trust with the Forest in which Keyfactor Command is Installed- Logical Name—The logical name of the CA in the remote forest. For example: Corp3IssuingCA1
-
Host Name—The fully qualified domain name of the server on which the CA in the remote forest is installed. For example: corp3ca01.keyother2.com
-
Configuration Tenant—The DNS domain name for the Active Directory forest in which the CA resides. For example: keyother2.com
EJBCA CA-
Logical Name—The logical name of the EJBCA CA. For example: CorpCA1
Note: EJBCA CA logical names are case sensitive (e.g. CorpCA1 is not the same as CORPCA1). -
Host URL—The URL pointing to the EJBCA CA. For example: https://ejbca01.keyother3.com. If the URL provided does not have a virtual directory (/ejbca or otherwise) the /ejbca will be provided, otherwise it will use what is supplied in the URL.
-
Configuration Tenant—A reference ID for the EJBCA CA server. For EJBCA CAs, this does not need to be the DNS domain name. The short hostname of the EJBCA CA server makes a good reference ID.
Important: EJBCA and Microsoft CAs cannot be configured with the same Configuration Tenant, so do not set this to the DNS domain name if you will also be configuring Microsoft CAs in the same DNS domain. - Enforce Unique DN
Checking this will cause Keyfactor Command, upon enrollment, to search the EJBCA CA for end entities with DNs that match the DN A distinguished name (DN) is the name that uniquely identifies an object in a directory. In the context of Keyfactor Command, this directory is generally Active Directory. A DN is made up of attribute=value pairs, separated by commas. Any of the attributes defined in the directory schema can be used to make up a DN. in the certificate request. If a matching DN is found, the process will update the existing end entity in EJBCA with the new certificate request information rather than creating a new end entity. If you enable this option in Keyfactor Command, it must also be enabled on the matching EJBCA CA. A mismatch in these settings can result in enrollment failures.
Figure 200: Enforce unique DN Setting on the EJBCA CA
The value of the Keyfactor Command Enforce Unique DN setting is verified for each certificate request:
-
If unset, enrollment proceeds as usual.
-
If set, EJBCA is searched for an end entity associated with the DN and CA in the certificate request and:
- If none is found, the enrollment proceeds as usual.
- If one or more is found, the end entity in EJBCA is updated with the information from the certificate request, so that the new certificate request is tied to the same end entity as the existing certificate (or the first one found, if multiple are found). A new password is generated and the enrollment proceeds as usual.
-
Non-Domain-Joined Standalone Microsoft CA- Logical Name—The logical name of the standalone CA. For example: CorpSARootCA1
-
Host Name—The fully qualified domain name of the server on which the standalone CA is installed. For example: saroot01.keyexample.com
-
Configuration Tenant—The DNS domain name for the standalone CA. For example: keyexample.com
Remote CA Accessed via a Keyfactor Universal Orchestrator or Windows Orchestrator- Logical Name—The logical name of the CA in the remote forest to which the orchestrator will be connecting for synchronization. For example: Corp4IssuingCA1
-
Host Name—The fully qualified domain name of the CA in the remote forest to which the orchestrator will be connecting for synchronization. For example: corp4ca01.keyother4.com
-
Configuration Tenant—The DNS domain name for the Active Directory forest in which the orchestrator is operating and in which the CA resides. For example: keyother4.com
Note: You must install and configure the Keyfactor Universal Orchestrator or Windows Orchestrator on a machine in the same forest where the CA resides, configure it with CA Support and approve the orchestrator in the Management Portal before creating the CA record.Domain-Joined Enterprise or Standalone Microsoft CA in the Forest in which Keyfactor Command is Installed- Logical Name—The logical name of the CA in the local forest. For example: CorpIssuingCA1
-
Host Name—The fully qualified domain name of the server on which the CA in the local forest is installed. For example: corpca01.keyexample.com
-
Configuration Tenant—The DNS domain name for the Active Directory forest in which the CA resides. For example: keyexample.com
Keyfactor CA Gateway- Logical Name—The logical name of the CA gateway in the local forest. For example: EntrustGateway
-
Host Name—The fully qualified domain name of the server on which the CA gateway in the local forest is installed. For example: entgtw1.keyexample.com
-
Configuration Tenant—The DNS domain name for the Active Directory forest in which the CA resides. For example: keyexample.com
Keyfactor CA Management Gateway- Logical Name—The logical name created when the gateway was configured. The logical name is unique for each CA gateway. For a gateway providing a bridge to an on-premise Microsoft CA, the name configured as the gateway logical name should match the logical name of the Microsoft CA.
-
Host Name—The fully qualified domain name of the server in the managed forest environment in which the Keyfactor CA Management Gateway The Keyfactor CA Management Gateway is made up of the Keyfactor Gateway Connector, installed in the customer forest to provide a connection to the local CA, and the Azure-hosted and Keyfactor managed Hosted Configuration Portal. The solution is used to provide a connection between a customer's on-premise CA and an Azure-hosted instance of Keyfactor Command for synchronization, enrollment, and management of certificates. is installed.
-
Configuration Tenant—The DNS domain for the Active Directory forest in the managed forest environment in which the Keyfactor CA Management Gateway is installed.
In the Scan section, choose when to schedule full and incremental scans. You can choose to run each scan Weekly, Daily or on an Interval:
- If you select Weekly, you can select one or more days of the week on which to run the scan and a time when the scan should begin.
- If you select Daily, you can set the time of day when the scan should begin.
- If you select Interval, you can select a scan frequency of anywhere from every 1 minute to every 12 hours.
-
Select Off in the dropdown to disable a scan job.
Note: For EJBCA CAs, if the certificate profile has a Validity Offset configured to a value greater than the value configured in the CA Sync Backward Offset Minutes application setting (15 minutes by default), certificates requested outside of Keyfactor Command will not be picked up on incremental scans. These certificates will only appear in Keyfactor Command on a full synchronization. The CA Sync Backward Offset Minutes application setting should be set to the same number of minutes as the Validity Offset value, if Validity Offset is configured.Figure 201: EJBCA Certificate Profile Validity Offset Greater than 15 Minutes
Note: For EJBCA CAs, if the certificate profile has Allow Backdated Revocation configured and a revocation is completed outside of Keyfactor Command with a backdate of greater than 10 minutes, the revocation will not be picked up on incremental scans. These revocations will only appear in Keyfactor Command on a full synchronization.Figure 202: EJBCA Certificate Profile Backdated Revocation
For Microsoft CAs, if desired check the Sync External Certificates box to allow foreign certificates that have been imported into a Microsoft CA to be synchronized to Keyfactor Command along with the certificates issued by the Microsoft CA. This option does not appear for HTTPS CAs.
In the Enrollment section, check the Enable PFX Enrollment and/or Enable CSR Enrollment box to enable enrollment for the CA through Keyfactor Command.
Note: In order to perform enrollment through Keyfactor Command, the account making the request to the CA must be granted appropriate enroll permissions on the CA itself. Which account this is depends on the authorization configuration (see Authorization Methods Tab):- If Use Explicit Credentials is set to true (box checked), enrollment is done in the context of that explicit user and that user needs permission.
- If Use Explicit Credentials is set to false (box not checked), enrollment is done in the context of the user authenticated to Keyfactor Command using Kerberos or Basic authentication.
Enrollment is not supported using NTLM authentication.
If desired, check the Require Subscriber Terms box to add a checkbox on the enrollment pages to force users to agree to a custom set of terms before enrolling. Configure a link to the custom terms using the URL to Subscriber Terms application setting (see Application Settings: Enrollment Tab).
Tip: To fully configure enrollment for the CA, you will also need to configure access on the Authorization Methods tab (see Authorization Methods Tab) and configure templates (see Certificate Template Operations).Figure 203: Certificate Authority Basic Tab for a Microsoft CA
Figure 204: Certificate Authority Basic Tab for an EJBCA CA
Advanced TabIn the Details section, if you've opted to use the Keyfactor Universal Orchestrator or Windows Orchestrator to communicate with a remote CA, check the Use Orchestrator box and choose the appropriate orchestrator from the dropdown.
Note: The Orchestrator dropdown is only active if the Use Orchestrator box is checked. If Use Orchestrator is checked, the Orchestrator dropdown will populate with any orchestrators approved in Keyfactor Command with the CA capability. The Keyfactor Universal Orchestrator or Windows Orchestrator must be installed on a machine in the forest where the remote CA resides, installed and configured as per Universal Orchestrator in the Keyfactor Orchestrators Installation and Configuration Guide. In addition, in the Management Portal, the Keyfactor Universal Orchestrator or Windows Orchestrator must be configured as per Orchestrator Management.In the Monitoring section, check the Enable Monitoring box to turn on email alerting when certificate issuance or failures (including denials) since the last threshold alert was sent falls outside the configured limits. You can choose to schedule the alerts either for daily delivery at a specified time or at intervals of anywhere from every 1 minute to every 12 hours. Daily is the most common configuration. Set the thresholds for:
- Issuance Greater Than—You will receive an alert if more certificates are issued by this CA in the time period between executions of the alert than the number you set here. The value set here must be greater than, or equal to, the value set for Issuance Less Than.
- Issuance Less Than—You will receive an alert if fewer certificates are issued by this CA in the time period between executions of the alert than the number you set here. The minimum allowed value for Issuance Less Than is 1.
- Failures Greater Than—You will receive an alert if more certificate requests fail or are denied by this CA in the time period between executions of the alert than the number you set here. Zero is a valid setting (meaning you will receive an alert for a single failure).
Note: EJBCA CAs do not return failure counts using the API, so failures cannot be reported on with threshold monitoring for EJBCA CAs.
In addition to configuring the thresholds for each CA, you must also configure the email recipients on the Alert Recipients tab (see Certificate Authority Monitoring) of the Certificate Authorities page. Monitoring is not supported for CAs accessed with the Keyfactor Universal Orchestrator or Windows Orchestrator.
Figure 205: Certificate Authority Advanced Tab for Microsoft CA
Authorization Methods TabOn the Authorization Methods tab, you configure how access for management tasks and enrollment occurs for the CA.
Tip: Keyfactor recommends the following configuration for most CAs to support access control within Keyfactor Command:- Use Explicit Credentials: True or false as required by the environment
- Delegate Management Operations: False (box unchecked)
- Delegate Enrollment: False (box unchecked)
- Restrict Allowed Requesters: Set to the Keyfactor security roles allowed to perform certificate enrollment for this CA. If you're using workflow A workflow is a series of steps necessary to complete a process. In the context of Keyfactor Command, it refers to the workflow builder, which allows you automate event-driven tasks when a certificate is requested or revoked. (see Workflow Definitions), the users who hold these roles are the ones who are able to initiate workflows. This is entirely separate from the roles configured within workflows, which control the users who are able to approve workflows.
Note: If Use Explicit Credentials, Delegate Management Operations and Delegate Enrollment are all set to false (box unchecked), requests to the CA are made in the context of the Keyfactor Command application pool user. For more information, see Grant the Keyfactor Command Users and Service Account(s) Permissions on the CAs in the Keyfactor Command Server Installation Guide.Use Explicit Credentials (Microsoft CAs)The Use Explicit Credentials option allows you to configure specific credentials that will be used to make requests to the CA for management tasks and enrollment. This is generally used for Microsoft CAs where Windows integrated authentication is not supported. Integrated authentication is generally supported for Microsoft CAs, Keyfactor CA gateways, or Keyfactor CA management gateways on servers joined to the local Active Directory forest in which Keyfactor Command is installed and any Active Directory forests in a two-way trust with this forest.
To configure this option, check the Use Explicit Credentials box and enter a username in the format DOMAIN\username for a service account user in the forest in which the CA resides or, for non-domain-joined machines, a local machine account on the machine on which the CA is installed. Click the Set Explicit Password button and in the Set Explicit Password dialog, choose from No Value, Load from Keyfactor Secrets or Load From PAM Provider.
This service account user needs appropriate permissions in the CA security settings to accomplish the tasks you plan to carry out for this CA through the Management Portal. For example:
- Certificate enrollment
- Certificate revocation
- Certificate key recovery
- Certificate request approval and denial
These tasks will be carried out on the CA in the context of the credentials you provide here. Access control for these tasks is controlled with Keyfactor Command security (see Security Roles and Identities) and the Restrict Allowed Requesters option, below.
Note: When this option is configured, enrollment and other tasks (e.g. revocation) are done in the context of the user configured here, not the user making the request in Keyfactor Command. This overrides the existing AD security policy used by Keyfactor Command.Note: Once you have established explicit credentials to a forest for a CA, the forest will be included in the forest dropdown on the Import Templates dialog (see Certificate Templates).Tip: The Use Explicit Credentials option is not needed if you are accessing your CA using a Keyfactor Universal Orchestrator or Keyfactor Windows Orchestrator. Enrollment is not supported when accessing a CA using an orchestrator, so the Restrict Allowed Requesters option is not relevant for this type of CA configuration.The Use Explicit Credentials option is not used for EJBCA CAs.
Delegate Management Operations & Delegated Enrollment (Microsoft CAs & CA Gateways)The Delegate Management Operations and Delegate Enrollment boxes are used for CAs that support integrated authentication to allow interactions with the CAs via Keyfactor Command to be done in the context of the user authenticated to Keyfactor Command using Kerberos authentication. Integrated authentication is generally supported for Microsoft CAs, Keyfactor CA gateways, or Keyfactor CA management gateways on servers joined to the local Active Directory forest in which Keyfactor Command is installed and any Active Directory forests in a two-way trust with this forest. If delegation is enabled, when a user authenticates with Kerberos to Keyfactor Command, the Keyfactor Command server can delegate the user's credentials to the CA to provide end-to-end authentication without unpacking the credentials at the Keyfactor Command layer.
These options also apply to users who authenticate to Keyfactor Command using Basic authentication, since Keyfactor Command performs pseudo delegation for these users. These options are not supported for users who authenticate using NTLM authentication.
If you choose to disable one or both of the delegation options and have not enabled the Use Explicit Credentials option, interaction with the CA for the type of activity that is not delegated (e.g. management operations) is done in the context of the service account under which the Keyfactor Command application pool is running. For more information, see Grant the Keyfactor Command Users and Service Account(s) Permissions on the CAs in the Keyfactor Command Server Installation Guide.
Note: Use of explicit credentials is mutually exclusive of delegation.Important: If you configure CA delegation and are using Kerberos authentication, you must also configure Kerberos constrained delegation for the CAs as per Configure Kerberos Constrained Delegation (Optional) in the Keyfactor Command Server Installation Guide.The types of interactions affected by these settings include:
- Approval of pending certificate requests (Delegate Management Operations)
- Denial of pending certificate requests (Delegate Management Operations)
- Revocation of certificates (Delegate Management Operations)
- Certificate key recovery (Delegate Management Operations)
- Certificate enrollment (Delegate Enrollment)
Note: If a workflow (see Workflow Definitions) is configured with a step that will result in a suspended state (e.g. pausing to wait for approvals) and the CA for the request is configured for delegation, the enrollment or revocation request made via the workflow will fail with an error indicating that the failure occurred because CA delegation is enabled. Workflows are not supported with CA delegation in the case where a suspended state may occur because it's possible that the initiating user's context may not be available all the way to the conclusion of the workflow.When using workflow with steps that will result in a suspended state, do not use CA delegation. Instead, use the Keyfactor Command access control model provided by the Restrict Allowed Requesters option for enrollment (see Restrict Allowed Requesters (Microsoft and EJBCA CAs)) and the Revoke permission for certificates at both the global and collection The certificate search function allows you to query the Keyfactor Command database for certificates from any available source based on any criteria of the certificates and save the results as a collection that will be availble in other places in the Management Portal (e.g. expiration alerts and certain reports). levels (see Certificate Permissions).
If you choose to enable delegation, be aware that each user performing one of these delegable operations through the Management Portal must have the appropriate permissions to accomplish this task configured in the CA security settings.
Warning: Granting users permissions in the CA security settings for certificate revocation, certificate key recovery, or certificate request approval and denial—e.g. the Issue and Manage Certificates permission—in order to support delegation of these operations through the Management Portal also grants these permissions to the users when operating outside the Keyfactor Command Management Portal. Any risk associated with this can be mitigated by implementing the Keyfactor Whitelist Policy Handler on each CA where such permissions are granted (see Installing the Keyfactor CA Policy Module Handlers in the Keyfactor Command Server Installation Guide).The Delegate Management Operations and Delegate Enrollment options are not used for EJBCA CAs.
Restrict Allowed Requesters (Microsoft and EJBCA CAs)The Restrict Allowed Requesters option is used to select Keyfactor Command security roles that a user must belong to in order to successfully enroll for certificates in Keyfactor Command via this CA. (NOTE: With this option checked, you must include at least one role in the Allowed Requester Security Roles table for enrollment to work). This option is supported for all CAs, but it must be used for Microsoft CAs where integrated authentication is not supported and EJBCA CAs. Integrated authentication is generally supported for Microsoft CAs, Keyfactor CA gateways, or Keyfactor CA management gateways on servers joined to the local Active Directory forest in which Keyfactor Command is installed and any Active Directory forests in a two-way trust with this forest. Since Keyfactor Command cannot make use of the access control model of the CA itself to determine which users can enroll for certificates at either a template or CA level without using integrated authentication, this setting replaces that functionality. This setting is similar to setting request certificates for the selected security roles at the CA level on a Microsoft CA.
The Restrict Allowed Requesters check box must be checked—and the Allowed Requester Security Roles populated—if the Use Explicit Credentials box is checked for a Microsoft CA that isn't accessed using integrated authentication.
Tip: For Microsoft CAs in a two-way trust environment you don't necessarily need to enable Restrict Allowed Requesters on the CA, though this may be required in some circumstances depending on the security configuration in the environment. However, templates for a two-way trust environment always require configuration of this option at a template level to support enrollment (see Certificate Template Operations).In addition to granting permissions at the CA level using this option, you need enable the Restrict Allowed Requesters option to grant permissions on a template-by-template basis (see Certificate Templates).
Note: Access control for other types of interactions with the CA (e.g. revocation) is managed with standard security roles (e.g. the certificate revoke permission) at both the global and certificate collection level.Authentication Certificate (EJBCA CAs)Click the Select Authentication Certificate button to upload a client certificate in PKCS#12 A PFX file (personal information exchange format), also known as a PKCS#12 archive, is a single, password-protected certificate archive that contains both the public and matching private key and, optionally, the certificate chain. It is a common format for Windows servers. format used to provide authentication to the EJBCA CA. This certificate is used to authenticate to the EJBCA database for synchronization, enrollment and management of certificates.
Note: Once you have established a connection to the EJBCA CA, it will be included in the forest dropdown on the Import Templates dialog (see Certificate Templates).Figure 206: Certificate Authority Authentication Methods Tab for a Microsoft CA
Figure 207: Certificate Authority Authentication Methods Tab for an EJBCA CA
Standalone Tab (Microsoft CAs)To configure a standalone Microsoft CA, check the Standalone box.
Check the Enforce RFC 2818 Compliance box to require that certificate enrollments made through the Keyfactor Command Management Portal for this CA include at least one DNS SAN The subject alternative name (SAN) is an extension to the X.509 specification that allows you to specify additional values when enrolling for a digital certificate. A variety of SAN formats are supported, with DNS name being the most common.. This causes the CN A common name (CN) is the component of a distinguished name (DN) that represents the primary name of the object. The value varies depending on the type of object. For a user object, this would be the user's name (e.g. CN=John Smith). For SSL certificates, the CN is typically the fully qualified domain name (FQDN) of the host where the SSL certificate will reside (e.g. servername.keyexample.com or www.keyexample.com). entered in PFX A PFX file (personal information exchange format), also known as a PKCS#12 archive, is a single, password-protected certificate archive that contains both the public and matching private key and, optionally, the certificate chain. It is a common format for Windows servers. enrollment to automatically be replicated as a SAN, which the user can either change or accept. For CSR A CSR or certificate signing request is a block of encoded text that is submitted to a CA when enrolling for a certificate. When you generate a CSR within Keyfactor Command, the matching private key for it is stored in Keyfactor Command in encrypted format and will be married with the certificate once returned from the CA. enrollment, if the CSR does not have a SAN that matches the CN, one will automatically be added to the certificate if this is set.
If you have configured the CA for PFX enrollment on the Basic tab, the Key Retention field dropdown will display. Select a retention type. Enter the number of days, weeks, months, or years to keep the encrypted private key Private keys are used in cryptography (symmetric and asymmetric) to encrypt or sign content. In asymmetric cryptography, they are used together in a key pair with a public key. The private or secret key is retained by the key's creator, making it highly secure. stored in the Keyfactor Command database based on the type selected, then select the desired time frame (Day(s), Week(s), Month(s), or Year(s)). You will not have the option to choose a retention timeframe if you choose Indefinite.
Figure 208: Certificate Authority Standalone Tab
- Click Test and Save to add or update the CA, or click Test Connection to test the CA prior to saving (see Test a CA Connection).
Once a CA record has been created for your CA, go to certificate templates (see Certificate Templates) and import templates for the CA. Template import is supported for both Microsoft and EJBCA CAs. Template import is not supported for the following:
-
Non-domain-joined standalone Microsoft CAs (these don't use templates)
-
CAs accessed via the Keyfactor Universal Orchestrator or Windows Orchestrator
To delete a CA record:
- In the Management Portal, browse to Locations > Certificate Authorities.
- On the Certificate Authorities grid, highlight the row in the CA grid and click Delete at the top of the grid or right-click the CA and choose Delete from the right-click menu.
- On the Confirm Operation alert, click OK to confirm or Cancel to cancel the operation.
A CA cannot be deleted if:
- It has scanning tasks enabled.
- It has certificates associated with it in the Keyfactor Command database.
- It is the last CA for its Configuration Tenant and there are certificate templates (see Certificate Templates) for that Configuration Tenant in Keyfactor Command.