Certificate Authorities
Your Microsoft and EJBCA certificate authorities (CAs) are defined in the Management Portal to support synchronization to the Keyfactor Command database and support enrollment
Certificate enrollment refers to the process by which a user requests a digital certificate. The user must submit the request to a certificate authority (CA).. Microsoft CAs in the local forest An Active Directory forest (AD forest) is the top most logical container in an Active Directory configuration that contains domains, and objects such as users and computers. in which Keyfactor Command is installed or in a forest in a two-way trust with this forest may be imported from Active Directory or manually configured. Other Microsoft CAs and EJBCA CAs need to be manually configured. During initial provisioning, any domain-joined Microsoft CAs in the primary Active Directory forest will be imported automatically by the Keyfactor Command configuration wizard.
A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA. must be granted appropriate permission to the CA database as per Grant the Keyfactor Command Users and Service Account(s) Permissions on the CAs in the Keyfactor Command Server Installation Guide.CAs that need to be configured manually include:
- Domain-joined enterprise or standalone Microsoft CA in a forest with a one-way trust (either direction) with the forest in which Keyfactor Command is installed
- Domain-joined enterprise or standalone Microsoft CA in a forest that has no trust with the forest in which Keyfactor Command is installed
- EJBCA CA
- Non-domain-joined standalone Microsoft CA
-
Keyfactor CA gateway in the forest in which Keyfactor Command is installed
The CA gateways are used to access cloud certificate providers (e.g. the Entrust CA Gateway) or to support Microsoft CAs in remote or cloud environments (e.g. the Cross-Forest Gateway).
Note: Keyfactor CA gateways are not supported in any configuration other than in the same forest in which Keyfactor Command is installed. - On-premise Microsoft CA accessed via the Keyfactor CA Management Gateway The Keyfactor CA Management Gateway is made up of the Keyfactor Gateway Connector, installed in the customer forest to provide a connection to the local CA, and the Azure-hosted and Keyfactor managed Hosted Configuration Portal. The solution is used to provide a connection between a customer's on-premise CA and an Azure-hosted instance of Keyfactor Command for synchronization, enrollment, and management of certificates. using a managed instance of Keyfactor Command
- On-premise EJBCA CA accessed via the Keyfactor CA Management Gateway using a managed instance of Keyfactor Command
-
Microsoft CA accessed via the Keyfactor Universal Orchestrator
The Keyfactor Universal Orchestrator, one of Keyfactor's suite of orchestrators, is used to interact with Windows servers (a.k.a. IIS certificate stores) and FTP capable devices for certificate management, run SSL discovery and management tasks, and manage synchronization of certificate authorities in remote forests. With the addition of custom extensions, it can run custom jobs to provide certificate management capabilities on a variety of platforms and devices (e.g. F5 devices, NetScaler devices, Amazon Web Services (AWS) resources) and execute tasks outside the standard list of certificate management functions. It runs on either Windows or Linux. or Windows Orchestrator The Windows Orchestrator, one of Keyfactor's suite of orchestrators, is used to manage synchronization of certificate authorities in remote forests, run SSL discovery and management tasks, and interact with Windows servers as well as F5 devices, NetScaler devices, Amazon Web Services (AWS) resources, and FTP capable devices, for certificate management. In addition, the AnyAgent capability of the Windows Orchestrator allows it to be extended to create custom certificate store types and management capabilities regardless of source platform or location.Note: You must install and configure the Keyfactor Universal Orchestrator Keyfactor orchestrators perform a variety of functions, including managing certificate stores and SSH key stores. or Windows Orchestrator on a machine in the same forest where the Microsoft CA resides and configure it with CA Support and approve the orchestrator in the Management Portal before creating the CA record.
The majority of CA-related functions within Keyfactor Command are supported by both EJBCA and Microsoft CAs. Table 16: CA Function Matrix includes a list of CA-related functions and the support provided by EJBCA and Microsoft CAs.
|
EJBCA CA |
Microsoft CA |
|
|---|---|---|
| CA Synchronization |
|
|
| Template1 Import |
|
|
| CA Threshold Monitoring (Issuance) |
|
|
| CA Threshold Monitoring (Failures) |
|
|
| CA Health Monitoring |
|
|
| Certificate Enrollment (PFX) |
|
|
| Certificate Enrollment (CSR) |
|
|
| Certificate Revocation |
|
|
| CRL Publishing Following Certificate Revocation |
|
|
| Keyfactor Command Private Key Retention and Key Recovery |
|
|
| CA-Level Key Archiving (* no longer supported as of Keyfactor Command v10) | ||
| CA-Level Key Recovery |
|
|
| Approvals in Workflow Builder |
|
|
| CA-Level Approvals with Pending, Issued and Denied Alerts |
|
|
| Supports use of Restrict Allowed Requesters for access control |
|
|
| Requires use of Restrict Allowed Requesters for access control |
|
|
| Requests to the CA can be done in the context of the user initiating the request |
|
|
| Requests to the CA can be done in the context of a single service account2 |
|
|
| Supports use of Universal Orchestrator to access remote CA |
|
) next to the You can also find the help icon at the top of the page next to the Log Out button. From here you can choose to open either the Keyfactor Command Documentation Suite at the home page or the Keyfactor API Endpoint Utility.
