Enrollment

The enrollment function in the Keyfactor Command Management Portal allows PKI administrators to request certificates in one of two ways: by submitting a certificate signing request (CSR) generated elsewhere (see CSR Enrollment), so that the private key never leaves the requesting system, or by entering the request details directly and receiving the issued certificate together with its private key as a password-protected PFX (PKCS#12) file (see PFX Enrollment). Provided the enrollment succeeds and the template used does not require manager approval, the certificate is available immediately for download through the browser or for installation into a certificate store. A third option generates the CSR within Keyfactor Command itself (see CSR Generation); in that case the private key generated alongside the CSR is stored, encrypted, in the Keyfactor Command database and is married with the certificate once the CA returns it.
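The CSR-enrollment path described above, as an added example that is not Keyfactor's own code: the requester generates the key pair and CSR locally, checks the CSR before submitting it, the CA issues a certificate from it, and the returned certificate is checked against the private key and packaged as a password-protected PFX, the same container the PFX-enrollment path delivers. The issuing CA is a constructed self-signed stand-in, not a Keyfactor CA or gateway; the host names, CA name, PFX password and validity periods are assumptions made up for the example, and it needs the `cryptography` package.

```python
"""Added example (not Keyfactor's code): the CSR-enrollment round trip.
The key pair and CSR are generated locally, so the private key never leaves
this host; the issuing CA is a constructed self-signed stand-in, and all
names, passwords and lifetimes are made up.  Requires `cryptography`."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID


def _now():
    return datetime.datetime.now(datetime.timezone.utc)


def generate_key_and_csr(common_name, dns_names, key_size=2048):
    """Return (private_key, csr_pem); only csr_pem is submitted for enrollment."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_size)
    csr = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(d) for d in dns_names]),
                       critical=False)
        .sign(key, hashes.SHA256())  # proof of possession of the private key
    )
    return key, csr.public_bytes(serialization.Encoding.PEM)


def check_csr(csr_pem):
    """Pre-submission checks: proof-of-possession signature, key size, SAN present."""
    csr = x509.load_pem_x509_csr(csr_pem)
    if not csr.is_signature_valid:
        return False, "CSR signature does not verify"
    pub = csr.public_key()
    if isinstance(pub, rsa.RSAPublicKey) and pub.key_size < 2048:
        return False, f"RSA key too small: {pub.key_size}"
    try:
        csr.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    except x509.ExtensionNotFound:
        return False, "no subjectAltName"
    return True, "ok"


def constructed_ca():
    """Self-signed stand-in for the issuing CA (constructed for this example only)."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Issuing CA")])
    ca_cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name).public_key(ca_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now()).not_valid_after(_now() + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(ca_key, hashes.SHA256())
    )
    return ca_key, ca_cert


def issue_from_csr(csr_pem, ca_key, ca_cert, days=90):
    """CA side: re-check the CSR signature, copy subject/SAN/public key, sign."""
    csr = x509.load_pem_x509_csr(csr_pem)
    if not csr.is_signature_valid:
        raise ValueError("refusing CSR with bad signature")
    san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    return (
        x509.CertificateBuilder()
        .subject_name(csr.subject).issuer_name(ca_cert.subject).public_key(csr.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now()).not_valid_after(_now() + datetime.timedelta(days=days))
        .add_extension(san.value, critical=False)
        .sign(ca_key, hashes.SHA256())
    )


def key_matches_cert(key, cert):
    """The 'marriage' check: the returned certificate must carry our public key."""
    der = serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo
    return key.public_key().public_bytes(*der) == cert.public_key().public_bytes(*der)


def build_pfx(key, cert, chain, password):
    """Password-protected PKCS#12 (PFX) holding key, leaf certificate and chain."""
    return pkcs12.serialize_key_and_certificates(
        b"enrolled", key, cert, chain, serialization.BestAvailableEncryption(password))


def enrollment_round_trip(password=b"constructed-pfx-password"):
    """Run the whole flow and report what a certificate-store import would see."""
    key, csr_pem = generate_key_and_csr("web01.example.test", ["web01.example.test"])
    ok, reason = check_csr(csr_pem)
    if not ok:
        raise ValueError(reason)
    ca_key, ca_cert = constructed_ca()
    cert = issue_from_csr(csr_pem, ca_key, ca_cert)
    if not key_matches_cert(key, cert):
        raise ValueError("issued certificate does not match our private key")
    pfx = build_pfx(key, cert, [ca_cert], password)
    loaded_key, loaded_cert, extra = pkcs12.load_key_and_certificates(pfx, password)
    return {
        "key_matches": key_matches_cert(loaded_key, loaded_cert),
        "chain_len": len(extra),
        "subject": loaded_cert.subject.rfc4514_string(),
        "issuer": loaded_cert.issuer.rfc4514_string(),
    }
```

`key_matches_cert` is the step the page calls marrying the key with the certificate; when Keyfactor Command generates the CSR for you, that step happens server-side against the encrypted key in its database, whereas with a locally generated CSR it happens wherever the key was created. `check_csr` refuses a CSR whose proof-of-possession signature does not verify or whose RSA key is under 2048 bits, which is the check worth running before a CA ever sees the request.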

Note:  As of Keyfactor Command version 10, enrollment (PFX and CSR), renewal, and revocation requests all flow through Keyfactor Command workflow. This does not change the enrollment, renewal, or revocation user experience unless customizations have been added to the workflow (see Workflow Definitions).

See Application Settings: Enrollment Tab for configuration settings that apply to the enrollment functions in the Keyfactor Command Management Portal. Some enrollment functions are also affected by template settings. See Configuring System-Wide Settings and Configuring Template Options for more information.

Note:   The application pool service account must be granted enrollment permissions on the CA itself in order to enroll through that CA from Keyfactor Command.
Important:  Direct enrollment (without a Keyfactor CA gateway) is supported only for CAs in the Active Directory forest in which Keyfactor Command is installed and in forests that have a two-way trust with that forest. For cross-forest enrollment (against a CA in a forest with a two-way trust to the Keyfactor Command forest), the root and intermediate CA certificates from the trusted forest must be installed in the trusted root and intermediate certificate stores on the Keyfactor Command server.