Appendix - Set up the Universal Orchestrator to Use Client Certificate Authentication with Certificates Stored in Active Directory

The Keyfactor Universal Orchestrator can be configured to support client certificate authentication by acquiring a certificate for the Keyfactor Command connect service account user or machine account of the orchestrator, storing it in Active Directory, and then providing the associated Active Directory credentials to authenticate to Keyfactor Command. This has an advantage over the reverse proxy method (see Appendix - Set up the Universal Orchestrator to Use Client Certificate Authentication via a Reverse Proxy: Citrix ADC) in that a username and password do not need to be stored anywhere (other than in Active Directory). This method does have a heavier reliance on Active Directory.

Complete the following steps and then configure the orchestrator to enable client certificate authentication as per the installation instructions (see -ClientCertificate or Install the Universal Orchestrator on Linux).

Tip:  Using this method, you do not necessarily need to configure certificate authentication in Keyfactor Command, unlike for the proxy method (see Appendix - Set up the Universal Orchestrator to Use Client Certificate Authentication via a Reverse Proxy: Citrix ADC), since the certificate authentication is occurring at the IIS layer before the request reaches Keyfactor Command. You may wish to configure certificate authentication in Keyfactor Command to allow Keyfactor Command to monitor certificate authentication and to support automated certificate renewal (see Register a Client Certificate Renewal Extension). If you enable certificate authentication in Keyfactor Command with this method, you will need to provide a value in the Certificate Authentication HTTP Header field. This header field is used to pass the certificate contents to Keyfactor Command in instances when the certificate is not used directly (such as in the reverse proxy scenario). The value is required when configuring certificate authentication in Keyfactor Command, but since for this method you do not need to extract the certificate from the header, the value you set here is unimportant.
Important:  If you do opt to enable certificate authentication in Keyfactor Command, be aware that this will force all orchestrators to use certificate authentication when communicating with Keyfactor Command on the configured server.

Figure 565: Client Certificate Authentication with AD Storage Does Not Require Certificate Authentication Configuration in Keyfactor Command

Note:  The following instructions assume that your Keyfactor Command server is already installed and configured with an SSL certificate that is trusted in your environment. If this is not the case, this will also need to be done.
Tip:  If you receive the following error when selecting your certificate in the orchestrator configuration wizard:
The request was aborted: Could not create SSL/TLS secure channel.
  • Confirm that the orchestrator server trusts the root and issuing certificates for the SSL certificate on the Keyfactor Command server and the client authentication certificate you are trying to use (see Configure Certificate Root Trust for the Universal Orchestrator).

  • Confirm that the orchestrator server has access to the CRLs for both the SSL certificate on the Keyfactor Command server and the client authentication certificate you are trying to use and that these CRLs are valid.

  • Confirm that you have granted the service account under which the orchestrator service runs private key permissions on the client authentication certificate.
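As an added example that is not part of this documentation, the following PowerShell script runs those three checks from the orchestrator server: chain and CRL validation of the client authentication certificate, validation of the Keyfactor Command server's TLS certificate with revocation checking, and the service account's access to the private key file. The thumbprint, service account name, Keyfactor Command hostname and the LocalMachine\My store location are assumptions to replace with your own values.

```powershell
# Added example, not from the Keyfactor documentation. Run on the orchestrator server.
# Assumptions: the client authentication certificate is in Cert:\LocalMachine\My and the
# three parameter defaults below are replaced with your own values.
param(
    [string]$ClientCertThumbprint = 'REPLACE-WITH-THUMBPRINT',   # assumption
    [string]$ServiceAccount       = 'DOMAIN\svc-orchestrator',   # assumption
    [string]$CommandHost          = 'keyfactor.example.com'      # assumption
)

# Check 1: the client authentication certificate chains to a trusted root, every CRL in the
# chain is reachable and valid, and the certificate carries the Client Authentication EKU.
$clientCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $ClientCertThumbprint }
if (-not $clientCert) { throw "Certificate $ClientCertThumbprint not found in Cert:\LocalMachine\My" }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'        # fetch CRLs rather than relying on cached results
$chain.ChainPolicy.RevocationFlag = 'EntireChain'   # check the issuing CA certificates, not just the leaf
$chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.2')) | Out-Null
if ($chain.Build($clientCert)) {
    Write-Output 'Check 1 OK: client certificate chain and CRLs are valid'
} else {
    $chain.ChainStatus | ForEach-Object { Write-Output "Check 1 FAILED: $($_.Status) - $($_.StatusInformation.Trim())" }
}

# Check 2: the Keyfactor Command server's TLS certificate validates from this machine, with
# revocation checking turned on (the last argument of AuthenticateAsClient).
$tcp = New-Object System.Net.Sockets.TcpClient($CommandHost, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($CommandHost, $null, [System.Security.Authentication.SslProtocols]::Tls12, $true)
    Write-Output "Check 2 OK: server certificate '$($ssl.RemoteCertificate.Subject)' validated"
} catch {
    Write-Output "Check 2 FAILED: $($_.Exception.GetBaseException().Message)"
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}

# Check 3: the service account holds an Allow ACE with read access on the private key file.
# Only direct ACEs are inspected, so access granted through group membership is not detected.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($clientCert)
if (-not $rsa) { throw 'No RSA private key is associated with the certificate on this machine' }
$keyFile = if ($rsa -is [System.Security.Cryptography.RSACng]) {
    "$env:ProgramData\Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"                                    # CNG key storage provider
} else {
    "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys\$($rsa.CspKeyContainerInfo.UniqueKeyContainerName)"  # legacy CAPI provider
}
$allow = (Get-Acl $keyFile).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $ServiceAccount -and
    ($_.FileSystemRights -match 'Read|FullControl')
}
if ($allow) { Write-Output "Check 3 OK: $ServiceAccount can read the private key file" }
else        { Write-Output "Check 3 FAILED: no Allow ACE for $ServiceAccount on $keyFile" }
```

Run it under an administrative session so that the key file ACL can be read; a certificate stored under the service account's own user profile rather than the machine store requires adjusting the store path in the script.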