Grant the Keyfactor Command Users and Service Account(s) Permissions on the CAs

In order for Keyfactor Command to be able to synchronize certificates from the CAs to the Keyfactor Command database, the service account under which Keyfactor Command makes a connection to the CAClosed A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA. must have permissions to read the CA databases. For full Keyfactor Command functionality, additional permissions are needed. The permissions needed vary depending on the type of CA and the type of authorization you intend to configure to allow Keyfactor Command and users in Keyfactor Command to interact with the CA.

Microsoft CAs

When you configure Keyfactor Command access to a Microsoft CA, you have the option to enable the Use Explicit Credentials option. When this option is enabled, you enter a set of credentials that will be used specifically to access that Microsoft CA, and all management and enrollmentClosed Certificate enrollment refers to the process by which a user requests a digital certificate. The user must submit the request to a certificate authority (CA). tasks for that CA are done in the context of that service account. If you do not enable the Use Explicit Credentials option, management tasks (e.g. revocation, certificate synchronization) and enrollments are done in the context of the service account(s) you configure for the Keyfactor Command Service and the application pool for Keyfactor Command (which are the same service account in many implementations) and individual users. The exact combination of what happens in the context of who depends on the configuration of the delegation options (Delegate management Operations and Delegate Enrollment) on the CA when the Use Explicit Credentials option is not enabled. Delegation is supported for both Basic authentication and Kerberos authentication (see Configure Kerberos Constrained Delegation (Optional)). Use of explicit credentials is mutually exclusive of delegation.

The users and service account(s) you will be using to connect to your Microsoft CA(s) from Keyfactor Command need some set of the following permissions on the CA, based on the configuration of authorization for the CA:

Table 769: Microsoft CA Permission Matrix provides information on what permissions are required based on possible authorization configurations.

Table 769: Microsoft CA Permission Matrix

  Use Explicit Credentials

Use Explicit Credentials

Delegate Management

Delegate Enrollment

Use Explicit Credentials

Delegate Management

Delegate Enrollment

Use Explicit Credentials

Delegate Management

Delegate Enrollment

Use Explicit Credentials

Delegate Management

Delegate Enrollment

Explicit CA-Specific User

Read

Issue & Manage Certificates

Manage CA

Request Certificates

n/a n/a n/a n/a
Keyfactor Command Service Account None

Read

Request Certificates1

Read

Request Certificates2

Read

Request Certificates3

Read

Request Certificates4

Keyfactor Command Application Pool Account None

Read

Issue & Manage Certificates

Manage CA

Request Certificates5

Read

Issue & Manage Certificates

Manage CA

Request Certificates6

Read

Manage CA

Request Certificates

Read

Issue & Manage Certificates

Manage CA

Request Certificates

Individual Users None

Read

Issue & Manage Certificates

Request Certificates

Read

Request Certificates

Read

Issue & Manage Certificates

None

In the management console for each CA that Keyfactor Command will be interacting with, open the properties for the CA and grant the users and service account(s) for Keyfactor Command the appropriate permissions for your environment before continuing.

EJBCA CAs

Management (e.g. revocation, certificate synchronization) and enrollment requests to an EJBCA CA are made in the context of the end entity associated with the client certificate selected in each CA configuration in the Keyfactor Command Management Portal to provide authentication to the EJBCA CA (see Acquire a Client Certificate for EJBCA CA Authentication). The access rule created or used for this needs to grant sufficient permissions to allow the end entity to synchronize certificates. For full functionality, it needs the following permissions:

Figure 488: EJBCA Access Permissions

You may either create a new access rule that limits access to just these required permissions, or use an existing access rule. In either case, you need to add the certificate used to authenticate Keyfactor Command to the EJBCA CA as a member of that access rule.

Figure 489: Add Client Certificate as Member of EJBCA Access Rule