Add Certificate

The add certificate tool supports importing certificates with the following formats and extensions:

• PEM A PEM format certificate file is a base64-encoded certificate. Since it's presented in ASCII, you can open it in any text editor. PEM certificates always begin and end with entries like ---- BEGIN CERTIFICATE---- and ----END CERTIFICATE----. PEM certificates can contain a single certificate or a full certifiate chain and may contain a private key. Usually, extensions of .cer and .crt are certificate files with no private key, .key is a separate private key file, and .pem is both a certificate and private key.: .cer or.crt

  If your PEM file has an extension of .pem, rename it to .cer or .crt before using the Add Certificate tool.

• PKCS#12 A PFX file (personal information exchange format), also known as a PKCS#12 archive, is a single, password-protected certificate archive that contains both the public and matching private key and, optionally, the certificate chain. It is a common format for Windows servers.: .pfx or .p12

• PKCS#7: .p7b

This tool has several purposes, including:

• It can be used to import certificates generated outside the enterprise PKI A public key infrastructure (PKI) is a set of roles, policies, and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption. environment—such as those purchased from a commercial certificate vendor or generated by a non-Microsoft or non-EJBCA CA A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA..
• It can be used to import certificates that would not be automatically imported during a synchronization of configured Microsoft or EJBCA CAs such as root CA certificates or certificates with unusual key types (e.g. Dilithium) that aren’t supported by synchronization.
• It can be used to import certificates acquired using CSRs generated by Keyfactor Command and issued by a CA not managed using Keyfactor Command to allow for ongoing management with Keyfactor Command.

• It can be used to push a certificate with the associated private key Private keys are used in cryptography (symmetric and asymmetric) to encrypt or sign content. In asymmetric cryptography, they are used together in a key pair with a public key. The private or secret key is retained by the key's creator, making it highly secure. out to a certificate store when you have the appropriate .pfx or .p12 file available.

• It can be used as a quick shortcut to push a certificate without a private key out to a certificate store when you have the certificate file in hand and don’t want to search for the certificate in Keyfactor Command in order to push it out to the certificate store.

  Before you can add a certificate to a certificate store with this option, you must first add the certificate store in Keyfactor Command (see Certificate Stores) and install, start, and approve the orchestrator Keyfactor orchestrators perform a variety of functions, including managing certificate stores and SSH key stores. (see Orchestrator Management and the Installing Orchestrators guide.

If you import a certificate that has either already been imported via a synchronization task or has been manually imported previously, the certificate will not be re-imported. You will receive a notification message, when you save it, if the certificate already exists in the Keyfactor Command database. Any metadata Metadata provides information about a piece of data. It is used to summarize basic information about data, which can make working with the data easier. In the context of Keyfactor Command, the certificate metadata feature allows you to create custom metadata fields that allow you to tag certificates with tracking information about certificates. currently stored in the database for that certificate will be displayed in the metadata fields on the page (for .cer and .crt format certificates), and any changes you make to the metadata on this page will overwrite the existing metadata for the certificate when you complete the import (for all certificate formats).

To use the add certificate tool

1. In the Management Portal, browse to Certificates > Add Certificate.
2. In the Add Certificate section of the page, click the Upload button to open a browse window.
3. In the browse window, browse to select the certificate you wish to import.

4. For a .pfx or .p12 file, when prompted enter the password for the file and Save. This will open the Add Certificate page, which will allow you to change/add metadata and choose certificate locations to deploy the certificate to. Set PFX Password allows you to reenter the password once you have uploaded the certificate.

   

   Figure 48: Add Certificate Password for PFX/p12

5. In the Certificate/PFX Details section of the page, review the certificate information.

   

   Figure 49: Add Certificate Information

6. In the Metadata section of the page, populate the metadata fields as appropriate for the certificate. Metadata fields that have been designated as required on a system-wide or template A certificate template defines the policies and rules that a CA uses when a request for a certificate is received.-level basis will be marked with *Required.

   

   Figure 50: Add Certificate Metadata

7. In the Install into Certificate Locations section of the page, select each certificate store location to which you want to distribute the certificate, if desired. To do this, click the Include Certificate Stores button. This will cause the Select Certificate Store Locations dialog to appear. Make your certificate store selections in this dialog as described in Select Certificate Store Locations, below, and click Include and Close. You will then see some additional fields on the page. Populate these as per Add to Certificate Stores and Information Required for Certificate Stores, below.

   Select Certificate Store Locations

   The Select Certificate Store Locations dialog allows you to run queries against your certificate store list to select which store(s) to deploy a selected certificate to. Check the box next to each certificate store location to which you want to distribute the certificate.

   Note:   Only compatible certificate stores and only stores in containers to which you have permissions are shown on the grid.

   Tip:  You may change the search results by using the search fields at the top of the dialog. All of the Keyfactor Command grid search features are available to assist your search. See Using the Certificate Store Search Feature for more information on the available search fields. The default search criteria is AgentAvailable is equal to True.

   The actions on the Select Certificate Store Locations dialog are:

   • Include

     Click this to add the selected certificate store(s) to your certificate selection and leave the search dialog open for further searches.

   • Include and Close

     Click this to close the search dialog and add the selected certificate store(s) to your certificate selection, which will then be displayed and ready for updates as per the instructions in Add to Certificate Stores.

   • Close

     Click this to cancel the operation and return to the main page with no certificate stores selected.

   

   Figure 51: Select Certificate Store Locations Dialog

   Add to Certificate Stores

   The Add to Certificate Stores page appears once you select at least one certificate store to distribute your certificate to. It includes a grid section with a series of tabs that display a tab for each type of certificate store selected with a list of the selected stores under each tab. The header section of the dialog shows global options that apply to the add job as a whole:

   • Include Certificate Stores

     You may return to the Select Certificate Store Locations dialog by clicking Include Certificate Stores above the grid. The current selections will be retained.

   • Schedule when to run the job for the certificate store

     In the Schedule dropdown, select a time at which the job to add the certificate to the stores should run. The choices are Immediate or Exactly Once at a specified date and time. If you choose Exactly Once, enter the date and time for the job. A job scheduled for Immediate running will run within a few minutes of saving the operation. The default is Immediate.

   Click Remove at the top of the grid to remove the selected certificate store from the page. The certificate will not be added to the store.

   For each selected certificate store you can apply the following actions:

   • Overwrite

     Check Overwrite below the grid to overwrite any existing certificate in the same location and with the same name or alias for the selected certificate store type.

   • Alias

     Add an Alias below the grid, if applicable, for the certificate store type. See the Information Required by Certificate Store section, below, for more information.

     Note:   The tab heading of the certificate location will display an alert if an alias is required for the location. If this is set to Forbidden on the certificate store type, the Alias field will not display unless "Overwrite" is checked on this page.

   

   Figure 52: Add Certificate—Install into Certificate Locations

   

   Figure 53: Alias Required Alert on Save

   Information Required by Certificate Stores

   Each type of certificate store has different requirements for providing an alias or other additional information. Table 6: Alias Requirements by Certificate Store Type provides a quick breakdown by certificate store of whether a certificate alias is required for new certificate additions or only for overwriting an existing certificate in the store.

   Tip:  When adding a certificate to a certificate store, you have the option to overwrite an existing certificate with the current certificate. If you choose this option, you will need to provide the alias of the certificate you wish to overwrite. Find the alias values by navigating to Management Portal > Certificates > Certificate Search. Select the certificate you wish to overwrite and double-click, or click Edit, from the grid header or right-click menu. Choose the Locations tab and double-click on the Location Type (this must have a number other than zero in the Count column) to open the details dialog. The Alias field holds the information that may be required for an overwrite.

   

   Figure 54: Example: Certificate Location Details for a JKS Location

   Table 6: Alias Requirements by Certificate Store Type

   Certificate Store Type	Alias Functionality
   Amazon Web Services	Alias only required for overwrites
   F5 CA Bundles REST	Alias required for new additions and overwrites
   F5 SSL Profiles	Alias required for new additions and overwrites
   F5 SSL Profiles REST	Alias required for new additions and overwrites
   F5 Web Server	Alias only required for overwrites
   F5 Web Server REST	Alias only required for overwrites
   File Transfer Protocol	Alias required for new additions and overwrites
   IIS Personal	Alias only required for overwrites
   IIS Revoked	Alias not needed
   IIS Trusted Roots	Alias not needed
   Java Keystore	Alias required for new additions and overwrites
   NetScaler	Alias required for new additions and overwrites
   PEM File	Alias only required for overwrites

   Amazon Web Services (AWS)

   Amazon Web Services (AWS) certificate stores require the addition of a private key and will only appear as an option when you select a certificate with a private key. With this type of store, you have the option to overwrite an existing certificate with the current certificate. If you choose this option, you will need to provide the alias of the certificate you wish to overwrite. The alias is the internal ID assigned by Amazon (the Amazon resource number or ARN). Provide the entire contents of the Alias/IP from this field when entering an alias for overwrite. For example:

   arn:aws:acm:us-west-2:220531701668:certificate/88e5dcfb-a70b-4636-a8ab-e85e8ad88780

   F5 CA Bundles REST

   F5 CA Bundle REST certificate store additions do not require the addition of a private key and will appear for both certificates with a private key and those without. With this type of store, you will be prompted to add an alias for the certificate. The alias is the file name used to store the file in the device file system, minus the extension (e.g. use alias MyFile for a file named MyFile.crt). Aliases should be entered without spaces. Note that certificate names are case sensitive. You have the option to overwrite an existing certificate with the current certificate. If you choose this option, you will need to provide the alias of the certificate you wish to overwrite.

   F5 SSL Profile

   F5 SSL TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are protocols for establishing authenticated and encrypted links between networked computers. Profile certificate store additions do not require the addition of a private key and will appear for both certificates with a private key and those without. With this type of store, you will be prompted to add an alias for the certificate. The alias is the file name used to store the file in the device file system, minus the extension (e.g. use alias MyFile for a file named MyFile.pfx). Aliases should be entered without spaces. Note that certificate names are case sensitive. You have the option to overwrite an existing certificate with the current certificate. If you choose this option, you will need to provide the alias of the certificate you wish to overwrite.

   F5 SSL Profile REST

   F5 SSL Profile REST certificate store additions do not require the addition of a private key and will appear for both certificates with a private key and those without. With this type of store, you will be prompted to add an alias for the certificate. The alias is the file name used to store the file in the device file system, minus the extension (e.g. use alias MyFile for a file named MyFile.pfx). Aliases should be entered without spaces. Note that certificate names are case sensitive. You have the option to overwrite an existing certificate with the current certificate. If you choose this option, you will need to provide the alias of the certificate you wish to overwrite.

   F5 Web Server

   F5 Web Server certificate stores require the addition of a private key and will only appear as an option when you select a certificate with a private key. With this type of store, you have the option to overwrite an existing certificate with the current certificate. If you choose this option, you will need to provide the alias of the certificate you wish to overwrite. The alias for F5 device certificates is typically server.

   F5 Web Server REST

   F5 Web Server REST certificate stores require the addition of a private key and will only appear as an option when you select a certificate with a private key. With this type of store, you have the option to overwrite an existing certificate with the current certificate. If you choose this option, you will need to provide the alias of the certificate you wish to overwrite. The alias for F5 device certificates is typically server.

   File Transfer Protocol (FTP)

   File Transfer Protocol (FTP) certificate store additions do not require the addition of a private key and will appear for both certificates with a private key and those without. With this type of store, you have the option to overwrite an existing certificate with the current certificate. If you choose this option, you will need to provide the alias of the certificate you wish to overwrite. In that case the new thumbprint should be passed in as the alias without any spaces between the octets (e.g. 81009c6e5465ecf343ba55ff9612122a5a4f6b33 not 81 00 9c 6e 54 65 ec f3 43 ba 55 ff 96 12 12 2a 5a 4f 6b 33).

   IIS Personal

   IIS Personal certificate stores require the addition of a private key and will only appear as an option when you select a certificate with a private key. With this type of store, you have the option to overwrite an existing certificate bound to an IIS web site with the current certificate. If you choose this option, you will need to provide the alias of the certificate you wish to overwrite. The alias is the thumbprint of the certificate bound to the IIS web site on the target. The thumbprint may be entered with or without spaces between each octet (e.g. 81 00 9c 6e 54 65 ec f3 43 ba 55 ff 96 12 12 2a 5a 4f 6b 33 or 81009c6e5465ecf343ba55ff9612122a5a4f6b33).

   Tip:  Choosing overwrite for a certificate not bound to an IIS web site will have no effect. No certificate will be overwritten.

   IIS Revoked and Trusted Root

   IIS Revoked and Trusted Root certificate store additions do not require the addition of a private key and will appear for both certificates with a private key and those without.

   Tip:  The overwrite functionality is not relevant for IIS Revoked and Trusted Root certificate stores and should be ignored.

   Java Keystore

   Java keystore certificate store additions do not require the addition of a private key and will appear for both certificates with a private key and those without. With this type of store, you will be prompted to add an alias for the certificate. This optional alias is stored in the keystore associated with the certificate. You have the option to overwrite an existing certificate with the current certificate. If you choose this option, you will need to provide the alias of the certificate you wish to overwrite. Spaces are supported in the alias.

   NetScaler

   NetScaler certificate store additions do not require the addition of a private key and will appear for both certificates with a private key and those without. With this type of store, you will must add an Alias for the certificate. This serves as the file name used to store the file in the file system, so provide it with an appropriate extension (e.g. appserver17.crt or appserver17.pfx). Aliases should be entered without spaces. You must also enter the virtual server to associate the certificate with in the NetscalerVserver field. For a certificate with a private key, you are associating the certificate as a NetScaler Server Certificate. For a certificate without a private key, you are associating the certificate as a NetScaler CA Certificate and only CA certificates are supported for this purpose. You will receive an error if you attempt to associate a non-CA certificate without a private key with a virtual server. Entry of virtual server name is not case sensitive. You have the option to overwrite an existing certificate with the current certificate. If you choose this option, you will need to provide the alias (full file name with extension) of the certificate you wish to overwrite.

   PEM File

   PEM certificate store additions do not require the addition of a private key and will appear for both certificates with a private key and those without. When you check the box for a PEM store, a new PFX A PFX file (personal information exchange format), also known as a PKCS#12 archive, is a single, password-protected certificate archive that contains both the public and matching private key and, optionally, the certificate chain. It is a common format for Windows servers. Password section will appear on the page. The password you enter here is used to encrypt the private key of the certificate when stored in the PEM file or separate password file. If you choose to uncheck the Use Custom Password box, the private key will be encrypted with a random password which is not accessible to you. For most use cases, you will need a known password for this purpose, so leave the Use Custom Password box checked and make note of the password you use for this purpose. With this type of store, you have the option to overwrite an existing certificate with the current certificate. If you choose this option, you will need to provide the alias of the certificate you wish to overwrite. The alias is the thumbprint of the certificate without any spaces between the octets (e.g. 81009c6e5465ecf343ba55ff9612122a5a4f6b33 not 81 00 9c 6e 54 65 ec f3 43 ba 55 ff 96 12 12 2a 5a 4f 6b 33).

   Note:  Keyfactor Command will automatically strip out any spaces between the octets in the alias field, so it does not matter whether you enter the thumbprint with or without spaces.
8. Click Save to import the certificate to Keyfactor Command

Tip:  Click the help icon () next to the Add Certificate page title to open the embedded web copy of the Keyfactor Command Documentation Suite to this section.

You can also find the help icon at the top of the page next to the Log Out button. From here you can choose to open either the Keyfactor Command Documentation Suite at the home page or the Keyfactor API Endpoint Utility.