Certificate Authorities

Your Microsoft and EJBCA certificate authorities (CAs) are defined in the Management Portal to support synchronization to the Keyfactor Command database and support enrollmentClosed Certificate enrollment refers to the process by which a user requests a digital certificate. The user must submit the request to a certificate authority (CA).. Microsoft CAs in the local forestClosed An Active Directory forest (AD forest) is the top most logical container in an Active Directory configuration that contains domains, and objects such as users and computers. in which Keyfactor Command is installed or in a forest in a two-way trust with this forest may be imported from Active Directory or manually configured. Other Microsoft CAs and EJBCA CAs need to be manually configured. During initial provisioning, any domain-joined Microsoft CAs in the primary Active Directory forest will be imported automatically by the Keyfactor Command configuration wizard.

Important:  In order for CAs to successfully synchronize to the Keyfactor Command database and perform other functions (e.g. enrollment), the service account under which Keyfactor Command is making the request to the CAClosed A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA. must be granted appropriate permission to the CA database as per Grant the Keyfactor Command Users and Service Account(s) Permissions on the CAs in the Keyfactor Command Server Installation Guide.

CAs that need to be configured manually include:

The majority of CA-related functions within Keyfactor Command are supported by both EJBCA and Microsoft CAs. Table 16: CA Function Matrix includes a list of CA-related functions and the support provided by EJBCA and Microsoft CAs.

Important:  EJBCA integration with Keyfactor Command requires EJBCA version 7.8.1 or higher.

Table 16: CA Function Matrix

 

EJBCA CA

Microsoft CA

CA Synchronization
Template1 Import
CA Threshold Monitoring (Issuance)
CA Threshold Monitoring (Failures)  
CA Health Monitoring
Certificate Enrollment (PFX)
Certificate Enrollment (CSR)
Certificate Revocation
CRL Publishing Following Certificate Revocation
Keyfactor Command Private Key Retention and Key Recovery
CA-Level Key Archiving (* no longer supported as of Keyfactor Command v10)    
CA-Level Key Recovery  
Approvals in Workflow Builder
CA-Level Approvals with Pending, Issued and Denied Alerts  
Supports use of Restrict Allowed Requesters for access control
Requires use of Restrict Allowed Requesters for access control  
Requests to the CA can be done in the context of the user initiating the request  
Requests to the CA can be done in the context of a single service account2
Supports use of Universal Orchestrator to access remote CA  
Tip:  Click the help icon () next to the Certificate Authorities page title to open the embedded web copy of the Keyfactor Command Documentation Suite to this section.

You can also find the help icon at the top of the page next to the Log Out button. From here you can choose to open either the Keyfactor Command Documentation Suite at the home page or the Keyfactor API Endpoint Utility.