Certificate Stores

The certificate store feature in Keyfactor Command allows you to search for and inventory certificates from multiple types of certificate stores, import the certificates found in them into the Keyfactor Command database, add new certificates to the stores, and remove certificates from them. This feature uses Keyfactor orchestrators to communicate with the Keyfactor Command server. This section of the documentation describes the management tasks that can be done through the Management Portal. For information about installing and configuring orchestrators, see the Installing Orchestrators guide.

Certificate stores are managed by configuring the store locations through the Management Portal, assigning an inventory schedule, and optionally assigning stores to containers (groups) for ease of management. You can create records for stores in the Management Portal manually or by using the discovery feature (Java keystore, PEMClosed A PEM format certificate file is a base64-encoded certificate. Since it's presented in ASCII, you can open it in any text editor. PEM certificates always begin and end with entries like ---- BEGIN CERTIFICATE---- and ----END CERTIFICATE----. PEM certificates can contain a single certificate or a full certifiate chain and may contain a private key. Usually, extensions of .cer and .crt are certificate files with no private key, .key is a separate private key file, and .pem is both a certificate and private key., and F5 REST only among the built-in stores—custom modules used by the AnyAgentClosed The AnyAgent, one of Keyfactor's suite of orchestrators, is used to allow management of certificates regardless of source or location by allowing customers to implement custom agent functionality via an API. framework may support discovery).

Managing certificate store requires that an appropriate instance of a Keyfactor orchestratorClosed Keyfactor orchestrators perform a variety of functions, including managing certificate stores and SSH key stores. is running in the environment and has been approved in the Management Portal (see Orchestrator Management). Java and PEM certificate stores can be managed with an instance of the Keyfactor Java AgentClosed The Java Agent, one of Keyfactor's suite of orchestrators, is used to perform discovery of Java keystores and PEM certificate stores, to inventory discovered stores, and to push certificates out to stores as needed. running on the machine where the Java and PEM certificate stores are located. Amazon Web Services (AWS), F5, File Transfer Protocol (FTP), and NetScaler certificate store can be management with the Keyfactor Universal OrchestratorClosed The Keyfactor Universal Orchestrator, one of Keyfactor's suite of orchestrators, is used to interact with Windows servers (a.k.a. IIS certificate stores) and FTP capable devices for certificate management, run SSL discovery and management tasks, and manage synchronization of certificate authorities in remote forests. With the addition of custom extensions, it can run custom jobs to provide certificate management capabilities on a variety of platforms and devices (e.g. F5 devices, NetScaler devices, Amazon Web Services (AWS) resources) and execute tasks outside the standard list of certificate management functions. It runs on either Windows or Linux.1 or Windows OrchestratorClosed The Windows Orchestrator, one of Keyfactor's suite of orchestrators, is used to manage synchronization of certificate authorities in remote forests, run SSL discovery and management tasks, and interact with Windows servers as well as F5 devices, NetScaler devices, Amazon Web Services (AWS) resources, and FTP capable devices, for certificate management. In addition, the AnyAgent capability of the Windows Orchestrator allows it to be extended to create custom certificate store types and management capabilities regardless of source platform or location. running in a network location that has access to both the Keyfactor Command server and the internet (AWS) or the FTP, F5 or NetScaler machine(s) or device(s). Managing IIS certificate stores requires an instance of the Keyfactor Universal Orchestrator or Windows Orchestrator running on a domain-joined server in the same AD forestClosed An Active Directory forest (AD forest) is the top most logical container in an Active Directory configuration that contains domains, and objects such as users and computers. as the IIS server(s) and the Keyfactor Command server.

Once your certificate stores have been inventoried and their certificates imported into Keyfactor Command, you can use the standard Management Portal features for managing certificates—such as Expiration Alerts (see Expiration Alerts)—to manage the certificates from the certificate store locations even if the certificates were not generated by your Keyfactor Command configured CAs.

Most certificate store types can use Privileged Access Management (PAM) or Keyfactor Secrets to manage passwords on the certificate stores. Certificate store types not supported for this include PEM, IIS Personal, IIS Revoked, and IIS Trusted Roots (because these stores do not require storage of a password).

Tip:  Click the help icon () next to the Certificate Stores page title to open the embedded web copy of the Keyfactor Command Documentation Suite to this section.

You can also find the help icon at the top of the page next to the Log Out button. From here you can choose to open either the Keyfactor Command Documentation Suite at the home page or the Keyfactor API Endpoint Utility.