Certificate Stores
Certificate Stores
The certificate store feature in Keyfactor Command allows you to search for and inventory certificates from multiple types of certificate stores, import the certificates found in them into the Keyfactor Command database, add new certificates to the stores, and remove certificates from them. This feature uses Keyfactor orchestrators to communicate with the Keyfactor Command server. This section of the documentation describes the management tasks that can be done through the Management Portal. For information about installing and configuring orchestrators, see the
Certificate stores are managed by configuring the store locations through the Management Portal, assigning an inventory schedule, and optionally assigning stores to containers (groups) for ease of management. You can create records for stores in the Management Portal manually or by using the discovery feature (Java keystore, PEM A PEM format certificate file is a base64-encoded certificate. Since it's presented in ASCII, you can open it in any text editor. PEM certificates always begin and end with entries like ---- BEGIN CERTIFICATE---- and ----END CERTIFICATE----. PEM certificates can contain a single certificate or a full certifiate chain and may contain a private key. Usually, extensions of .cer and .crt are certificate files with no private key, .key is a separate private key file, and .pem is both a certificate and private key., and F5 REST only among the built-in stores—custom modules used by the AnyAgent The AnyAgent, one of Keyfactor's suite of orchestrators, is used to allow management of certificates regardless of source or location by allowing customers to implement custom agent functionality via an API. framework may support discovery).
Managing certificate store requires that an appropriate instance of a Keyfactor orchestrator Keyfactor orchestrators perform a variety of functions, including managing certificate stores and SSH key stores. is running in the environment and has been approved in the Management Portal (see Orchestrator Management). Java and PEM certificate stores can be managed with an instance of the Keyfactor Java Agent The Java Agent, one of Keyfactor's suite of orchestrators, is used to perform discovery of Java keystores and PEM certificate stores, to inventory discovered stores, and to push certificates out to stores as needed. running on the machine where the Java and PEM certificate stores are located. Amazon Web Services (AWS), F5, File Transfer Protocol (FTP), and NetScaler certificate store can be management with the Keyfactor Universal Orchestrator The Keyfactor Universal Orchestrator, one of Keyfactor's suite of orchestrators, is used to interact with Windows servers (a.k.a. IIS certificate stores) and FTP capable devices for certificate management, run SSL discovery and management tasks, and manage synchronization of certificate authorities in remote forests. With the addition of custom extensions, it can run custom jobs to provide certificate management capabilities on a variety of platforms and devices (e.g. F5 devices, NetScaler devices, Amazon Web Services (AWS) resources) and execute tasks outside the standard list of certificate management functions. It runs on either Windows or Linux.1 or Windows Orchestrator The Windows Orchestrator, one of Keyfactor's suite of orchestrators, is used to manage synchronization of certificate authorities in remote forests, run SSL discovery and management tasks, and interact with Windows servers as well as F5 devices, NetScaler devices, Amazon Web Services (AWS) resources, and FTP capable devices, for certificate management. In addition, the AnyAgent capability of the Windows Orchestrator allows it to be extended to create custom certificate store types and management capabilities regardless of source platform or location. running in a network location that has access to both the Keyfactor Command server and the internet (AWS) or the FTP, F5 or NetScaler machine(s) or device(s). Managing IIS certificate stores requires an instance of the Keyfactor Universal Orchestrator or Windows Orchestrator running on a domain-joined server in the same AD forest An Active Directory forest (AD forest) is the top most logical container in an Active Directory configuration that contains domains, and objects such as users and computers. as the IIS server(s) and the Keyfactor Command server.
Once your certificate stores have been inventoried and their certificates imported into Keyfactor Command, you can use the standard Management Portal features for managing certificates—such as Expiration Alerts (see Expiration Alerts)—to manage the certificates from the certificate store locations even if the certificates were not generated by your Keyfactor Command configured CAs.
Most certificate store types can use Privileged Access Management (PAM) or Keyfactor Secrets to manage passwords on the certificate stores. Certificate store types not supported for this include PEM, IIS Personal, IIS Revoked, and IIS Trusted Roots (because these stores do not require storage of a password).
This section uses the following terminology for F5 and IIS certificate stores:
F5 CA Bundles REST
Certificates and keys for the F5 CA Bundles REST are those found within F5 Bundles. Note that the ca-bundle cannot be managed with Keyfactor Command, as it is protected and managed directly by F5. Only the Include Bundles may be managed with this option. This option uses the F5 iControl REST API. It is intended to be used with BIG-IP versions 13 and later. The F5 CA Bundles REST option supports certificate discovery on the F5 device and F5 high availability. F5 SSL Profiles
Certificates and keys for the F5 SSL Profiles are those used by any applications configured for use by the F5 device. These are certificates that are available in the F5 interface as the SSL certificate list. This option uses the F5 SOAP API. It is intended to be used with BIG-IP version 12. F5 SSL Profiles REST
Certificates and keys for the F5 SSL Profiles REST are those used by any applications configured for use by the F5 device. These are certificates that are available in the F5 interface as the SSL certificate list. This option uses the F5 iControl REST API. It is intended to be used with BIG-IP versions 13 and later. The REST version of F5 SSL Profiles supports certificate discovery on the F5 device and F5 high availability. F5 Web Server
Certificates and keys for the F5 Web Server are those used by the device itself for the F5 portal and the SOAP API. This certificate is referred to as the device certificate within the F5 interface. This option uses the F5 SOAP API. It is intended to be used with BIG-IP version 12. |
F5 Web Server REST
Certificates and keys for the F5 Web Server REST are those used by the device itself for the F5 portal and the API. This certificate is referred to as the device certificate within the F5 interface. This option uses the F5 iControl REST API. It is intended to be used with BIG-IP versions 13 and later. The F5 Web Server REST option supports F5 high availability. IIS Revoked
The Untrusted Certificates store of the local computer. IIS Trusted Roots
The Trusted Root Certification Authorities store of the local computer. IIS Personal
The Personal store of the local computer. |
You can also find the help icon at the top of the page next to the Log Out button. From here you can choose to open either the Keyfactor Command Documentation Suite at the home page or the Keyfactor API Endpoint Utility.