Keyfactor CA Policy Module
The Keyfactor CA Policy Module includes four certificate authority policy handlers that can be used to alter or restrict the functionality of a Microsoft certificate authority. The policy handlers are installed on the Microsoft CA and enabled through the Microsoft CA properties page. The available policy handlers are:
Automate inclusion of a DNS SAN matching the CN of the requested certificate in certificate enrollments for a defined set of CA templates.
Allow the addition of SANs not included in the CSR when making a CSR enrollment request. The added SANs will overwrite any existing SANs in the CSR. This functionality is the same as that seen with the Microsoft default policy module for the CA as a whole when the CA EDITF_ATTRIBUTESUBJECTALTNAME2 flag is set, except that the SAN Attribute Policy Handler provides the ability to control SAN addition on a template-by-template basis without the need to enable the Microsoft CA EDITF_ATTRIBUTESUBJECTALTNAME2 flag.
Allow secure control of on-device key generation during certificate enrollment for iOS and Mac devices.
Enforce that certificate requests for a given template or templates can only be initiated from a given computer or set of computers.
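Because the SAN Attribute Policy Handler removes the need for the CA-wide EDITF_ATTRIBUTESUBJECTALTNAME2 flag, it is worth confirming that the flag is actually cleared on the CA. The following audit script is an added example, not Keyfactor code; it assumes the standard AD CS registry layout under `CertSvc\Configuration` and the flag value 0x00040000 from the Windows SDK header `certsrv.h`, and it does not read any settings the Keyfactor module stores itself.

```powershell
# Added example: report whether EDITF_ATTRIBUTESUBJECTALTNAME2 is set CA-wide.
# Run in an elevated PowerShell session on the Microsoft CA server.

# Bit value of EDITF_ATTRIBUTESUBJECTALTNAME2 (certsrv.h).
$SanFlag = 0x00040000

# Standard AD CS configuration root; the "Active" value names the CA on this host.
$configRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName     = (Get-ItemProperty -Path $configRoot -Name Active).Active

# Check every registered policy module key, since the flag is stored per policy
# module and more than one module may be registered on the CA.
$results = Get-ChildItem -Path (Join-Path $configRoot "$caName\PolicyModules") |
    ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        if ($null -eq $props.EditFlags) { return }   # module has no EditFlags value

        [pscustomobject]@{
            CA           = $caName
            PolicyModule = $_.PSChildName
            EditFlags    = '0x{0:X8}' -f $props.EditFlags
            SanFlagSet   = (($props.EditFlags -band $SanFlag) -ne 0)
        }
    }

$results | Format-Table -AutoSize

# Flag any module where requester-supplied SAN attributes are accepted CA-wide.
$flagged = @($results | Where-Object { $_.SanFlagSet })
if ($flagged.Count -gt 0) {
    Write-Warning ("EDITF_ATTRIBUTESUBJECTALTNAME2 is set on: " +
                   (($flagged | ForEach-Object { $_.PolicyModule }) -join ', '))
    # To clear it on the active policy module, then restart the CA service:
    #   certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2
    #   Restart-Service CertSvc
} else {
    Write-Output 'EDITF_ATTRIBUTESUBJECTALTNAME2 is not set on any policy module.'
}
```

`certutil -getreg policy\EditFlags` shows the same value for the active policy module, with the set flags decoded by name.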