Major Release 9.0 Notes

• What problem does it solve?

  The Keyfactor Command interface should be easy to navigate and use.

• How does it work?

  As we continue to improve the Keyfactor Command interface, we’ve added updates to the navigation menu, application settings, and dialogues, as well as an updated color scheme.

• What’s the benefit?

  Ease of Use: The Keyfactor Command interface is more intuitive for new and experienced users alike.

• What problem does it solve?

  PKI A public key infrastructure (PKI) is a set of roles, policies, and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption. administrators and application owners want to easily identify risks and upcoming expirations for the certificates they have access to.

• How does it work?

  A new fixed header above the dashboard displays expiring, weak, and revoked certificates for an at-a-glance view of risks.

• What’s the benefit?

  Risk Mitigation: Enables administrators to quickly identify the state of their certificates.

• What problem does it solve?

  The current Windows Orchestrator The Windows Orchestrator, one of Keyfactor's suite of orchestrators, is used to manage synchronization of certificate authorities in remote forests, run SSL discovery and management tasks, and interact with Windows servers as well as F5 devices, NetScaler devices, Amazon Web Services (AWS) resources, and FTP capable devices, for certificate management. In addition, the AnyAgent capability of the Windows Orchestrator allows it to be extended to create custom certificate store types and management capabilities regardless of source platform or location. is only able to run on Windows systems.

• How does it work?

  The new Keyfactor Universal Orchestrator The Keyfactor Universal Orchestrator, one of Keyfactor's suite of orchestrators, is used to interact with servers and devices for certificate management, run SSL discovery and management tasks, and manage synchronization of certificate authorities in remote forests. With the addition of custom extensions, it can provide certificate management capabilities on a variety of platforms and devices (e.g. Amazon Web Services (AWS) resources, Citrix\NetScaler devices, F5 devices, IIS stores, JKS keystores, PEM stores, and PKCS#12 stores) and execute tasks outside the standard list of certificate management functions. It runs on either Windows or Linux servers or Linux containers. runs on .NET Core 3.1, which allows it to be installed on servers/instances running either Linux or Windows.

• What’s the benefit?

  Flexibility: Enables customers to deploy orchestrators in cross-platform environments.

• What problem does it solve?

  Certain customers are unable to use Keyfactor PKI as-a-Service due to security or regulatory requirements, but they’d still like to leverage a SaaS-based solution for certificate management.

• How does it work?

  The new Remote CA A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA. Gateway securely connects on-premise private PKI – Microsoft ADCS or PrimeKey EJBCA – to the Keyfactor Cloud. This allows customers to leverage Keyfactor Command as a Service (SaaS) while keeping their PKI within their datacenter.

• What’s the benefit?

  Cloud: On-premise customers now have more options to deploy Keyfactor in a SaaS model – while keeping their PKI in-house, if required.

• What problem does it solve?

  Before Keyfactor Command 9.0, Keyfactor Command did not support SSL TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are protocols for establishing authenticated and encrypted links between networked computers./TLS TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are protocols for establishing authenticated and encrypted links between networked computers. scanning on endpoints using TLS 1.3.

• How does it work?

  The Keyfactor Universal Orchestrator Keyfactor orchestrators perform a variety of functions, including managing certificate stores and SSH key stores. supports SSL/TLS scanning on endpoints using TLS 1.3.

• What’s the benefit?

  Increased Visibility: Organizations will have improved visibility over certificates.

• What problem does it solve?

  Before Keyfactor Command 9.0, certificate metadata Metadata provides information about a piece of data. It is used to summarize basic information about data, which can make working with the data easier. In the context of Keyfactor Command, the certificate metadata feature allows you to create custom metadata fields that allow you to tag certificates with tracking information about certificates. could only be applied system wide.

• How does it work?

  Now administrators can apply metadata on a per-template A certificate template defines the policies and rules that a CA uses when a request for a certificate is received. basis, which will override system-wide settings for that specific template.

• What’s the benefit?

  Control: This gives administrators more granular control for metadata in certificate enrollment Certificate enrollment refers to the process by which a user requests a digital certificate. The user must submit the request to a certificate authority (CA)..

Keyfactor Command 9.0 includes significant updates to the UI, as well as several changes to the main navigation menu and drop-downs with a focus on improved usability. Please continue reading to review and understand these changes.

Previously, the navigation menu looked like the example below:

In Keyfactor Command 9.0, the navigation menu is more concise and user-centric:

Certificates drop-down

• Add Certificate: The Add Certificate selection is now located in the Certificates tab. Previously, it was accessed via the Certificate Locations tab.

Enrollment drop-down

• Certificate Requests: This option is now found in the new Enrollment tab, rather than the Workflow A workflow is a series of steps necessary to complete a process. In the context of Keyfactor Command, it refers to the workflow builder, which allows you automate event-driven tasks when a certificate is requested or revoked. tab.

Workflow drop-down

• Revocation Monitoring: This option is now located in the Workflow tab. Previously, it was located in the PKI Management tab.

• Expiration: This selection was previously named Expiration Alerts.

• Pending Request: This selection was previously named Pending Request Alerts.

• Issued Request: This selection was previously named Issued Request Alerts.

• Denied Request: This selection was previously named Denied Request Alerts.

• Key Rotation: This selection was previously named Key Rotation Alerts.

Locations drop-down

• Certificate Stores: You will now access the Certificate Stores selection from the new Locations tab. Previously, it was accessed via the Certificate Locations tab.

• Certificate Authorities and Certificate Templates: These menu options are now found in the new Locations. Previously, they were located in the PKI Management tab.

• SSL Discovery: This selection is now located in the Locations tab. It was previously located in the Certificate Locations drop-down.

System Settings menu

• Certificate Store Types: You will now access the Certificate Store Types from the System Settings at the top-right of the screen. It was previously under Certificate Locations.

Certificate Search

• There is a new “ends with” operator. For example:

  CN -endswith "keyexample.com"

• A new advanced search option has been added of %ME-AN%. This does a search for account name without domain. For example, the following search in certificate search:

  NetBIOSRequester -contains "%ME-AN%"

  Would return certificates requested by the current user as KEYEXAMPLE\jsmith and KEYOTHER\jsmith (assuming the current user is logged in with username jsmith in some domain).

A Risk Header has been added to the Dashboard, which displays relevant information for certificates the user has permissions to. This includes a count of all active certificates, upcoming expirations, expired and revoked certificates, and weak keys (as seen below).

Now available in Keyfactor Command 9.0, the new Keyfactor Universal Orchestrator can perform many of the same functions as the legacy Windows Orchestrator, such as IIS, SSL, FTP and CA management (we will continue to expand its functionality). However, unlike the legacy Windows Orchestrator, the new Keyfactor Universal Orchestrator is able to run on both Windows and Linux servers.

The purpose of orchestrators is to perform SSL scans, manage certificate stores (both Java Key Stores and Windows Certificate Stores), run custom certificate management jobs, inventory CAs, and collect logs to be viewed in the Keyfactor Command Console.

Please review the Deprecation section for more information about the eventual deprecation of the legacy Windows Orchestrator. Refer to the Installing Orchestrators guide for more information on the new Keyfactor Universal Orchestrator.

Before Keyfactor Command 9.0, customers had the option to deploy Keyfactor Command on-premise or hosted in the cloud with a fully managed private PKI as a Service (PKIaaS). Now customers have the additional option to keep their PKI on-premise while leveraging Keyfactor Command in the cloud.

The Keyfactor Remote CA Gateway is the connection point between the new Keyfactor Command as-a-Service deployment model (aka Certificate Lifecycle Automation as a Service or CLAaaS) and a customer’s on-premise PKI behind their firewall.

The Remote CA Gateway synchronizes in real-time to provide full visibility and governance over the inventory, enrollment, issuance, revocation and renewal of certificates from your on premise CA, requiring just a single, secure API connection on port 443 back to the Keyfactor Command Cloud.

Certificate metadata fields can now be defined on a per-template basis. Before Keyfactor Command 9.0, metadata fields could only be defined as a system-wide setting.

This allows administrators to apply required, hidden or optional settings to a metadata field on a per-template basis so that only certain metadata fields will appear on certain templates.

System-wide settings for metadata fields can be overridden, so customers can choose which fields are displayed, during enrollment for a certificate, based on the template the user selects when enrolling.

Next and Previous buttons have been added to the button row at the top of each page that allow you to navigate through the pages in the documentation in order.

The mini table of contents has been updated to only display by default on pages that contain subpages. This TOC displays—with links—any pages that appear below the current page in the document structure. The TOC button can be used to close and reopen the mini table of contents. The mini table of contents will not display on pages where no subpages are present.

The TOC button now appears when the documents are used in a small browser session (e.g. on a tablet).

Pre-Installation

• If you are using the CA Policy module v7.0 on the same server that the Keyfactor Command Management Portal is installed on, you’ll need to upgrade the module to v7.1 before running the Keyfactor Command 9.0 upgrade.

• Upgrade to SQL Server 2016 CU12 or higher and adjust the database compatibility level if needed (see above).

Post-Installation

After the upgrade is complete, some settings will need to be reconfigured due to changes in the way the Keyfactor Command Console handles tasks in Keyfactor Command 9.0:

• RFC 2818 enforcement has moved from the CA to the template level since different templates have different requirements. Standalone CAs still have the RFC 2818 setting on the CA level.

• Configure template-level metadata (if desired).

• Move all Event Handler scripts to the ExtensionLibrary folder under the Keyfactor program installation directory.

• Scripted alert handlers will fail to run if not in the path (or a subdirectory of it) specified by the Extension Handler Path application setting. By default, this is “C:\Program Files\Keyfactor\Keyfactor Platform\ExtensionLibrary\”. Customers should move the scripts to this location and test them before moving to production.

• Update any monitoring or other processes that reference the log files to point to the new log file location.

• Daylight Savings Time (DST) is now shown as the time zone locale for clients using Keyfactor Command, rather than the UTC offset, which is the Microsoft CA default. This causes issues during DST to appear off by an hour, in time zones that do not have DST.

• Microsoft IIS settings to change authentication must be made manually to support the Use Active Directory Password application setting for the Keyfactor Command Management Portal.

• When using Basic Authentication, the authentication in Microsoft IIS may need to be configured manually for the KeyfactorAnalysis site.

• Authentication between the KeyfactorPortal, KeyfactorAPI, and KeyfactorAnalysis sites needs to be configured with the same authentication type, SSL, and host name.

• On the template RegEx settings, if you unselect use system-wide and do not enter a new RegEx the system-wide RegEx will still apply. To fix this, enter .* in the RegEx field to accept all values.

• When creating a new certificate store type, the Depends On Other option may not be available when creating the parameter A parameter or argument is a value that is passed into a function in an application.. The workaround is to save the certificate store type and then use Edit to update the parameter.

• Editing certificate details on a collection The certificate search function allows you to query the Keyfactor Command database for certificates from any available source based on any criteria of the certificates and save the results as a collection that will be availble in other places in the Management Portal (e.g. expiration alerts and certain reports). for a CA, while an initial sync is running on the CA, will cause inaccurate numbers to display in the Edit All window.

• If a CA is not scheduled to sync under Locations, it will not appear in lists to select for things like inclusion in Dashboards and Reports.

• Syncing an Issuing CA before syncing its parents in the chain causes Keyfactor Command to show the wrong requester for the chain certificates.

Keyfactor Command cannot support a CA in the local forest An Active Directory forest (AD forest) is the top most logical container in an Active Directory configuration that contains domains, and objects such as users and computers., with the same NetBIOS name as a CA in a trusted forest.

• Running large SSL scans can impact Keyfactor Command application performance, if the Windows Agent/Orchestrator performing the scan is installed on the same server as the Keyfactor Command portal.

• If you receive an error when opening the portal that “the underlying connection was closed” please be sure you have the latest Windows Updates installed.

• In Windows, drive mapping is done on a per-user basis. If you would like scheduled reports to be saved to a mapped drive, the timer service account needs to have that mapping created for them beforehand.

• Exporting a report to Microsoft Excel can fail with a 401 error in Microsoft Edge. Chrome or Firefox can successfully export to Excel. This problem is being worked on by the reporting engine vendor (Logi Analytics).

• Users configured for Logi Analytics reporting cannot have double quotes in the password field.

• The GET/Certificates API endpoint has a known issue where if a collection ID is not supplied the request fails. This will be fixed in an incremental release. The workaround in the meantime is to provide a collection ID of zero.

• Occasionally, the “Please Wait” message will hang. Control + F5 will fix this.

• There is an issue where the Universal Orchestrator is missing a task category in the Windows Event Log and instead reporting a task category of “(16)”. This will be fixed in a future release.

• The new Keyfactor Universal Orchestrator provides much of the same functionality as the legacy Windows Orchestrator (see table below).

  Table 836: Keyfactor Universal Orchestrator vs Windows Orchestrator Capabilities

  Capabilities	Windows Orchestrator	Universal Orchestrator
  IIS Management
  CA Synchronization
  SSL/TLS Discovery
  FTP
  F5 (SOAP/REST)
  AWS
  NetScaler
  Fetch Logs (new)

  New capabilities will be added to the Keyfactor Universal Orchestrator in a future release as we phase out use of the existing Windows Orchestrator over time.