Certificate Authorities
Your Microsoft and EJBCA certificate authorities (CAs) are defined in the Management Portal to support synchronization to the Keyfactor Command database and certificate enrollment. Microsoft CAs in the local Active Directory forest in which Keyfactor Command is installed, or in a forest with a two-way trust to this forest, may be imported from Active Directory or manually configured. Other Microsoft CAs and EJBCA CAs need to be manually configured. During initial provisioning, any domain-joined Microsoft CAs in the primary Active Directory forest will be imported automatically by the Keyfactor Command configuration wizard.
CAs that need to be added manually include:
- A domain-joined enterprise or standalone Microsoft CA in a forest with a one-way trust (either direction) with the forest in which Keyfactor Command is installed
- A domain-joined enterprise or standalone Microsoft CA in a forest that has no trust with the forest in which Keyfactor Command is installed
- An EJBCA CA
- A non-domain-joined standalone Microsoft CA
- A Keyfactor CA gateway in the forest in which Keyfactor Command is installed that has not been registered in Active Directory. CA gateways are used to access cloud certificate providers (e.g. the Entrust CA Gateway) or to support Microsoft or EJBCA CAs in remote or cloud environments (e.g. the Cross-Forest Gateway).
  Note: Keyfactor CA gateways are not supported in any configuration other than in the same forest in which Keyfactor Command is installed.
- An on-premise Microsoft CA accessed via the Keyfactor CA Management Gateway using a managed instance of Keyfactor Command. The Keyfactor CA Management Gateway is made up of the Keyfactor Gateway Connector, installed in the customer forest to provide a connection to the local CA, and the Azure-hosted, Keyfactor-managed Hosted Configuration Portal. The solution connects a customer's on-premise CA to an Azure-hosted instance of Keyfactor Command for synchronization, enrollment, and management of certificates.
- An on-premise EJBCA CA accessed via the Keyfactor CA Management Gateway using a managed instance of Keyfactor Command
- A Microsoft CA accessed via the Keyfactor Universal Orchestrator
  Note: You must install and configure the Keyfactor Universal Orchestrator on a machine in the same forest where the Microsoft CA resides, configure it with CA Support, and approve the orchestrator in the Management Portal before creating the CA record.
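To check which CAs Keyfactor Command can import from Active Directory and which fall into the manual list above, the following added PowerShell example (not Keyfactor's own code) enumerates the enterprise CAs registered in the current forest's Configuration partition and lists the forest's trust relationships with their direction. It assumes a domain-joined Windows host in the forest where Keyfactor Command is installed and uses only the built-in .NET DirectoryServices classes.

```powershell
# Added example (not Keyfactor code): list the Microsoft CAs registered in Active Directory
# for the current forest, then show the forest trusts that decide whether CAs in other
# forests can also be imported. Assumes a domain-joined Windows host; no RSAT module needed.

# 1. Enterprise CAs publish a pKIEnrollmentService object under the Configuration partition.
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = $rootDse.configurationNamingContext.Value
$esPath   = "LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNc"

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]$esPath
$searcher.Filter     = "(objectClass=pKIEnrollmentService)"
[void]$searcher.PropertiesToLoad.AddRange(@("cn", "dNSHostName", "certificateTemplates"))

Write-Host "CAs registered in Active Directory (candidates for automatic import):"
foreach ($r in $searcher.FindAll()) {
    $p = $r.Properties
    # Logical CA name, the host that serves it, and how many templates it is configured to issue.
    "{0}\{1}  templates={2}" -f $p["dnshostname"][0], $p["cn"][0], $p["certificatetemplates"].Count
}
# A standalone CA, a non-domain-joined CA, or a CA gateway not registered in AD will not
# appear here and must be added manually in the Management Portal.

# 2. Trust direction: only a two-way (bidirectional) forest trust allows import from AD;
#    a one-way trust in either direction means the CA must be configured manually.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
Write-Host "`nForest trusts from $($forest.Name):"
foreach ($t in $forest.GetAllTrustRelationships()) {
    $mode = if ($t.TrustDirection -eq 'Bidirectional') { 'import from AD possible' } else { 'manual configuration' }
    "{0,-30} {1,-14} -> {2}" -f $t.TargetName, $t.TrustDirection, $mode
}
```

Run it as a user that can read the Configuration partition (any authenticated domain user can, by default) and compare the first list against the CAs shown in the Management Portal after the configuration wizard has run.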
The majority of CA-related functions within Keyfactor Command are supported by both EJBCA and Microsoft CAs. Table 14: CA Function Matrix includes a list of CA-related functions and the support provided by EJBCA and Microsoft CAs.
| CA Function | EJBCA CA | Microsoft CA |
|---|---|---|
| CA Synchronization | | |
| Template¹ Import | | |
| CA Threshold Monitoring (Issuance) | | |
| CA Threshold Monitoring (Failures) | | |
| CA Health Monitoring | | |
| Certificate Enrollment (PFX) | | |
| Certificate Enrollment (CSR) | | |
| Certificate Revocation | | |
| CRL Publishing Following Certificate Revocation | | |
| Keyfactor Command Private Key Retention and Key Recovery | | |
| CA-Level Key Archiving (* no longer supported as of Keyfactor Command v10) | | |
| CA-Level Key Recovery | | |
| Approvals in Workflow Builder | | |
| CA-Level Approvals with Pending, Issued and Denied Alerts | | |
| Supports use of Restrict Allowed Requesters for access control | | |
| Requires use of Restrict Allowed Requesters for access control | | |
| Requests to the CA can be done in the context of the user initiating the request | | |
| Requests to the CA can be done in the context of a single service account² | | |
| Supports use of Universal Orchestrator to access remote CA | | |