The Keyfactor Universal Orchestrator
The Keyfactor Universal Orchestrator, one of Keyfactor's suite of orchestrators, is used to interact with servers and devices for certificate management, run SSL discovery and management tasks, and manage synchronization of certificate authorities in remote forests. With the addition of custom extensions, it can provide certificate management capabilities on a variety of platforms and devices (e.g. Amazon Web Services (AWS) resources, Citrix\NetScaler devices, F5 devices, IIS stores, JKS keystores, PEM stores, and PKCS#12 stores) and execute tasks outside the standard list of certificate management functions. It runs on either Windows or Linux servers or Linux containers. is designed to run jobs at the request of the Keyfactor Command server. Jobs primarily perform certificate management tasks, but other types of operations are also supported. The orchestrator Keyfactor orchestrators perform a variety of functions, including managing certificate stores and SSH key stores. operates as a .NET Core based service on a Windows server, Linux server, or in a Linux container and communicates with a Keyfactor Command server to receive job tasks and report job results. Along with the job results, data can be returned to the Keyfactor Command server and stored in the Keyfactor Command SQL database. Extensions are hosted by the orchestrator and implement the jobs to be executed.
The orchestrator includes these built-in extensions:
- Discover and monitor certificates at TLS TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are protocols for establishing authenticated and encrypted links between networked computers. 1.3 endpoints either within the local network or across the internet using any of the 5 ciphersuites mentioned in appendix B.4 of RFC 8446. Certificates from the results of SSL TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are protocols for establishing authenticated and encrypted links between networked computers. discovery and monitoring are imported into Keyfactor Command for viewing, reporting and alerting purposes. Scanning using server name indication Server name indication (SNI) is an extension to TLS that provides for including the hostname of the target server in the initial handshake request to allow the server to respond with the correct SSL certificate or allow a proxy to forward the request to the appropriate target. (SNI Server name indication (SNI) is an extension to TLS that provides for including the hostname of the target server in the initial handshake request to allow the server to respond with the correct SSL certificate or allow a proxy to forward the request to the appropriate target.) is supported.
- Retrieve logs generated on the orchestrator via the Keyfactor Command Management Portal. This task returns up to 2 MB of log data from the end of the orchestrator log file to be viewed in the Management Portal. This features is supported only on full server installations.
- Manage certificates from remote Microsoft Certificate Authorities (CAs) using the Management Portal. Certificates from remote CAs can be imported into Keyfactor Command for viewing, reporting and alerting purposes. This feature is supported only on Windows installations.
If the remote CA
A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA. is domain-joined to a domain in the remote forest An Active Directory forest (AD forest) is the top most logical container in an Active Directory configuration that contains domains, and objects such as users and computers., the Universal Orchestrator may be installed on the CA itself or on a separate server joined to a domain in the same forest (generally a server in the same domain as the CA). Multiple CAs in the same remote forest can be managed with a single Universal Orchestrator server. However, if the remote CA is not domain-joined, the Universal Orchestrator must be installed on the remote CA server.Note: The Universal Orchestrator does not support certificate enrollment Certificate enrollment refers to the process by which a user requests a digital certificate. The user must submit the request to a certificate authority (CA). for remote CAs. If you need this capability, you will need to use the Explicit Credentials option in the Management Portal CA configuration (see Adding or Modifying a CA Record).
In addition, two types of custom extensions are supported:
-
Manage and deliver certificates to certificate stores on various platforms and devices using custom certificate store types and orchestrator jobs in the Keyfactor Command Management Portal. Custom extensions may be developed by Keyfactor or end users. Keyfactor offers several publicly available custom extensions for the Universal Orchestrator in the Keyfactor GitHub:
With the custom extensions available from the Keyfactor GitHub, you can manage Windows certificate stores (IIS), JKS
A Java KeyStore (JKS) is a file containing security certificates with matching private keys. They are often used by Java-based applications for authentication and encryption. stores, PEM A PEM format certificate file is a base64-encoded certificate. Since it's presented in ASCII, you can open it in any text editor. PEM certificates always begin and end with entries like ---- BEGIN CERTIFICATE---- and ----END CERTIFICATE----. PEM certificates can contain a single certificate or a full certifiate chain and may contain a private key. Usually, extensions of .cer and .crt are certificate files with no private key, .key is a separate private key file, and .pem is both a certificate and private key. stores, F5 devices, Citrix NetScaler devices, AWS resources and more (see Installing Custom-Built Extensions).For more information about custom extensions, contact your Keyfactor representative.
- Run custom jobs on the orchestrator that fall outside the standard certificate management tasks. With custom jobs, you can perform operations locally on the orchestrator—or initiate them remotely across the network—and then report results back to Keyfactor Command along with data collected from the jobs, if any.