Installing the Keyfactor CA Policy Module Handlers

These steps only need to be completed if your Keyfactor Command license includes the Keyfactor CAClosed A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA. Policy Module and you plan to use this feature and one or more of its policy handlers. Review the policy handlers to determine if one or more of them meets a need in your environment.

Important:  For a CA Clustered solution, if the Keyfactor CA Policy Module is installed on a node then configured, then failed over to another node, this will corrupt the check point key. The module must be installed on BOTH nodes, configured on one node, then failed over to the other node.

The available policy handlers are:

The processing order of the handlers currently available in the Keyfactor CA Policy Module, when used together on the same machine, is significant for some handlers and not others. Specifically, the processing order is not significant for the vSCEP™ Policy Handler and Machine Whitelist Policy handler. These handlers may be placed anywhere within the list of handlers. However, the processing order does matter for the SAN Attribute Policy Handler and the RFC 2818 Policy Handler. When these two handlers are used together, the SAN Attribute Policy Handler must be placed on the list above the RFC 2818 Policy Handler to allow the SAN Attribute Policy Handler to be processed before the RFC 2818 Policy Handler. This is because the SAN Attribute Policy Handler removes any existing SANs on the enrollment request and replaces them with those specified in the request outside of the CSR—such as those entered in the optional SAN section on the CSR page of the Keyfactor Command Management Portal. This includes any SANs added by the RFC 2818 Policy Handler.

Figure 540: Keyfactor CA Policy Module Policy Module Handler Ordering

When the Keyfactor CA Policy Module is used, the policy module listed on the Default Policy tab of the Policy Module Configuration Properties dialog is run first when a request reaches the CA. This default policy might be the standard Windows default, as shown Figure 541: Default Policy Module, or it might be another non-built-in policy module, such as the Microsoft FIM CM Policy Module. After the default policy module runs, the Loaded Handlers on the Custom Handlers tab of the Policy Module Configuration Properties dialog are run in the order listed (top to bottom). After all the handlers have been run, the result (approved, denied, or marked as pending) is returned to the CA for processing.

Figure 541: Default Policy Module

Tip:  Once the installation is complete, the configuration options for the policy handlers can be found in the registry on the CA in the following paths (where CA_LOGICAL_NAME is the logical nameClosed The logical name of a CA is the common name given to the CA at the time it is created. For Microsoft CAs, this name can be seen at the top of the Certificate Authority MMC snap-in. It is part of the FQDN\Logical Name string that is used to refer to CAs when using command-line tools and in some Keyfactor Command configuration settings (e.g. ca2.keyexample.com\Corp Issuing CA Two). of the local CA):
HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ services\ CertSvc\ Configuration\ CA_LOGICAL_NAME\ PolicyModules\ CMS_Custom.Policy\ PolicyHandlers\ RFC2818.PolicyHandler
HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ services\ CertSvc\ Configuration\ CA_LOGICAL_NAME\ PolicyModules\ CMS_Custom.Policy\ PolicyHandlers\ SANAttribute.PolicyHandler
HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ services\ CertSvc\ Configuration\ CA_LOGICAL_NAME\ PolicyModules\ CMS_Custom.Policy\ PolicyHandlers\ CMSWhitelist.PolicyHandler
Important:  These registry keys should not be modified without advice from Keyfactor support.