Certificate Store Discovery

To use the certificate store discovery feature:

1. In the Management Portal, browse to Locations > Certificate Stores.
2. On the Certificate Store page, select the Discover tab.
3. On the Discover tab, click Schedule.

4. In the Schedule Discovery dialog, select the type of certificate store job in the Category dropdown. The values that appear here are the display names for the built-in certificate store types and any custom certificate store types you entered to match your custom extensions.

   

   Figure 246: Schedule Java Keystore Discover Job for Remote File Extension

   

   Figure 247: Schedule F5 SSL Discover Job for F5 Extension

5. In the Orchestrator field, select the fully qualified domain name of the approved Keyfactor Universal Orchestrator managing the scanning. This field is required.
6. In the Schedule dropdown, select either Immediate, to run the discover job within a few minutes of saving it, or Exactly Once, to select a date and time for the job. The default is Immediate.
7. In the Client Machine field, enter the fully qualified domain name or IP address of the target server or device to be scanned.

8. Click Set Server Username and, in the Server Username dialog, choose the source from which to load a user valid on the target server or device with sufficient permissions to read the store locations and open files (for F5 this should be Administrator permissions). In the Server Username dialog, the options are Load From Keyfactor Secrets or Load From PAM Provider. The No Value option is typically not supported for remote file targets and F5 devices.

   Note:  Although a user with Resource Administrator permissions is sufficient when using the F5 methods that use the SOAP API A set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command., the F5 methods that use the REST API require full Administrator permissions.

   A Keyfactor secret is a user-defined password or other information that is encrypted and stored securely in the Keyfactor Command database. Although Keyfactor recommends using Privileged Access Management (see Privileged Access Management (PAM)) as a more secure solution to secure information, Keyfactor Secret is an option for customers that do not already have a relationship with a PAM provider such as CyberArk or Delinea.

   Important:  Keyfactor highly recommends that you use strong passwords for any accounts or certificates related to Keyfactor Command and associated products, especially when these have elevated or administrative access. A strong password has at least 12 characters (more is better) and multiple character classes (lowercase letters, uppercase letters, numeral, and symbols). Ideally, each password would be randomly generated. Avoid password re-use.

   Select the Load From Keyfactor Secrets radio button as the Secret Source if you want Keyfactor Command to encrypt and store the password in the Keyfactor Command database. Enter and confirm a password.

   Select the Load from PAM Provider radio button as the Secret Source if you want to store the password in a supported third-party PAM solution (see Privileged Access Management (PAM)). The remaining fields on the dialog will vary depending on the PAM provider. For example:

   CyberArk

   Select your CyberArk provider in the Providers dropdown if your PAM provider is CyberArk (see Adding or Modifying a PAM Provider). The remaining fields in the dialog will then be:

   • Safe—The name of the safe the credential resides in.
   • Object—The name of the username or password object in the safe.
   • Folder—The path and name of the folder that stores the object (e.g. Root or Root\MyDir).
   Delinea

   Select your Delinea provider in the Providers dropdown if your PAM provider is Delinea (see Adding or Modifying a PAM Provider). The remaining field in the dialog will then be:

   • Secret Server Secret ID—The numeric ID of the secret to retrieve from Secret Server.
   • Secret Field Name—The name of the field to use when retrieving a secret form Secret Server.
   Hashicorp

   Select your Hashicorp Vault provider in the Providers dropdown if your PAM provider is Hashicorp Vault (see Adding or Modifying a PAM Provider). The remaining field in the dialog will then be:

   • KV Secret Key—The key of the secret to retrieve from the Hashicorp Vault.
   • KV Secret Name—The name of the secret to retrieve from the Hashicorp Vault.

9. Click Set Server Password and, in the Server Password dialog, choose the source from which to load the password for the user specified with Set Server Username. In the Server Password dialog, the options are Load From Keyfactor Secrets or Load From PAM Provider. The No Value option is typically not supported for remote file targets and F5 devices.

   A Keyfactor secret is a user-defined password or other information that is encrypted and stored securely in the Keyfactor Command database. Although Keyfactor recommends using Privileged Access Management (see Privileged Access Management (PAM)) as a more secure solution to secure information, Keyfactor Secret is an option for customers that do not already have a relationship with a PAM provider such as CyberArk or Delinea.

   Important:  Keyfactor highly recommends that you use strong passwords for any accounts or certificates related to Keyfactor Command and associated products, especially when these have elevated or administrative access. A strong password has at least 12 characters (more is better) and multiple character classes (lowercase letters, uppercase letters, numeral, and symbols). Ideally, each password would be randomly generated. Avoid password re-use.

   Select the Load From Keyfactor Secrets radio button as the Secret Source if you want Keyfactor Command to encrypt and store the password in the Keyfactor Command database. Enter and confirm a password.

   Select the Load from PAM Provider radio button as the Secret Source if you want to store the password in a supported third-party PAM solution (see Privileged Access Management (PAM)). The remaining fields on the dialog will vary depending on the PAM provider. For example:

   CyberArk

   Select your CyberArk provider in the Providers dropdown if your PAM provider is CyberArk (see Adding or Modifying a PAM Provider). The remaining fields in the dialog will then be:

   • Safe—The name of the safe the credential resides in.
   • Object—The name of the username or password object in the safe.
   • Folder—The path and name of the folder that stores the object (e.g. Root or Root\MyDir).
   Delinea

   Select your Delinea provider in the Providers dropdown if your PAM provider is Delinea (see Adding or Modifying a PAM Provider). The remaining field in the dialog will then be:

   • Secret Server Secret ID—The numeric ID of the secret to retrieve from Secret Server.
   • Secret Field Name—The name of the field to use when retrieving a secret form Secret Server.
   Hashicorp

   Select your Hashicorp Vault provider in the Providers dropdown if your PAM provider is Hashicorp Vault (see Adding or Modifying a PAM Provider). The remaining field in the dialog will then be:

   • KV Secret Key—The key of the secret to retrieve from the Hashicorp Vault.
   • KV Secret Name—The name of the secret to retrieve from the Hashicorp Vault.

10. In the Directories to search field, specify the directory or directories to search. Multiple directories should be separated by commas. The data to enter here will vary depending on the certificate store(s) being discovered. For Keyfactor GitHub extensions, check the extension documentation for more information. This field is required.

    In general:

    • Java, PEM, PKCS12, DER, IMB

      Enter at a minimum either "/" for a Linux server or "c:\" for a Windows server (without the quotation marks).

    • F5

      Enter "/" (without the quotation marks). (This field is required but ignored by the discovery job for F5, so any value entered here will do.)

11. Populate the remaining optional fields as needed. See Table 16: Discovery Options.
12. Click Save to schedule the discovery task. Once the scan begins, it may take several minutes to complete.
13. Return to the Discover tab for the results of the scan. Check the Orchestrator Jobs page (see Orchestrator Job Status) to review jobs in progress.

To manage discovered certificate stores:

1. In the Management Portal, browse to Locations > Certificate Stores.
2. On the Certificate Stores page, select the Discover tab.
3. On the Discover tab, highlight one or more store row(s) in the grid and click Manage at the top of the grid or right-click the store in the grid and choose Manage from the right-click menu. Discovered certificate stores that require entry of either a server username and password or store password (or PAM credential access information) during the approval process must all share the same password or PAM information if you select more than one for approval at the same time. The right-click menu supports operations on only one store at a time.

   

   Figure 248: Discovered Certificate Stores

4. The fields that appear on the Manage Certificate Stores dialog will vary depending on the certificate store type. If you’re using a Keyfactor custom-built extension from GitHub, be sure to consult the documentation on GitHub for the specific extension. The following are some examples.

   Java Keystore with the Remote File Extension

   • If desired, select a Container from the dropdown.

   • Click the Set Password button to enter the password for the keystore. In the Password dialog, the options are No Value, Load From Keyfactor Secrets, and Load From PAM Provider.

     

     Figure 249: Java Keystore Set Password

     Select No Value if your keystore does not have a password configured.

     A Keyfactor secret is a user-defined password or other information that is encrypted and stored securely in the Keyfactor Command database. Although Keyfactor recommends using Privileged Access Management (see Privileged Access Management (PAM)) as a more secure solution to secure information, Keyfactor Secret is an option for customers that do not already have a relationship with a PAM provider such as CyberArk or Delinea.

     Important:  Keyfactor highly recommends that you use strong passwords for any accounts or certificates related to Keyfactor Command and associated products, especially when these have elevated or administrative access. A strong password has at least 12 characters (more is better) and multiple character classes (lowercase letters, uppercase letters, numeral, and symbols). Ideally, each password would be randomly generated. Avoid password re-use.

     Select the Load From Keyfactor Secrets radio button as the Secret Source if you want Keyfactor Command to encrypt and store the password in the Keyfactor Command database. Enter and confirm a password.

     Select the Load from PAM Provider radio button as the Secret Source if you want to store the password in a supported third-party PAM solution (see Privileged Access Management (PAM)). The remaining fields on the dialog will vary depending on the PAM provider. For example:

     CyberArk

     Select your CyberArk provider in the Providers dropdown if your PAM provider is CyberArk (see Adding or Modifying a PAM Provider). The remaining fields in the dialog will then be:

     • Safe—The name of the safe the credential resides in.
     • Object—The name of the username or password object in the safe.
     • Folder—The path and name of the folder that stores the object (e.g. Root or Root\MyDir).
     Delinea

     Select your Delinea provider in the Providers dropdown if your PAM provider is Delinea (see Adding or Modifying a PAM Provider). The remaining field in the dialog will then be:

     • Secret Server Secret ID—The numeric ID of the secret to retrieve from Secret Server.
     • Secret Field Name—The name of the field to use when retrieving a secret form Secret Server.
     Hashicorp

     Select your Hashicorp Vault provider in the Providers dropdown if your PAM provider is Hashicorp Vault (see Adding or Modifying a PAM Provider). The remaining field in the dialog will then be:

     • KV Secret Key—The key of the secret to retrieve from the Hashicorp Vault.
     • KV Secret Name—The name of the secret to retrieve from the Hashicorp Vault.
   • The Linux File Permissions on Store Creation and Linux File Owner on Store Creation fields apply to the creation of new certificate stores on the target, and do not apply to discovered stores. These fields may be left blank.
   • Click Set Server Username and, in the Server Username dialog, choose the source from which to load a user valid on the target server or device with sufficient permissions to read the store locations and open files (for F5 this should be Administrator permissions). In the Server Username dialog, the options are Load From Keyfactor Secrets or Load From PAM Provider. The No Value option is typically not supported for remote file targets.
     Note:  Although a user with Resource Administrator permissions is sufficient when using the F5 methods that use the SOAP API, the F5 methods that use the REST API require full Administrator permissions.

   • Click Set Server Password and, in the Server Password dialog, choose the source from which to load the password for the user specified with Set Server Username. In the Server Password dialog, the options are Load From Keyfactor Secrets or Load From PAM Provider. The No Value option is typically not supported for remote file targets.

     

     Figure 250: F5 SSL Profiles Set Password

     A Keyfactor secret is a user-defined password or other information that is encrypted and stored securely in the Keyfactor Command database. Although Keyfactor recommends using Privileged Access Management (see Privileged Access Management (PAM)) as a more secure solution to secure information, Keyfactor Secret is an option for customers that do not already have a relationship with a PAM provider such as CyberArk or Delinea.

     Important:  Keyfactor highly recommends that you use strong passwords for any accounts or certificates related to Keyfactor Command and associated products, especially when these have elevated or administrative access. A strong password has at least 12 characters (more is better) and multiple character classes (lowercase letters, uppercase letters, numeral, and symbols). Ideally, each password would be randomly generated. Avoid password re-use.

     Select the Load From Keyfactor Secrets radio button as the Secret Source if you want Keyfactor Command to encrypt and store the password in the Keyfactor Command database. Enter and confirm a password.

     Select the Load from PAM Provider radio button as the Secret Source if you want to store the password in a supported third-party PAM solution (see Privileged Access Management (PAM)). The remaining fields on the dialog will vary depending on the PAM provider. For example:

     CyberArk

     Select your CyberArk provider in the Providers dropdown if your PAM provider is CyberArk (see Adding or Modifying a PAM Provider). The remaining fields in the dialog will then be:

     • Safe—The name of the safe the credential resides in.
     • Object—The name of the username or password object in the safe.
     • Folder—The path and name of the folder that stores the object (e.g. Root or Root\MyDir).
     Delinea

     Select your Delinea provider in the Providers dropdown if your PAM provider is Delinea (see Adding or Modifying a PAM Provider). The remaining field in the dialog will then be:

     • Secret Server Secret ID—The numeric ID of the secret to retrieve from Secret Server.
     • Secret Field Name—The name of the field to use when retrieving a secret form Secret Server.
     Hashicorp

     Select your Hashicorp Vault provider in the Providers dropdown if your PAM provider is Hashicorp Vault (see Adding or Modifying a PAM Provider). The remaining field in the dialog will then be:

     • KV Secret Key—The key of the secret to retrieve from the Hashicorp Vault.
     • KV Secret Name—The name of the secret to retrieve from the Hashicorp Vault.
   • In the Use SSL section, select True to use SSL to communicate with the remote target, if desired. For more information, see Table 16: Discovery Options.

   

   Figure 251: Manage a Discovered Java Certificate Store

   F5 SSL Profile Certificate with the F5 Extension

   • If desired, select a Container from the dropdown.
   • In the Primary Node field, enter the fully qualified domain name of the F5 device that acts as the primary node in a highly available F5 implementation. If you're using a single F5 device, this will often be the same value you entered in the Client Machine field.
     Tip:  Configuration of the primary node is necessary to allow management jobs that update certificates on the F5 device to wait until the primary node is available before making their update. Inventory jobs are carried out against any available node.
   • In the Primary Node Check Retry Wait Seconds field, either accept the default value of 120 seconds or enter a new value. This value represents the number of seconds the orchestrator will wait after a pending management job cannot be completed because the primary node cannot be contacted before trying to contact the primary node again to retry the job.
   • In the Primary Node Check Retry Maximum field, either accept the default value of 3 retry attempts or enter a new value. This value represents the number of times the orchestrator will retry a pending management job that is failing because the primary node cannot be contacted before declaring the job failed.
   • In the Version of F5 dropdown, select the version of F5 this server is running. The F5 REST API is supported on version 13 and up.
     Tip:  Select v15 for version 15 and above.

   • Click Set Server Username to choose the source from which to load a user valid on the F5 device with Administrator permissions. In the Server Username dialog, the options are Load From Keyfactor Secrets or Load From PAM Provider. The No Value option is typically not supported for F5 stores.

     Note:  Although a user with Resource Administrator permissions is sufficient when using the F5 methods that use the SOAP API, the F5 methods that use the REST API require full Administrator permissions.

   • Click Set Server Password to choose the source to load a valid password for the server. In the Server Password dialog, the options are Load From Keyfactor Secrets or Load From PAM Provider. The No Value option is typically not supported for F5 stores.

     

     Figure 252: F5 SSL Profiles Set Password

     A Keyfactor secret is a user-defined password or other information that is encrypted and stored securely in the Keyfactor Command database. Although Keyfactor recommends using Privileged Access Management (see Privileged Access Management (PAM)) as a more secure solution to secure information, Keyfactor Secret is an option for customers that do not already have a relationship with a PAM provider such as CyberArk or Delinea.

     Important:  Keyfactor highly recommends that you use strong passwords for any accounts or certificates related to Keyfactor Command and associated products, especially when these have elevated or administrative access. A strong password has at least 12 characters (more is better) and multiple character classes (lowercase letters, uppercase letters, numeral, and symbols). Ideally, each password would be randomly generated. Avoid password re-use.

     Select the Load From Keyfactor Secrets radio button as the Secret Source if you want Keyfactor Command to encrypt and store the password in the Keyfactor Command database. Enter and confirm a password.

     Select the Load from PAM Provider radio button as the Secret Source if you want to store the password in a supported third-party PAM solution (see Privileged Access Management (PAM)). The remaining fields on the dialog will vary depending on the PAM provider. For example:

     CyberArk

     Select your CyberArk provider in the Providers dropdown if your PAM provider is CyberArk (see Adding or Modifying a PAM Provider). The remaining fields in the dialog will then be:

     • Safe—The name of the safe the credential resides in.
     • Object—The name of the username or password object in the safe.
     • Folder—The path and name of the folder that stores the object (e.g. Root or Root\MyDir).
     Delinea

     Select your Delinea provider in the Providers dropdown if your PAM provider is Delinea (see Adding or Modifying a PAM Provider). The remaining field in the dialog will then be:

     • Secret Server Secret ID—The numeric ID of the secret to retrieve from Secret Server.
     • Secret Field Name—The name of the field to use when retrieving a secret form Secret Server.
     Hashicorp

     Select your Hashicorp Vault provider in the Providers dropdown if your PAM provider is Hashicorp Vault (see Adding or Modifying a PAM Provider). The remaining field in the dialog will then be:

     • KV Secret Key—The key of the secret to retrieve from the Hashicorp Vault.
     • KV Secret Name—The name of the secret to retrieve from the Hashicorp Vault.
   • In the Use SSL section, select True to use SSL to communicate with the F5 device or cluster, if desired. For more information, see Table 16: Discovery Options.

   

   Figure 253: Manage a Discovered F5 SSL Profile Certificate

Discovered certificate stores can be deleted one at a time or in multiples.

To delete a discovered certificate store:

1. In the Management Portal, browse to Locations > Certificate Stores.
2. On the Certificate Stores page, select the Discover tab.
3. On the Discover tab, highlight the row(s) in the discover grid of the store(s) to delete and click Delete at the top of the grid or right-click the store location in the grid and choose Delete from the right-click menu. The right-click menu supports operations on only one store at a time.
4. On the Confirm Operation alert, click OK to confirm or Cancel to cancel the operation.