Certificate Stores

The certificate store feature in Keyfactor Command allows you to search for and inventory certificates from multiple types of certificate stores, import the certificates found in them into the Keyfactor Command database, add new certificates to the stores, and remove certificates from them. This feature uses Keyfactor orchestrators to communicate with the Keyfactor Command server. This section of the documentation describes the management tasks that can be done through the Management Portal. For information about installing and configuring the Keyfactor Universal Orchestrator, see the Installing Orchestrators guide. The Keyfactor Universal Orchestrator, one of Keyfactor's suite of orchestrators, is used to interact with servers and devices for certificate management, run SSL discovery and management tasks, and manage synchronization of certificate authorities in remote forests. With the addition of custom extensions, it can provide certificate management capabilities on a variety of platforms and devices (e.g. Amazon Web Services (AWS) resources, Citrix/NetScaler devices, F5 devices, IIS stores, JKS keystores, PEM stores, and PKCS#12 stores) and execute tasks outside the standard list of certificate management functions. It runs on either Windows or Linux servers or Linux containers.

Certificate stores are managed by configuring the store locations through the Management Portal, assigning an inventory schedule, and optionally assigning stores to containers (groups) for ease of management. You can create records for stores in the Management Portal manually or by using the discovery feature. Not all certificate store types support discovery; check the details of the certificate store types or any custom-built extensions you’re using to determine whether discovery is supported.

Managing certificate stores requires that an appropriate instance of a Keyfactor orchestrator (Keyfactor orchestrators perform a variety of functions, including managing certificate stores and SSH key stores) is running in the environment and has been approved in the Management Portal (see Orchestrator Management). Java and PEM certificate stores can be managed with an instance of the Keyfactor Java Agent running on the machine where the Java and PEM certificate stores are located, or with the Keyfactor Universal Orchestrator and the Keyfactor Remote File extension. The Java Agent, one of Keyfactor's suite of orchestrators, is used to perform discovery of Java keystores and PEM certificate stores, to inventory discovered stores, and to push certificates out to stores as needed. Amazon Web Services (AWS), F5, Citrix/NetScaler, Windows (IIS) certificate stores and more can be managed with the Keyfactor Universal Orchestrator and an appropriate Keyfactor custom-built extension. Keyfactor offers many custom-built extensions for the Keyfactor Universal Orchestrator on GitHub:

A PEM format certificate file is a base64-encoded certificate. Since it is presented in ASCII, you can open it in any text editor. PEM certificates always begin and end with entries like -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. PEM certificates can contain a single certificate or a full certificate chain and may contain a private key. Usually, files with the extensions .cer and .crt are certificate files with no private key, .key is a separate private key file, and .pem is both a certificate and a private key.
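The PEM description above is enough to write a small inventory pass of the kind an orchestrator performs against a PEM store: split the file into encapsulated blocks, classify each block by its label, decode the base64 body and check that the result is at least a well-formed DER SEQUENCE, compute a SHA-256 thumbprint per certificate, and flag the case the text warns about, a private key sitting in the same file as the certificates. The following is an added example written for this page, not Keyfactor's own code and not the Remote File extension's logic. The sample store is constructed inline from tiny placeholder DER payloads so that it runs offline; real X.509 certificates are much larger, but the block structure is identical.

```python
"""Inventory a PEM certificate store (added example; not Keyfactor code)."""
import base64
import binascii
import hashlib
import re
from dataclasses import dataclass, field

# RFC 7468 encapsulation: "-----BEGIN <LABEL>-----" ... "-----END <LABEL>-----".
_PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)


@dataclass
class PemBlock:
    label: str
    headers: dict
    der: bytes

    @property
    def thumbprint_sha256(self) -> str:
        """Thumbprint over the DER bytes, as certificate inventories report it."""
        return hashlib.sha256(self.der).hexdigest().upper()


@dataclass
class StoreInventory:
    certificates: list = field(default_factory=list)
    private_keys: list = field(default_factory=list)
    other: list = field(default_factory=list)
    findings: list = field(default_factory=list)


def der_sequence_ok(der: bytes) -> bool:
    """True if der is one complete DER SEQUENCE (tag 0x30, declared length == payload)."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        length, offset = first, 2
    else:                                 # long-form length: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length, offset = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return offset + length == len(der)


def _decode_body(body: str):
    """Split optional 'Key: value' headers (legacy OpenSSL style) from the base64 payload."""
    headers, b64_lines, in_headers = {}, [], True
    for line in body.splitlines():
        line = line.strip()
        if in_headers:
            if not line:                  # blank line terminates the header section
                in_headers = False
                continue
            if ":" in line:               # ':' is not in the base64 alphabet
                key, _, value = line.partition(":")
                headers[key.strip()] = value.strip()
                continue
            in_headers = False
        if line:
            b64_lines.append(line)
    try:
        der = base64.b64decode("".join(b64_lines), validate=True)
    except (binascii.Error, ValueError) as exc:
        return headers, b"", f"invalid base64 body ({exc})"
    if not der:
        return headers, b"", "empty body"
    return headers, der, None


def inventory_pem_store(text: str) -> StoreInventory:
    inv = StoreInventory()
    for match in _PEM_BLOCK.finditer(text):
        label = match.group("label")
        headers, der, err = _decode_body(match.group("body"))
        if err:
            inv.findings.append(f"{label}: {err}")
            continue
        # Legacy "Proc-Type: 4,ENCRYPTED" bodies are raw ciphertext, not DER; skip the check.
        legacy_encrypted = headers.get("Proc-Type", "").endswith("ENCRYPTED")
        if not legacy_encrypted and not der_sequence_ok(der):
            inv.findings.append(f"{label}: body is not a well-formed DER SEQUENCE")
            continue
        block = PemBlock(label, headers, der)
        if label == "CERTIFICATE":
            inv.certificates.append(block)
        elif label.endswith("PRIVATE KEY"):
            inv.private_keys.append(block)
            if not (legacy_encrypted or label.startswith("ENCRYPTED")):
                inv.findings.append(f"{label}: unencrypted private key stored alongside certificates")
        else:
            inv.other.append(block)
    return inv


def _pem(label: str, der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    return "\n".join([f"-----BEGIN {label}-----",
                      *[b64[i:i + 64] for i in range(0, len(b64), 64)],
                      f"-----END {label}-----"])


# Constructed sample store: placeholder DER (SEQUENCE{INTEGER n}), not real certificates or keys.
SAMPLE_STORE = "\n".join([
    _pem("CERTIFICATE", b"\x30\x03\x02\x01\x01"),            # leaf
    _pem("CERTIFICATE", b"\x30\x03\x02\x01\x02"),            # issuing CA in the chain
    _pem("PRIVATE KEY", b"\x30\x05\x02\x01\x00\x05\x00"),    # unencrypted PKCS#8 -> finding
    _pem("ENCRYPTED PRIVATE KEY", b"\x30\x03\x02\x01\x03"),  # encrypted PKCS#8 -> no finding
    "-----BEGIN CERTIFICATE-----\nnot*base64!!\n-----END CERTIFICATE-----",  # corrupt block
])

if __name__ == "__main__":
    result = inventory_pem_store(SAMPLE_STORE)
    for cert in result.certificates:
        print("certificate", cert.thumbprint_sha256)
    for finding in result.findings:
        print("finding:", finding)
```

The regex back-reference `(?P=label)` makes a mismatched END label fail to match, so a block whose delimiters disagree is simply not inventoried rather than being mis-filed. The DER check is deliberately shallow: it catches truncation and wrong-label bodies, not an invalid certificate, which would need a full X.509 parser.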

Some packages that may be of special interest to long-term users of Keyfactor Command are:

Once your certificate stores have been inventoried and their certificates imported into Keyfactor Command, you can use the standard Management Portal features for managing certificates—such as Expiration Alerts (see Expiration Alerts)—to manage the certificates found in the certificate store locations, even if those certificates were not issued by the CAs configured in Keyfactor Command.

Most certificate store types can use Privileged Access Management (PAM) or Keyfactor Secrets to manage passwords for the servers or devices on which the certificate stores are located and, where applicable, for the certificate stores themselves.

Tip:  Click the help icon next to the Certificate Stores page title to open the Keyfactor Command Documentation Suite to this section. You can also find the help icon at the top of the page next to the Log Out button. From there you can choose to open either the Keyfactor Command Documentation Suite at the home page or the Keyfactor API Endpoint Utility.