This step only needs to be completed if you plan to use the Keyfactor Universal Orchestrator
The Keyfactor Universal Orchestrator, one of Keyfactor's suite of orchestrators, is used to interact with servers and devices for certificate management, run SSL discovery and management tasks, and manage synchronization of certificate authorities in remote forests. With the addition of custom extensions, it can provide certificate management capabilities on a variety of platforms and devices (e.g. Amazon Web Services (AWS) resources, Citrix\NetScaler devices, F5 devices, IIS stores, JKS keystores, PEM stores, and PKCS#12 stores) and execute tasks outside the standard list of certificate management functions. It runs on either Windows or Linux servers or Linux containers. for remote Microsoft CA A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA. synchronization.
In order for the Universal Orchestrator Keyfactor orchestrators perform a variety of functions, including managing certificate stores and SSH key stores. to be able to synchronize certificates from the remote Microsoft CA(s) to the Keyfactor Command database, the Universal Orchestrator service account—the identity under which the orchestrator in the remote forest An Active Directory forest (AD forest) is the top most logical container in an Active Directory configuration that contains domains, and objects such as users and computers. runs—must have permissions to read the CA database(s) in the remote forest.
In the management console for each CA that the orchestrator will interact with, open the properties for the CA and grant the service account that the orchestrator runs as (see Create Service Accounts for the Universal Orchestrator) read permissions before continuing.
Figure 574: CA Permissions