Configure Automated Renewal Permission

The expiration renewal event handler or equivalent workflowClosed A workflow is a series of steps necessary to complete a process. In the context of Keyfactor Command, it refers to the workflow builder, which allows you automate event-driven tasks when a certificate is requested or revoked. allows you to execute a certificate renewal automatically for each expiring certificate that is found in a supported certificate store for each expiration alert when the alert task is triggered by the execution of the expiration alerts. In order for the renewal handler or workflow to execute successfully, the Active Directory service account under which the Keyfactor Command Service runs must have select permissions in the Keyfactor Command Management Portal. In addition, if you wish to test the execution of expiration alerts with renewal handlers or workflows and your IIS application pool runs in the context of a different Active Directory service account than the Keyfactor Command Service, the Active Directory service account for the Keyfactor APIClosed A set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command. IIS application pool must also be granted these permissions.

Note:  If your Microsoft CAClosed A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA. has been configured with the Use Explicit Credentials option, the permissions described here need to be granted to the user specified by the Use Explicit Credentials option, not either of the above-referenced service accounts.

If you're using an EJBCA CA, no further permissions need to be granted and this step may be skipped.

If you don’t plan to use the expiration renewal handler or workflow, you can skip this step.

To configure permissions for the service account(s) to support use of the expiration renewal handler or workflow:

  1. In the Keyfactor Command Management Portal, browse to System Settings Icon > Security Roles & Claims.
  2. On the Security Roles and Claims page on the Security Roles tab, click Add to create a new role to be used just to grant permissions to the service account(s) to support use of the expiration renewal handler or workflow.
  3. On the Details tab, give it an appropriate name and description to reflect this usage.
  4. On the Global Permissions tab:

    1. Select Certificate Enrollment and click the Enroll PFX toggle to enable it.
    2. Select Certificate Store Management and click the Read and Schedule toggles to enable them.
    3. Select Certificates and click the Read toggle to enable it.
    4. Select Management Portal and click the Read toggle to disable it, if enabled.
  5. Click Save to save the role.
  6. On the Security Roles and Claims page on the Claims tab, click Add to add a new security claim.
  7. In the Add Claim dialog, select a Claim Type of Active Directory User. Enter the Active Directory user name of the service account under which the Keyfactor Command Service runs using DOMAIN\username format in the Claim Value. Select a Claim Provider of Active Directory and enter an appropriate Description. Click Save. The new claim will be saved and the dialog will close.

    Figure 569: Configure Expiration Renewal Handler: Add New Claim

  8. If your Keyfactor API IIS application pool runs as a different Active Directory service account from that used for the Keyfactor Command Service, repeat steps six and seven for the IIS application pool service account.
  9. On the Security Roles tab, double-click the role you created for the renewal handler or workflow and on the Claims tab, click Add. Select the Keyfactor Command Service claim in the grid and IIS application pool service account, if appropriate, and click Include and Close.
  10. Click Save to save the addition of the claim(s) to the role.