Configure Legacy Automated Renewal Permission

The expiration renewal event handler automatically renews each expiring certificate that an expiration alert finds in a supported certificate store, running once per alert each time the legacy alerting system's alert task is triggered. For the renewal handler to succeed, the user under which the request is processed needs sufficient permissions to complete the renewal. Which user this is depends on your identity provider:

If you don’t plan to use the expiration renewal handler with the legacy alerting system, you can skip this step.

To configure permissions to support use of the expiration renewal handler:

  1. In the Keyfactor Command Management Portal, browse to System Settings Icon > Security Roles & Claims.
  2. On the Security Roles and Claims page on the Claims tab, click Add to add a new security claim if one does not exist already. See above for the user(s) for which you will need claim(s).
  3. In the Add Claim dialog, select an appropriate Claim Type for your identity provider type (e.g. Active Directory User). Enter the Claim Value for the user. For an Active Directory user, for example, enter the Active Directory user name of the service account under which the Keyfactor Command Service runs using DOMAIN\username format in the Claim Value. Select your Claim Provider (Active Directory or your OAuth identity provider) and enter an appropriate Description. Click Save. The new claim will be saved and the dialog will close.

    Figure 571: Configure Expiration Renewal Handler: Add New Claim for an Active Directory User

  4. If you’re using Active Directory as an identity provider and your Keyfactor API IIS application pool runs as a different Active Directory service account from that used for the Keyfactor Command Service, repeat steps two and three for the IIS application pool service account.
  5. On the Security Roles and Claims page on the Security Roles tab, click Add to create a new role to be used just to grant permissions to the service account(s) to support use of the expiration renewal handler.
  6. On the Details tab, give it an appropriate name and description to reflect this usage.
  7. On the Global Permissions tab:

    1. In the Certificate Stores section, check the Read and Schedule boxes to enable them.
    2. In the Certificates>Enrollment section, check the Pfx box to enable it.
    3. In the Certificates>Collections section, check the Read box to enable it.
    4. In the Portal section, uncheck the Read box to disable it, if it is enabled.
  8. On the Claims tab, associate the claims you added for the renewal handler with the role.
  9. Click Save to save the role.
  10. Edit the CA and template that will be used for renewal and add the renewal role to the Allowed Requester Security Roles, if you're not using delegation for enrollment. If you're using Active Directory as an identity provider and delegation for enrollment, you will need to grant permissions separately on the CA and template to the Active Directory service accounts.