Configure the Universal Orchestrator for Remote CA Management

If you've opted to enable the remote CA A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA. management functionality for the Keyfactor Universal Orchestrator The Keyfactor Universal Orchestrator, one of Keyfactor's suite of orchestrators, is used to interact with servers and devices for certificate management, run SSL discovery and management tasks, and manage synchronization of certificate authorities in remote forests. With the addition of custom extensions, it can provide certificate management capabilities on a variety of platforms and devices (e.g. Amazon Web Services (AWS) resources, Citrix\NetScaler devices, F5 devices, IIS stores, JKS keystores, PEM stores, and PKCS#12 stores) and execute tasks outside the standard list of certificate management functions. It runs on either Windows or Linux servers or Linux containers., further configuration is needed on the orchestrator Keyfactor orchestrators perform a variety of functions, including managing certificate stores and SSH key stores. to configure the CA(s) that the orchestrator will manage.

To configure CAs for the orchestrator:

1. On the orchestrator, open a text editor (e.g. Notepad) using the “Run as administrator” option.

2. In the text editor, browse to open the extensionoptions.json file for the Universal Orchestrator. The file is located in the configuration directory within the install directory, which is the following directory by default:

   C:\Program Files\Keyfactor\Keyfactor Orchestrator\configuration

3. In the extensionoptions.json file, locate the CertificateAuthority section.

   

   Figure 637: CA Configuration Settings

4. Either set the AdditionalCertificateAuthoritiesAllowed value to true or populate the CertificateAuthorities section with your CA information (see Table 936: Remote CA Configuration Parameters).
5. Save the file.
6. Restart the orchestrator service (see Start the Universal Orchestrator Service).

Table 936: Remote CA Configuration Parameters

Parameter	Description
Batch Size	An integer that specifies the number of certificate cache records to read from the Keyfactor Command in each data retrieval batch. The default is 10,000. Tip:  Certificate cache information from Keyfactor Command is retrieved from and stored on the orchestrator to allow the orchestrator to calculate which records represent changes and return only those to Keyfactor Command on requests from Keyfactor Command for CA synchronization.
Cache Hours	An integer that specifies the number of hours for which to cache certificate information from Keyfactor Command on the orchestrator before clearing it. The default is 3.
Record Count Limit	An integer that specifies the number of records to read from the CA(s) in each synchronization batch. The default is 5,000.
Max Error Count	An integer that specifies the number of times an attempt should be made to read records from the CA before the synchronization job ends with a failure. The default is 5.
Additional Certificate Authorities Allowed	A Boolean that sets whether any CAs available to the orchestrator (to which the orchestrator has network access and sufficient permissions) should be considered as managed (True) or whether only those CAs specifically listed in the CertificateAuthorities parameter should be considered as managed (False). If you set this value to True, you do not need to populate the CertificateAuthorities value.
Certificate Authorities	An array of the certificate authorities that should be considered managed by the orchestrator. The certificate authority information includes: Parameter Description Forest The name of the Active Directory forest in which the CA resides. Hostname The fully qualified domain name of the CA. Logical Name The logical name of the CA.