Certificate Authorities
Your Microsoft and EJBCA certificate authorities (CAs) are defined in the Management Portal to support synchronization to the Keyfactor Command database and to support enrollment (certificate enrollment is the process by which a user requests a digital certificate; the request must be submitted to a certificate authority). Microsoft CAs in the local forest in which Keyfactor Command is installed (an Active Directory forest is the topmost logical container in an Active Directory configuration, holding domains and objects such as users and computers), or in a forest that has a two-way trust with this forest, may be imported from Active Directory or manually configured. Other Microsoft CAs and EJBCA CAs need to be manually configured. During initial provisioning, any domain-joined Microsoft CAs in the primary Active Directory forest are imported automatically by the Keyfactor Command configuration wizard.
Certificate Authorities that need to be added manually include:
- Microsoft CAs that are not in the local forest or in a forest with a two-way trust to it
- EJBCA CAs
The majority of CA-related functions within Keyfactor Command are supported by both EJBCA and Microsoft CAs. Table 19: CA Function Matrix includes a list of CA-related functions and the support provided by EJBCA and Microsoft CAs.
Table 19: CA Function Matrix

Function | EJBCA CA | Microsoft CA
---|---|---
CA Synchronization | |
Template¹ Import | |
CA Threshold Monitoring (Issuance) | |
CA Threshold Monitoring (Failures) | |
CA Health Monitoring | |
Certificate Enrollment (PFX) | |
Certificate Enrollment (CSR) | |
Certificate Revocation | |
CRL Publishing Following Certificate Revocation | |
Keyfactor Command Private Key Retention and Key Recovery | |
CA-Level Key Archiving (* no longer supported as of Keyfactor Command v10) | |
CA-Level Key Recovery | |
Approvals in Workflow Builder | |
CA-Level Approvals with Pending, Issued and Denied Alerts | |
Supports use of Restrict Allowed Requesters for access control | |
Requires use of Restrict Allowed Requesters for access control | |
Requests to the CA can be done in the context of the user initiating the request | |
Requests to the CA can be done in the context of a single service account² | |
Supports use of Universal Orchestrator to access remote CA | |
Tips on how to configure various types of CAs:
Certificate Authority Operations
During installation of Keyfactor Command, CA records are created for any Microsoft CAs found in the local forest in which Keyfactor Command is installed. If you have Microsoft CAs in separate forests in a two-way trust with the forest in which Keyfactor Command is installed, you will need to use the import option to import CA records from those forests. If you have Microsoft CAs in any other configuration or EJBCA CAs, you will need to manually configure CA records for them.
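The automatic CA records and the import option both rely on the Microsoft CAs that are published as enrollment services in a forest's Active Directory configuration partition. The following PowerShell is an added check (not Keyfactor's own code) that lists those CAs for the local forest or, via the assumed `-Server` parameter, for a domain controller in a two-way-trusted forest, so you can confirm which CAs an AD-based import will find and which ones you will need to configure manually.

```powershell
# Added example: list the Microsoft CAs published in a forest's
# "Enrollment Services" container. Run with no arguments for the local
# forest, or pass a DC of a two-way-trusted forest (parameter name assumed).
param(
    [string]$Server
)

$prefix = if ($Server) { "LDAP://$Server/" } else { "LDAP://" }

# RootDSE exposes the Configuration naming context DN for that forest.
$rootDse  = [ADSI]"${prefix}RootDSE"
$configNc = $rootDse.configurationNamingContext

# One pKIEnrollmentService object exists per enterprise CA in the forest.
$container = [ADSI]"${prefix}CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNc"
$searcher  = New-Object System.DirectoryServices.DirectorySearcher($container)
$searcher.Filter = "(objectClass=pKIEnrollmentService)"
$searcher.PropertiesToLoad.AddRange(@("cn", "dNSHostName", "certificateTemplates", "cACertificate"))

foreach ($result in $searcher.FindAll()) {
    # DirectorySearcher returns property names in lower case.
    $caName   = $result.Properties["cn"][0]
    $hostName = $result.Properties["dnshostname"][0]

    # Parse the published CA certificate to surface its validity period.
    $raw    = [byte[]]$result.Properties["cacertificate"][0]
    $caCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)

    [pscustomobject]@{
        ConfigString  = "$hostName\$caName"   # host\CA-name form used to address a Microsoft CA
        Subject       = $caCert.Subject
        NotAfter      = $caCert.NotAfter
        TemplateCount = $result.Properties["certificatetemplates"].Count
    }
}
```

A CA that does not appear here (for example a standalone or workgroup CA) is not discoverable through Active Directory and falls under the manually configured category above.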
![](../Resources/Images/Reference/CAGrid.png)
Figure 242: Certificate Authorities Grid