Certificate Stores

The certificate store feature in Keyfactor Command allows you to search for and inventory certificates from multiple types of certificate stores, import the certificates found in them into the Keyfactor Command database, add new certificates to the stores, and remove certificates from them. This feature uses Keyfactor orchestrators to communicate with the Keyfactor Command server. This section of the documentation describes the management tasks that can be done through the Management Portal. For information about installing and configuring the Keyfactor Universal Orchestrator The Keyfactor Universal Orchestrator, one of Keyfactor's suite of orchestrators, is used to interact with servers and devices for certificate management, run SSL discovery and management tasks, and manage synchronization of certificate authorities in remote forests. With the addition of custom extensions, it can provide certificate management capabilities on a variety of platforms and devices (e.g. Amazon Web Services (AWS) resources, Citrix\NetScaler devices, F5 devices, IIS stores, JKS keystores, PEM stores, and PKCS#12 stores) and execute tasks outside the standard list of certificate management functions. It runs on either Windows or Linux servers or Linux containers., see the .

Certificate stores are managed by configuring the store locations through the Management Portal, assigning an inventory schedule, and optionally assigning stores to containers (groups) for ease of management. You can create records for stores in the Management Portal manually or by using the Certificate Store Discovery feature. Not all certificate store types support discovery; check the details of the certificate store types or any custom-built extensions you’re using to determine whether discovery is supported.

Managing certificate stores requires that an appropriate instance of a Keyfactor orchestrator Keyfactor orchestrators perform a variety of functions, including managing certificate stores and SSH key stores. is running in the environment and has been approved in the Management Portal (see Orchestrator Management). Java and PEM A PEM format certificate file is a base64-encoded certificate. Since it's presented in ASCII, you can open it in any text editor. PEM certificates always begin and end with entries like ---- BEGIN CERTIFICATE---- and ----END CERTIFICATE----. PEM certificates can contain a single certificate or a full certifiate chain and may contain a private key. In general, extensions of .cer and .crt are certificate files with no private key, .key is a separate private key file, and .pem is both a certificate and private key. certificate stores can be managed with an instance of the Keyfactor Java Agent The Java Agent, one of Keyfactor's suite of orchestrators, is used to perform discovery of Java keystores and PEM certificate stores, to inventory discovered stores, and to push certificates out to stores as needed. running on the machine where the Java and PEM certificate stores are located or with the Keyfactor Universal Orchestrator and the Keyfactor Remote File extension. Amazon Web Services (AWS), F5, Citrix/NetScaler, Windows (IIS) certificate stores and more can be managed with the Keyfactor Universal Orchestrator and an appropriate Keyfactor custom-built extension. Keyfactor offers many custom-built extensions for the Keyfactor Universal Orchestrator on GitHub:

Some packages that may be of special interest to long-term users of Keyfactor Command are:

• AWS Certificate Store Manager

• Citrix NetScaler Certificate Store Manager

• F5 Certificate Store Manager

• IIS Certificate Store Manager

• Remote File Certificate Store Management (Java Keystores, PKCS12 files, PEM files, DER A DER format certificate file is a DER-encoded binary certificate. It contains a single certificate and does not support storage of private keys. It sometimes has an extension of .der but is often seen with .cer or .crt. files, IBM Key Database files)

Once your certificate stores have been inventoried and their certificates imported into Keyfactor Command, you can use the standard Management Portal features for managing certificates—such as Expiration Alerts (see Expiration Alerts)—to manage the certificates from the certificate store locations even if the certificates were not generated by your Keyfactor Command configured CAs.

Most certificate store types can use Privileged Access Management (PAM) or Keyfactor Secrets to manage passwords for the servers or devices on which the certificates stores are located and on the certificate stores themselves, where applicable.