Certificate Stores

The certificate store feature in Keyfactor Command allows you to search for and inventory certificates from multiple types of certificate stores, import the certificates found in them into the Keyfactor Command database, add new certificates to the stores, and remove certificates from them. This feature uses Keyfactor orchestrators to communicate with the Keyfactor Command server. This section of the documentation describes the management tasks that can be done through the Management Portal. For information about installing and configuring the Keyfactor Universal Orchestrator, see the .

Certificate stores are managed by configuring the store locations through the Management Portal, assigning an inventory schedule, and optionally assigning stores to containers (groups) for ease of management. You can create records for stores in the Management Portal manually or by using the Certificate Store Discovery feature. Not all certificate store types support discovery; check the details of the certificate store types or any custom-built extensions you’re using to determine whether discovery is supported.

Managing certificate stores requires that an appropriate instance of a Keyfactor orchestrator is running in the environment and has been approved in the Management Portal (see Orchestrator Management). Java and PEM certificate stores can be managed with an instance of the Keyfactor Java Agent running on the machine where the Java and PEM certificate stores are located or with the Keyfactor Universal Orchestrator and the Keyfactor Remote File extension. Amazon Web Services (AWS), F5, Citrix/NetScaler, Windows (IIS) certificate stores and more can be managed with the Keyfactor Universal Orchestrator and an appropriate Keyfactor custom-built extension. Keyfactor offers many custom-built extensions for the Keyfactor Universal Orchestrator on GitHub:

Some packages that may be of special interest to long-term users of Keyfactor Command are:

Once your certificate stores have been inventoried and their certificates imported into Keyfactor Command, you can use the standard Management Portal features for managing certificates—such as Expiration Alerts (see Expiration Alerts)—to manage the certificates from the certificate store locations even if the certificates were not generated by your Keyfactor Command configured CAs.

Most certificate store types can use Privileged Access Management (PAM) or Keyfactor Secrets to manage passwords for the servers or devices on which the certificate stores are located and, where applicable, for the certificate stores themselves.

Tip: Click the help icon next to the Certificate Stores page title to open the Keyfactor Software & Documentation Portal to this section. You will receive a prompt indicating:

You are being redirected to an external website. Would you like to proceed?

You can also find the help icon at the top of the page next to the Log Out button. From here you can choose to open either the Keyfactor Software & Documentation Portal at the home page or the Keyfactor API Endpoint Utility.

Keyfactor provides two sets of documentation: the On-Premises Documentation Suite and the Managed Services Documentation Suite. Which documentation set is accessed is determined by the Application Settings: On-Prem Documentation setting (see Application Settings: Console Tab).