In order for Keyfactor Command to synchronize certificates from the CAs to the Keyfactor Command database, the service account under which Keyfactor Command connects to the CA must have permission to read the CA database. For full Keyfactor Command functionality, additional permissions are needed. The permissions required vary depending on the type of installation, the type of CA, and the type of authorization you intend to configure to allow Keyfactor Command, and users in Keyfactor Command, to interact with the CA.
Microsoft CAs
When configuring Keyfactor Command to access a Microsoft CA, you can choose to enable the Use Explicit Credentials option.
- With Explicit Credentials Enabled: You provide specific credentials for accessing the Microsoft CA. All management and enrollment tasks for that CA are performed using these credentials.
- With Explicit Credentials Disabled: Tasks are performed under one of the following contexts, based on the settings and connection type:
  - Directly Connected Microsoft CAs (Delegation Not Enabled): The Management Portal/Keyfactor API application pool service account.
  - Directly Connected Microsoft CAs (Delegation Enabled): The Active Directory user logged into Keyfactor Command. Delegation is supported only with Active Directory as the identity provider and Microsoft CAs in the local forest or in forests with a two-way trust.
  - CAs Connected via the CA Connector Client (Domain Service Account): The domain service account under which the CA Connector Client service runs.
  - CAs Connected via the CA Connector Client (Network Service Account): The machine account of the CA Connector Client server.
The users and service account(s) you will be using to connect to your Microsoft CA(s) from Keyfactor Command need a subset of the following permissions on the CA, depending on how authorization is configured for the CA:
- Read: to support CA synchronization
- Issue and Manage Certificates: to support certificate revocation and key recovery
- Manage CA: to support CRL (certificate revocation list) publication following revocation
- Request Certificates: to support certificate enrollment through Keyfactor Command
Figure 580: Microsoft CA Permissions
Table 117: Microsoft CA Permission Matrix provides information on what permissions are required on the Microsoft CA based on possible authorization configurations.
In the management console for each CA that Keyfactor Command will be interacting with, open the properties for the CA and grant the users and service account(s) for Keyfactor Command the appropriate permissions for your environment before continuing.
For PFX (PKCS#12) and CSR enrollment through the Management Portal, the user initiating the enrollment in the Management Portal must be granted "Request Certificates" permission on the CA if enrollment delegation is enabled. In many environments, all Authenticated Users are granted this permission, allowing the Management Portal users to inherit it.
Table 117: Microsoft CA Permission Matrix
| | Use Explicit Credentials | | | | |
|---|---|---|---|---|---|
| Explicit CA-Specific User | Read, Issue & Manage Certs, Manage CA, Request Certs | n/a | n/a | n/a | n/a |
| Keyfactor Command Service Account | None | Read, Request Certs (1) | Read, Request Certs (2) | Read, Request Certs (3) | Read, Request Certs (4) |
| Keyfactor API Application Pool Account (5) | None | Read, Issue & Manage Certs, Manage CA, Request Certs (6) | Read, Issue & Manage Certs, Manage CA, Request Certs (7) | Read, Manage CA, Request Certs | Read, Issue & Manage Certs, Manage CA, Request Certs |
| CA Connector Client Service Account | None | n/a | n/a | n/a | Read, Issue & Manage Certs, Manage CA, Request Certs |
| Individual Users | None | Read, Issue & Manage Certs, Request Certs | Read, Request Certs | Read, Issue & Manage Certs | None |
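As an added example (this is not Keyfactor's own tooling and not code from this page), the following PowerShell reads the active CA's security descriptor from the CertSvc registry key on the CA host and reports which of the four CA permissions listed above a given identity holds directly, so you can compare an account against its row in Table 117 before continuing. The account names, the role labels used as keys, and the decision to run it locally on the CA host are assumptions for illustration. Only ACEs granted directly to the named identity are evaluated; a right held through group membership (for example Request Certificates granted to Authenticated Users) shows as not granted here even though the CA would honor it.

```powershell
# Added example, not Keyfactor Command code. Run on the CA host (or via Invoke-Command) with local
# administrator rights; it reads the same CA security descriptor that certutil -getreg CA\Security shows.
# Assumptions: identity names such as 'CORP\svc-keyfactor' are placeholders; only ACEs granted directly
# to the identity are evaluated (rights inherited through groups are not expanded).

# CA access-mask bits (CA_ACCESS_* constants from the Windows SDK header certadm.h)
$CaRights = [ordered]@{
    'Manage CA'                     = 0x00000001   # CA_ACCESS_ADMIN
    'Issue and Manage Certificates' = 0x00000002   # CA_ACCESS_OFFICER
    'Read'                          = 0x00000100   # CA_ACCESS_READ
    'Request Certificates'          = 0x00000200   # CA_ACCESS_ENROLL
}

# Required sets taken from the rows of Table 117 (the keys are this example's own labels)
$RequiredByRole = @{
    'Explicit CA-Specific User'           = @('Read', 'Issue and Manage Certificates', 'Manage CA', 'Request Certificates')
    'Keyfactor Command Service Account'   = @('Read', 'Request Certificates')
    'CA Connector Client Service Account' = @('Read', 'Issue and Manage Certificates', 'Manage CA', 'Request Certificates')
}

function Get-CaSecurityAce {
    # Returns one object per ACE in the active CA's DACL, with the SID resolved to a name where possible
    $cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfg -Name Active).Active
    [byte[]]$raw = (Get-ItemProperty -Path "$cfg\$caName" -Name Security).Security
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($raw, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }   # skip object/custom ACEs
        $sid = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }   # unresolvable SID (deleted account, foreign forest): keep raw SID
        [pscustomobject]@{ CA = $caName; Identity = $name; AceType = $ace.AceType; Mask = [int]$ace.AccessMask }
    }
}

function Test-KeyfactorCaRights {
    param(
        [Parameter(Mandatory)][string]   $Identity,        # e.g. 'CORP\svc-keyfactor'
        [Parameter(Mandatory)][string[]] $RequiredRights   # names from $CaRights
    )
    $allow = 0; $deny = 0
    foreach ($ace in (Get-CaSecurityAce | Where-Object Identity -eq $Identity)) {
        switch ($ace.AceType) {
            'AccessAllowed' { $allow = $allow -bor $ace.Mask }
            'AccessDenied'  { $deny  = $deny  -bor $ace.Mask }
        }
    }
    $effective = $allow -band (-bnot $deny)   # an explicit deny removes the bit even if also allowed
    foreach ($right in $RequiredRights) {
        $bit = $CaRights[$right]
        [pscustomobject]@{
            Identity = $Identity
            Right    = $right
            Granted  = (($effective -band $bit) -eq $bit)
        }
    }
}

# Usage: compare the Keyfactor Command service account against its Table 117 row, then the
# CA Connector Client service account against its row. Any Granted = False is either a gap to fix
# on the CA's Security tab or a right that the account only holds through a group.
Test-KeyfactorCaRights -Identity 'CORP\svc-keyfactor'   -RequiredRights $RequiredByRole['Keyfactor Command Service Account']   | Format-Table -AutoSize
Test-KeyfactorCaRights -Identity 'CORP\svc-caconnector' -RequiredRights $RequiredByRole['CA Connector Client Service Account'] | Format-Table -AutoSize
```

The script reads the security descriptor rather than modifying it: the CA service caches this descriptor, so changes should still be made through the CA properties Security tab (or certutil) as the page directs, and then rechecked with the script.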
EJBCA CAs
Management (e.g. revocation, certificate synchronization) and enrollment requests to an EJBCA CA are made in the context of the end entity associated with the client certificate selected in each CA configuration in the Keyfactor Command Management Portal to provide authentication to the EJBCA CA (see Acquire a Client Certificate for EJBCA CA Authentication). The access rule created or used for this needs to grant sufficient permissions to allow the end entity to synchronize certificates. For full functionality, it needs the following permissions:
- /administrator/: To support Keyfactor Command making API requests to the EJBCA CA
- /ca/[your_ca_name]/: To support Keyfactor Command access to your CA
- /ca_functionality/create_certificate/: To support certificate enrollment through Keyfactor Command
- /ca_functionality/create_crl/: To support CRL publication following revocation
- /ca_functionality/view_ca/: To support retrieval of CA information
- /ca_functionality/view_certificate/: To support CA synchronization
- /ca_functionality/view_certificate_profiles/: To support certificate template import
- /endentityprofilesrules/[your_end_entity_profile_name]/create_end_entity/: To support creation of end entities (a new end entity is created for each Keyfactor Command certificate enrollment unless the Enforce Unique DN option is enabled and the new certificate's DN matches that of an existing certificate)
- /endentityprofilesrules/[your_end_entity_profile_name]/edit_end_entity/: To support certificate enrollment with the Enforce Unique DN option through Keyfactor Command and certificate renewal through Keyfactor Command
- /endentityprofilesrules/[your_end_entity_profile_name]/revoke_end_entity/: To support certificate revocation through Keyfactor Command
- /endentityprofilesrules/[your_end_entity_profile_name]/view_end_entity/: To support certificate enrollment through Keyfactor Command
- /ra_functionality/create_end_entity: To support creation of end entities (a new end entity is created for each Keyfactor Command certificate enrollment unless the Enforce Unique DN option is enabled and the new certificate's DN matches that of an existing certificate)
- /ra_functionality/edit_end_entity: To support certificate enrollment with the Enforce Unique DN option through Keyfactor Command and certificate renewal through Keyfactor Command
- /ra_functionality/revoke_end_entity: To support certificate revocation through Keyfactor Command
- /ra_functionality/view_end_entity: To support certificate enrollment through Keyfactor Command
- /system_functionality/view_administrator_privileges: To support overall functionality
You may either create a new access rule that limits access to just these required permissions, or use an existing access rule. In either case, you need to add the certificate or OAuth client used to authenticate Keyfactor Command to the EJBCA CA as a member of that access rule.