The Enrollment
Certificate enrollment refers to the process by which a user requests a digital certificate. The user must submit the request to a certificate authority (CA). function in the Keyfactor Command Management Portal allows PKI A public key infrastructure (PKI) is a set of roles, policies, and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption. administrators to request certificates in the following ways:
-
CSR Enrollment: Submit a certificate signing request
A CSR or certificate signing request is a block of encoded text that is submitted to a CA when enrolling for a certificate. When you generate a CSR within Keyfactor Command, the matching private key for it is stored in Keyfactor Command in encrypted format and will be married with the certificate once returned from the CA. (see CSR Enrollment). -
PFX Enrollment: Enter request details to receive a certificate as a PFX
A PFX file (personal information exchange format), also known as a PKCS#12 archive, is a single, password-protected certificate archive that contains both the public and matching private key and, optionally, the certificate chain. It is a common format for Windows servers. file. If enrollment succeeds and no manager approval is required, the certificate is immediately available for download or installation into a certificate store (see PFX Enrollment). -
ODKG Enrollment: Enroll through on-device key generation (ODKG), formerly known as reenrollment, directly into a certificate store (see ODKG - On Device Key Generation).
-
CSR Generation: Generate a certificate signing request within Keyfactor Command. The private key
Private keys are used in cryptography (symmetric and asymmetric) to encrypt or sign content. In asymmetric cryptography, they are used together in a key pair with a public key. The private or secret key is retained by the key's creator, making it highly secure. from this process is securely stored—encrypted—in the Keyfactor Command database (see CSR Generation).
A workflow is a series of steps necessary to complete a process. In Keyfactor Command, it refers to the workflow builder, which allows you to automate event-driven tasks such as when a certificate is requested, revoked or found in a certificate store. (see Workflow Definitions).See Application Settings: Enrollment Tab for configuration settings that apply to the enrollment functions in the Keyfactor Command Management Portal. Some enrollment functions are also affected by enrollment pattern settings. See Configuring System-Wide Settings and Adding or Modifying an Enrollment Pattern for more information.
A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA. itself in order to enroll via the CA in Keyfactor Command. For more information, see Grant the Keyfactor Command Users and Service Account(s) Permissions on the CAs. An Active Directory forest (AD forest) is the top most logical container in an Active Directory configuration that contains domains, and objects such as users and computers. in which Keyfactor Command is installed and any forests in a two-way trust with this forest. To do a cross-forest enrollment (with a forest in a two-way trust with the Keyfactor Command forest), Keyfactor Command requires that the root and intermediate CA certificates from the trusted forest are installed in the trusted root/intermediate stores in the Keyfactor Command server. Keyfactor Command installations in containers under Kubernetes required a CA connector to communicate with a Microsoft CA.