Keyfactor ACME Architecture

The elements of Keyfactor ACME are:

• Microsoft SQL Server:

  • The Keyfactor ACME SQL database holds the Keyfactor ACME accounts, application settings, certificates, orders, authorizations, nonces, and secrets.
  • The Keyfactor ACME database is a separate schema that can be loaded on the same database server as Keyfactor Command.

  • Multiple Keyfactor ACME servers can use a common database to allow for load balancing. For more information on configuring Keyfactor ACME load balancing, see Configuring Keyfactor ACME for Load Balancing on Windows.

  • By default, sensitive data—such as EAB HMAC keys—is securely stored in the Keyfactor ACME database using SQL encryption. However, an additional layer of security can be added with application-level encryption (see Application-Level Encryption).

  • For Windows installs, when using SQL Authentication to configure a Keyfactor ACME server, the current user and the application pool user become the only users that can run any of the Command Line Tool commands. When Windows authentication is used, the application pool user is granted permissions to access the SQL Server and the Keyfactor ACME database.

• Authentication and Authorization:

  • Keyfactor ACME uses OAuth token authentication for two purposes:

    1. Client Authentication: To authenticate clients to the Keyfactor ACME server when acquiring EAB keys.

    2. Server Authentication: To authenticate Keyfactor ACME to Keyfactor Command when enrolling for certificates.

       Note:  The authentication mechanism from Keyfactor ACME to Keyfactor Command can optionally be configured to Basic Authentication instead of OAuth, if desired, but this requires that the Keyfactor Command implementation is configured to Basic Authentication only, not Windows Authentication for the Keyfactor API An API is a set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command. endpoint An endpoint is a URL that enables the API to gain access to resources on a server..

    These authentication processes can use different identity providers. During setup, configuration details are provided for this information.

  • The client account configured to authenticate to Keyfactor Command must have Certificates > Enrollment > Csr and Certificates > Enrollment > Read permissions in Keyfactor Command.

  • During configuration, authentication to and authorization for the Keyfactor Command server are verified. The authentication type enabled on the Keyfactor Command server is validated using the provided URL. If OAuth or Basic Authentication is not supported, the configuration process will not continue.

  Important:  The OAuth identity provider used to authenticate to Keyfactor Command must be defined as an identity provider in Keyfactor Command.
• The Keyfactor API is used to communicate between Keyfactor ACME and Keyfactor Command to perform the certificate request, renew, and revocation tasks.
• The hostname of the Keyfactor ACME server is used to build the URLs to which the ACME client can make calls. For more information on configuring Keyfactor ACME load balancing, see Configuring Keyfactor ACME for Load Balancing on Windows.
• A virtual directory is created on the web server using Keyfactor ACME authentication. The default value is ACME (e.g. https://acmeserver.keyexample.com/ACME), but that can be changed by passing another value during configuration.
• On Windows, an application pool user identity is used to run the Keyfactor ACME application.