Keyfactor ACME Architecture

The elements of Keyfactor ACME are:

  • Microsoft SQL Server:

    • The Keyfactor ACME SQL database holds the Keyfactor ACME accounts, application settings, certificates, orders, authorizations, nonces, and secrets.
    • The Keyfactor ACME database is a separate schema that can be loaded on the same database server as Keyfactor Command.
    • Multiple Keyfactor ACME servers can use a common database to allow for load balancing. For more information on configuring Keyfactor ACME load balancing, see Configuring Keyfactor ACME for Load Balancing.

    • When using SQL Authentication to configure a Keyfactor ACME server, the current user and the application pool user become the only users that can run any of the Command Line Tool commands. When Windows authentication is used, the application pool user is granted permissions to access the SQL Server and the Keyfactor ACME database.

    • By default, sensitive data—such as EAB HMAC keys—is securely stored in the Keyfactor ACME database using SQL encryption. However, an additional layer of security can be added with application-level encryption (see Encryption).

  • Authentication and Authorization:

    • Keyfactor ACME uses OAuth token authentication for two purposes:

      1. Client Authentication: To authenticate clients to the Keyfactor ACME server when acquiring EAB keys.
      2. Server Authentication: To authenticate Keyfactor ACME to Keyfactor Command when enrolling for certificates.

      These authentication processes can use different identity providers. During setup, configuration details are provided either via parameters or interactively.

    • The client account configured to authenticate to Keyfactor Command must have Certificates > Enrollment > Csr and Certificates > Enrollment > Read permissions in Keyfactor Command.
    • During configuration, authentication to and authorization for the Keyfactor Command server are verified. The Keyfactor ACME configuration tool checks the authentication type enabled on the Keyfactor Command server using the provided URL. If OAuth is not supported, the configuration process will not continue.

    Important: The identity provider used to authenticate to Keyfactor Command must be defined as an identity provider in Keyfactor Command.
  • The Keyfactor API endpoint is used to communicate between Keyfactor ACME and Keyfactor Command to perform the certificate request and renewal tasks.
  • An application pool user identity is used to run the Keyfactor ACME application.
  • The hostname of the Keyfactor ACME server is used to build the URLs to which the ACME client can make calls. For more information on configuring Keyfactor ACME load balancing, see Configuring Keyfactor ACME for Load Balancing.
  • A virtual directory is created under the IIS default web site using Keyfactor ACME authentication. The default value is ACME (e.g. https://acmeserver.keyexample.com/ACME), but that can be changed by passing another value to the configuration tool.

Figure 1: Keyfactor ACME Architecture
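The EAB HMAC keys stored in the Keyfactor ACME database (and the client authentication step that hands them out) exist to support ACME External Account Binding (RFC 8555 section 7.3.4): an ACME client proves possession of a shared HMAC key when it creates its account, and the server ties the new ACME account to the client identity that obtained the key. The following Python is an added illustration of that binding, not Keyfactor code; the key identifier, MAC key, newAccount URL and account JWK are constructed sample values, and the in-memory key store stands in for whatever database lookup a real server performs. It shows both sides: the client building the EAB JWS, and the server checks that prevent an attacker from reusing a stolen binding for a different account key or a different endpoint.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Tuple

# ---- helpers -------------------------------------------------------------

def b64url(data: bytes) -> str:
    """base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url; re-adds padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def canonical_json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")


# ---- client side: build the externalAccountBinding JWS ----------------------

def build_eab(kid: str, mac_key_b64url: str, new_account_url: str, account_jwk: dict) -> Dict[str, str]:
    """Create the EAB JWS that goes inside the newAccount request.

    Protected header carries alg/kid/url (no nonce, per RFC 8555 7.3.4);
    the payload is the ACME account public key (JWK); the MAC is computed
    over "protected.payload" with the shared HMAC key.
    """
    protected = b64url(canonical_json({"alg": "HS256", "kid": kid, "url": new_account_url}))
    payload = b64url(canonical_json(account_jwk))
    signing_input = f"{protected}.{payload}".encode("ascii")
    mac = hmac.new(b64url_decode(mac_key_b64url), signing_input, hashlib.sha256).digest()
    return {"protected": protected, "payload": payload, "signature": b64url(mac)}


# ---- server side: validate the binding before creating the account ---------

def verify_eab(eab: Dict[str, str], key_store: Dict[str, str], expected_url: str,
               outer_account_jwk: dict) -> Tuple[bool, str]:
    """Return (ok, reason). key_store maps kid -> base64url HMAC key.

    Rejects: unknown kid, wrong alg, a JWS minted for a different URL,
    a bad MAC, and a payload JWK that does not match the account key
    actually signing the outer newAccount request (binding reuse).
    """
    try:
        protected = json.loads(b64url_decode(eab["protected"]))
        payload_jwk = json.loads(b64url_decode(eab["payload"]))
        signature = b64url_decode(eab["signature"])
    except (KeyError, ValueError):
        return False, "malformed EAB JWS"

    if protected.get("alg") != "HS256":
        return False, "unsupported EAB alg"
    mac_key_b64url = key_store.get(protected.get("kid", ""))
    if mac_key_b64url is None:
        return False, "unknown EAB key identifier"
    if protected.get("url") != expected_url:
        return False, "EAB url does not match this newAccount endpoint"

    signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
    expected_mac = hmac.new(b64url_decode(mac_key_b64url), signing_input, hashlib.sha256).digest()
    # Constant-time comparison: never compare MACs with ==.
    if not hmac.compare_digest(expected_mac, signature):
        return False, "EAB MAC verification failed"
    if payload_jwk != outer_account_jwk:
        return False, "EAB payload key does not match the account key"
    return True, "ok"


# ---- constructed sample data (not real keys) -------------------------------

SAMPLE_KID = "kid-demo-001"
SAMPLE_MAC_KEY = b64url(b"0123456789abcdef0123456789abcdef")   # 32-byte constructed secret
SAMPLE_URL = "https://acmeserver.keyexample.com/ACME/new-account"  # assumed endpoint path
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
KEY_STORE = {SAMPLE_KID: SAMPLE_MAC_KEY}


def demo() -> Tuple[bool, str]:
    eab = build_eab(SAMPLE_KID, SAMPLE_MAC_KEY, SAMPLE_URL, SAMPLE_JWK)
    return verify_eab(eab, KEY_STORE, SAMPLE_URL, SAMPLE_JWK)


if __name__ == "__main__":
    print(demo())
```

The payload-versus-outer-key check is the one most often skipped: without it, a valid EAB captured from one client could be attached to a different ACME account key, which defeats the purpose of storing the HMAC key per client identity in the first place.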