Start the Gateway Services

The CA gateway service runs on the Keyfactor Cloud Gateway server and manages communications between clients in the local environment and the Keyfactor Gateway Receiver for certificate synchronization and enrollment. At the conclusion of the configuration for the gateway, the main gateway service should start automatically. If you need to stop or restart the service:

  1. On the Keyfactor Cloud Gateway server, open the Services MMC.
  2. In the Services MMC confirm that the CA gateway service is set to a Startup Type of Automatic (if desired). If the service is not running, click the green arrow to start it. The service name for the main gateway service is:

    Keyfactor Managed CA Gateway

    In addition to the main gateway service, you will also see the Keyfactor Managed CA Sync Service. This service should only be started if you have opted to configure account (user and group) and/or template synchronization (see Create or Identify Accounts for Synchronization (Optional) and Create or Identify Templates).

Important:  If you are using clustering, you should use the Microsoft Failover Cluster Manager to start and stop the role rather than starting and stopping the service through the Services MMC.

Running the Gateway Service as an Alternate Account

The gateway services are installed to run as Network Service. The process for updating to run as a domain service account is described below.

Important:  The next step uses ADSI Edit to make direct changes to an Active Directory object. Because ADSI Edit bypasses safeguards, you must have appropriate AD privileges (for example, Domain Admin) and proceed with caution.

  1. Grant permissions on the gateway enrollment services object in Active Directory:

    1. Open ADSI Edit (adsiedit.msc).

    2. Connect to the Configuration naming context.

    3. Navigate to the Enrollment Services object:

      Configuration > Services > Public Key Services > Enrollment Services

    4. In the right pane, locate the enrollment services object for the gateway (based on the gateway’s CA name), right-click, and choose Properties.

    5. In the Properties dialog on the Security tab, add the service account you will use to run the gateway (or a group to which the service account belongs) and grant it Read permissions.

    6. Open Advanced permission editing.

    7. On the Permissions tab, select the service account and click Edit.

    8. Grant the required permissions:

      • List contents

      • Read all properties

      • Write all properties

      • Read permissions

      • Modify permissions

      • All validate writes

      Figure 716: Set Permissions for the Service Account

    9. Click OK to close the permission entry, OK to close Advanced, then OK to close Properties.

  2. On the gateway server, open a command prompt using the “Run as administrator” option.

  3. In the command prompt, type the following to release the HTTP URL reservation for port 8051 from Network Service and re-create it for your custom service account (KEYEXAMPLE\svc_kyfgateway in the example below):

    netsh http delete urlacl url=http://+:8051/
    netsh http add urlacl url=http://+:8051/ user="KEYEXAMPLE\svc_kyfgateway"

  4. Open the Registry Editor:

    regedit

  5. Navigate to:

    HKEY_LOCAL_MACHINE\SOFTWARE\Keyfactor\Keyfactor CA Gateway

  6. Right-click on Keyfactor CA Gateway and choose Permissions...

  7. Add the service account user you referenced in step 3, and grant the user Full Control permission.

  8. Open the Services MMC.

  9. In the Services MMC, locate the gateway service:

    Keyfactor Managed CA Gateway

  10. Right-click the gateway service name and select Properties.

  11. In the Properties dialog on the Log On tab, Browse to locate the service account you referenced in step 3, enter the password for the service account, and click OK.

    Note:  You will see a notification that the service account has been granted Log On As A Service permissions.

  12. Restart the gateway service.

  13. If desired, repeat steps 9-12 for the sync service:

    Keyfactor Managed CA Sync Service

Note:  On upgrade, this information will not be retained and will need to be reconfigured.

Tip:  If you need to reverse the custom service account and set it back to Network Service, follow the same steps as above but with these netsh commands:

    netsh http delete urlacl url=http://+:8051/
    netsh http add urlacl url=http://+:8051/ user="Network Service"

To set the service account back to Network Service on the Log On tab, don’t click Browse. In the This account field, enter:

    NT AUTHORITY\NETWORK SERVICE

Clear the password fields and click OK.
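The same reconfiguration can be scripted for servers where the GUI steps are repeated often. The script below is an added example and is not Keyfactor tooling: it performs steps 2 through 13 above from an elevated PowerShell session, checks that step 1 was completed, and reverses the change with -RevertToNetworkService as described in the Tip. The account KEYEXAMPLE\svc_kyfgateway and the CA name GatewayCA are placeholders, and the step 1 check assumes the ActiveDirectory RSAT module is installed on the gateway server.

```powershell
<#
  Added example (not Keyfactor's own tooling). Runs steps 2-13 of the
  "Running the Gateway Service as an Alternate Account" procedure, checks
  step 1, and reverts to Network Service with -RevertToNetworkService.
  Run from an elevated PowerShell session on the gateway server.
  Assumptions: the account and CA name below are placeholders; the
  ActiveDirectory module (RSAT) is available for the step 1 check.
#>
[CmdletBinding()]
param(
    [string]$ServiceAccount = 'KEYEXAMPLE\svc_kyfgateway',   # placeholder service account
    [string]$CaName         = 'GatewayCA',                   # placeholder: the gateway's CA name
    [switch]$RevertToNetworkService,
    [switch]$IncludeSyncService
)

$ErrorActionPreference = 'Stop'
$regPath   = 'HKLM:\SOFTWARE\Keyfactor\Keyfactor CA Gateway'
$urlAcl    = 'http://+:8051/'
$netshUser = if ($RevertToNetworkService) { 'Network Service' } else { $ServiceAccount }
$logonUser = if ($RevertToNetworkService) { 'NT AUTHORITY\NETWORK SERVICE' } else { $ServiceAccount }

# Step 1 check: warn if the account has no direct Allow entry on the gateway's
# Enrollment Services object. A grant through group membership is not detected here.
if (-not $RevertToNetworkService) {
    Import-Module ActiveDirectory
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $esBase   = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
    $esObj    = Get-ADObject -SearchBase $esBase -SearchScope OneLevel -Filter "cn -eq '$CaName'"
    if (-not $esObj) { throw "No Enrollment Services object named '$CaName' under $esBase" }
    $adAcl = Get-Acl -Path "AD:\$($esObj.DistinguishedName)"
    $ace   = $adAcl.Access | Where-Object {
        $_.IdentityReference.Value -eq $ServiceAccount -and $_.AccessControlType -eq 'Allow'
    }
    if (-not $ace) {
        Write-Warning "$ServiceAccount has no Allow entry on $($esObj.DistinguishedName); finish step 1 in ADSI Edit first."
    }
}

# Step 3: move the HTTP.sys URL reservation for port 8051 to the target account.
netsh http delete urlacl url=$urlAcl | Out-Null
netsh http add urlacl url=$urlAcl user="$netshUser" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "netsh http add urlacl failed for $netshUser" }

# Steps 5-7: grant Full Control on the gateway registry key to the target account.
$regAcl = Get-Acl -Path $regPath
$rule   = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
    $logonUser, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$regAcl.AddAccessRule($rule)
Set-Acl -Path $regPath -AclObject $regAcl

# Steps 8-13: set the logon account and restart each service. Unlike the Services
# MMC, sc.exe does not grant "Log On As A Service"; confirm the account already
# holds that right (Local Security Policy) before relying on the restart.
$displayNames = @('Keyfactor Managed CA Gateway')
if ($IncludeSyncService) { $displayNames += 'Keyfactor Managed CA Sync Service' }
$password = $null
if (-not $RevertToNetworkService) {
    $cred     = Get-Credential -UserName $ServiceAccount -Message 'Service account password'
    $password = $cred.GetNetworkCredential().Password
}
foreach ($display in $displayNames) {
    $svc = Get-Service -DisplayName $display
    if ($RevertToNetworkService) {
        sc.exe config "$($svc.Name)" obj= "$logonUser" | Out-Null
    } else {
        sc.exe config "$($svc.Name)" obj= "$logonUser" password= "$password" | Out-Null
    }
    if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed for $display" }
    Restart-Service -Name $svc.Name
    $startName = (Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'").StartName
    Write-Output "$display now runs as $startName"
}

# Verification for step 3: the reservation should list the target account.
netsh http show urlacl url=$urlAcl
```

Run it once per gateway server, adding -IncludeSyncService when the sync service is in use, and keep the netsh http show urlacl output with the change record: if the reservation still names Network Service after the service has been switched, the gateway will fail to bind port 8051 on restart.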