Create Service Accounts for the Keyfactor Remote CA Gateway
The Keyfactor Remote CA Gateway makes use of up to two service accounts to allow it to communicate with the on-premise CA(s) and the Keyfactor Command server. The Keyfactor Gateway Connector Service on the Keyfactor Remote CA Gateway Connector server runs as one service account. A second service account may be configured in the Keyfactor Remote CA Configuration Portal to allow the Keyfactor Remote CA Gateway to make a connection to the CA to read certificate records, enroll for new certificates, and perform management functions such as revocation. Under some circumstances, the same service account may be used for both roles.
A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA.
The Keyfactor Gateway Connector is installed in the customer forest to provide a connection between the on-premise CA and the Azure-hosted, Keyfactor-managed Hosted Configuration Portal, providing support for synchronization, enrollment and management of certificates through the Azure-hosted instance of Keyfactor Command for the on-premise CA. It is supported on both Windows and Linux.
Keyfactor Remote CA Gateway Connector Service
Windows
When the Keyfactor Remote CA Gateway Connector is installed on Windows, you may use either the built-in Network Service account or a custom service account to run the service. The custom service account may be either an Active Directory service account or a local machine account. Of the custom service account choices, an Active Directory account is more typically used unless the machine is not domain-joined. If you use an Active Directory service account, it needs to be a service account in the forest in which the Keyfactor Remote CA Gateway Connector is installed.
An Active Directory forest (AD forest) is the topmost logical container in an Active Directory configuration; it contains domains and objects such as users and computers.
The Keyfactor Gateway Connector Service on the server on which the Keyfactor Remote CA Gateway Connector is installed runs as the service account you select for this role. The service account requires local "Log on as a service" permissions.
Linux
For the purposes of this documentation, it is assumed that Linux machines will be non-domain-joined and will use a local account to run the Keyfactor Remote CA Gateway Connector.
For Linux systems, Keyfactor recommends running the service as an account other than root. The default account, keyfactor-gatewayconnector, will be created automatically during the install if the force option is used. If you prefer not to use the force option, you may create a local service account before running the installation script.
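As an added example (not part of this page and not Keyfactor's installer code), the following POSIX shell script pre-creates the local account before the installation script is run and checks that the resulting passwd entry is suitable for a service: a non-root UID and a shell that does not permit interactive logins. The account name keyfactor-gatewayconnector is the default stated above; the nologin path and the useradd options are assumptions that vary by distribution.

```shell
#!/bin/sh
# Added example: pre-create the local service account for the Keyfactor Remote CA
# Gateway Connector on Linux. Not Keyfactor's installer code. Run as root.
SVC_USER="${SVC_USER:-keyfactor-gatewayconnector}"   # default account name from the page
NOLOGIN="${NOLOGIN:-/usr/sbin/nologin}"              # assumption: /sbin/nologin on RHEL-style systems

# Return 0 when a passwd(5) entry describes a suitable service account:
# a non-root UID and a shell that does not allow interactive logins.
check_service_account_entry() {
    entry="$1"
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    [ -n "$uid" ] || return 1
    [ "$uid" -ne 0 ] || return 1
    case "$shell" in
        */nologin|*/false) return 0 ;;
        *) return 1 ;;
    esac
}

# Create the account if it is missing, then verify the entry that resulted.
create_service_account() {
    if ! getent passwd "$SVC_USER" >/dev/null 2>&1; then
        # --system: low UID, no password ageing; --no-create-home: nothing to log in to
        useradd --system --no-create-home --shell "$NOLOGIN" "$SVC_USER" || return 1
    fi
    entry=$(getent passwd "$SVC_USER") || return 1
    if check_service_account_entry "$entry"; then
        echo "ok: $entry"
    else
        echo "unsuitable entry for $SVC_USER: $entry" >&2
        return 1
    fi
}

# Only touch the system when explicitly asked, so the functions can be sourced safely.
if [ "${1:-}" = "--create" ]; then
    create_service_account
fi
```

Run it as `sh create-svc-account.sh --create` before the installation script; the check function can also be run on its own against `getent passwd keyfactor-gatewayconnector` after an install that used the force option, to confirm the automatically created account is not root and cannot log in interactively.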
Keyfactor Remote CA Configuration Portal Application Pool
The IIS application pool for the Keyfactor Remote CA Configuration Portal runs in the context of an Active Directory user in the Keyfactor-managed forest. This application pool user needs to be granted permissions to manage the Keyfactor Remote CA Configuration Portal (see Security Tab); all management tasks in the portal are done in the context of this user. This service account information will be provided to you by your Keyfactor representative.
Keyfactor Remote CA Configuration Portal CA Connection Account
Microsoft CAs
When each Microsoft CA is configured in the Keyfactor Remote CA Configuration Portal, a service account from the on-premise forest must be configured to allow a connection to be made from the Keyfactor Remote CA Gateway (and thus Keyfactor Command) to the on-premise CA via the Keyfactor Remote CA Gateway Connector (see CA Connection Tab). If the Keyfactor Remote CA Gateway Connector has been installed to run using an Active Directory service account, this same account may be used for the CA connection role. If the Keyfactor Remote CA Gateway Connector is running as a local account, an Active Directory service account needs to be created for this role.
EJBCA CAs
When each EJBCA CA is configured in the Keyfactor Remote CA Configuration Portal, a client certificate is selected to authenticate the Keyfactor Remote CA Gateway Connector to the Keyfactor Gateway Connector Service and Keyfactor Command (see CA Connection Tab). This certificate needs to be issued from the EJBCA CA and associated with an EJBCA end entity. An end entity may be created specifically for this role, or an existing end entity may be used. For Windows, the certificate needs to either be installed in the local computer personal store of the gateway connector server or hosted in a file path on the gateway connector server. For Linux, the certificate needs to be hosted in a file path on the gateway connector server.
The service accounts need to be created prior to installation of the Keyfactor Remote CA Gateway Connector software (except as noted above for installations on Linux), and the person installing the Keyfactor Remote CA Gateway Connector software and configuring the CA(s) in the Keyfactor Remote CA Configuration Portal needs to know the domain (if applicable), username and password of each service account.