Add a New Certificate Authority

Before you can add a new CAClosed A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA. record, you must have at least one Keyfactor Remote CA Gateway ConnectorClosed The Keyfactor Gateway Connector is installed in the customer forest to provide a connection between the on-premise CA and the Azure-hosted, Keyfactor managed Hosted Configuration Portal to provide support for synchronization, enrollment and management of certificates through the Azure-hosted instance of Keyfactor Command for the on-premise CA. It is supported on both Windows and Linux. that appears on the Gateway Connector page and shows as approved and connected (see Gateway Connectors).

Note:  

  • For the given EJBCA instance, validation will occur to ensure that the CA name provided is valid. An invalid name will prevent the CA from being saved in the Remote CA Portal.

  • For EJBCA, validation will occur to ensure that the version is 7.8.1 or greater and if not, an error message is displayed.

To create a new CA record:

  1. In the Hosted Configuration PortalClosed The Keyfactor Hosted Configuration Portal is used to configure connections between on-premise instances of the Keyfactor Gateway Connector and and on-premise CAs to make them available to Azure-hosted instance of Keyfactor Command.The portal is Azure-hosted and managed by Keyfactor. select the Certificate Authorities page.
  2. On the Certificate Authorities grid, click Add to create a new CA record.

  3. When you open the Certificate Authorities dialog, you will see several tabs. Complete the dialog using the following instructions:

    On the Basic tab:

    1. Enter the logical nameClosed The logical name of a CA is the common name given to the CA at the time it is created. For Microsoft CAs, this name can be seen at the top of the Certificate Authority MMC snap-in. It is part of the FQDN\Logical Name string that is used to refer to CAs when using command-line tools and in some Keyfactor Command configuration settings (e.g. ca2.keyexample.com\Corp Issuing CA Two). of the CA you wish to connect to using the gateway connector(s) in the Logical Name field and click Add/Edit. If desired, click Import and select from CAs pre-configured on the Keyfactor Remote CA Configuration Portal server, if available.

      Figure 9: Select Gateway Connectors

    2. In the Gateway Connectors dialog, check the box next to one or more gateway connector(s) that should be associated with the CA you entered. You may choose to select more than one gateway connector for load balancing or redundancy purposes.

      Connections to Microsoft CAs are only supported from gateway connectors running on Windows.

      Figure 10: Select Gateway Connectors

    3. Click Save to save the gateway connector selection.

    On the Security tab you define which domain accounts can access the on-premise CA via the Keyfactor Remote CA Gateway and what level of permissions those users will have. The permission levels can be understood in the context of the standard Microsoft CA permission levels:

    • READ
      Enumerate and read contents of certificates. This is the equivalent of the Microsoft CA Read permission.
    • ENROLL
      Request certificates from the CA. This is the equivalent of the Microsoft CA Request Certificates permission.
    • OFFICER
      Perform certificate functions such as issuance and revocation. This is the equivalent of the Microsoft CA Issue and Manage Certificates permission.
    • ADMINISTRATOR
      Configure/reconfigure settings in the Keyfactor Remote CA Configuration Portal. This is similar to the Microsoft CA Manage CA permission.

    Valid permission settings are "Allow", "None", and "Deny". Security can be defined at the user or group level. "Deny" overrides any "Allow" permissions. "None" does not grant permissions, but it also does not deny them.

    Permission for users and groups needs to be set as follows:

    • The Keyfactor Remote CA Configuration Portal application pool service account (see Keyfactor Remote CA Configuration Portal Application Pool) needs "ADMINISTRATOR": "Allow" permissions. All management of the configuration of the Keyfactor Remote CA Gateway is done in the context of this user.
    • Users who will enroll for certificates from the CA through the Keyfactor Remote CA Gateway need "READ": "Allow" and "ENROLL": "Allow" permissions.
    • Users who will revoke certificates or approve or deny pending certificates outside of Keyfactor Command but connecting to the CA through the Keyfactor Remote CA Gateway need "READ": "Allow" and "OFFICER": "Allow" permissions.
    • If you’re using Keyfactor Command, the service account under which the application pool on the Keyfactor Command Management Portal server is running needs "READ": "Allow" permission and the service account under which the Keyfactor Command service (a.k.a. the timer service) is running needs "READ": "Allow" permission. "READ": "Allow" permission is needed for the application pool account to allow the Keyfactor Command Management Portal to display the status of the Keyfactor Remote CA Gateway as "online" on the Keyfactor Command Management Portal dashboard.
    • If you’re using Keyfactor Command and plan to use the renewal event handler in expiration alerts, the service account under which the Keyfactor Command service (a.k.a. the timer service) is running needs "ENROLL": "Allow" permission and the service account under which the application pool on the Keyfactor Command Management Portal server is running needs "ENROLL": "Allow" permission if you want to test alerts.
    • Depending on your configuration choice for Kerberos delegation for the Keyfactor Remote CA Gateway, you need one of these:

    To configure security identities:

    1. Click Add.

    2. In the Add Security Identity dialog, enter an Identity Name (user or group) in DOMAIN\username format at the top and select the appropriate radio buttons for the access permissions that identity should have.

      Figure 11: Configure Security Permissions

    3. Click Save to save the security identity.
    4. Repeat for each additional security identity.

    On the Templates tab, you configure the templates from the managed forestClosed An Active Directory forest (AD forest) is the top most logical container in an Active Directory configuration that contains domains, and objects such as users and computers. that will be available for enrollmentClosed Certificate enrollment refers to the process by which a user requests a digital certificate. The user must submit the request to a certificate authority (CA). through the Keyfactor Remote CA Gateway and associate them with product types from the on-premise CA. In the case of an on-premise Microsoft CA, the product type is also a templateClosed A certificate template defines the policies and rules that a CA uses when a request for a certificate is received.. Optionally, parameters can be configured for the templates. Neither the Microsoft CA nor the EJBCA CA make use of optional parameters for templates.

    Tip:  No synchronization of templates occurs between the managed forest and the on-premise forest.

    To add a new template record:

    1. Click Add.
    2. In the Add Template dialog, enter a Template Short Name for a template that exists in the managed forest. You can find the list of existing templates for the managed forest in Keyfactor Command on the Certificate Templates page. For more information about certificate templates in Keyfactor Command, see the the Keyfactor Command Reference Guide1.

    3. Enter a Product ID for a product that exists in the on-premise CA. For a Microsoft CA, this will be another Template Short Name—in this case for a template available for enrollment from the on-premise CA. The template names in the managed and on-premise forest do not need to match, though a close approximation helps to keep track of things. For an EJBCA CA, these will be certificate profiles configured for support on the end entity profile that you configure on the CA Connection Tab (e.g. SERVER). Product IDs will vary for custom CA extensions.

      The Product ID field is case sensitive—SERVER is not equal to Server.
      If Keyfactor has upgraded your hosted instance and advised you that you need to make template configuration changes to the EJBCA CA, the changes are as follows:

      For each template, modify the template ProductID from the current value of the certificate profile name (CertificateProfileName) to include the end entity profile name (EndEntityProfileName) in this format: " EndEntityProfileName_CertificateProfileName".

      Figure 12: Add a Template for a Microsoft CA

    4. To add an optional parameterClosed A parameter or argument is a value that is passed into a function in an application., click Add. Enter a Parameter Key and Parameter Value and Save. Parameters are configured on a template-by-template basis, so if you are entering more than one template with the same set of parameters, the parameters must be configured for each template.
      Note:  Neither the Microsoft CA nor the EJBCA CA makes use of optional parameters for templates.
    5. Click Save to save the template.
    6. Repeat for each additional template.

    On the Service Settings tab, configure the settings that control synchronization periods and timeouts for communications between the Keyfactor Remote CA Gateway and the on-premise CA. The settings include:

    • View Idle (Minutes)

      A timeout interval setting, defined in minutes, for certificate synchronization jobs between the on-premise CA and the Keyfactor Remote CA Gateway. The suggested setting is 8 minutes.

    • Full Scan Period (Hours)

      A scan period to specify how often, in hours, the Keyfactor Remote CA Gateway will perform a full synchronization from the on-premise CA to the gateway. The suggested setting is 24 hours.

    • Partial Scan Period (Minutes)

      A scan period to specify how often, in minutes, the Keyfactor Remote CA Gateway will perform a partial or incremental synchronization from the on-premise CA to the gateway. The suggested setting is 10 minutes.

    Figure 13: Configure Service Settings

    Note:  These settings control synchronization only between the on-premise CA and the Keyfactor Remote CA Gateway. Synchronization between the Keyfactor Remote CA Gateway and Keyfactor Command is configured separately in the Keyfactor Command Management Portal.

    On the Gateway Registration tab, configure information regarding the intermediate or root chain certificate for the SSLClosed TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are protocols for establishing authenticated and encrypted links between networked computers. certificate installed on the Keyfactor Remote CA Gateway server (see Configure a Certificate Root Trust for the Keyfactor Remote CA Gateway). The settings include:

    • Store Name

      The store name where the chain certificate from the CA is located (e.g. CA for the Intermediate Certification Authorities store or Root for the Trusted Root Certification Authorities store).

    • Store Location

      The store location where the chain certificate from the CA is located (e.g. LocalMachine for local computer).

    • Thumbprint

      The thumbprint of the intermediate or root chain certificate from the CA.

    Figure 14: Configure Gateway Registration

    Note:  Contact your Keyfactor representative for assistance with these settings.

    On the CA Connection tab, configure connection settings specific to the on-premise CA. These will vary depending on the type of CA. Out-of-the-box, Microsoft and EJBCA CAs are supported.

    • HostnameClosed The unique identifier that serves as name of a computer. It is sometimes presented as a fully qualified domain name (e.g. servername.keyexample.com) and sometimes just as a short name (e.g. servername).

      The FQDN of the on-premise CA.

    • Logical Name

      The logical name of the on-premise CA.

    • Use Default Credentials

      A value of True or False that indicates whether the service account that the gateway connector is running as (see Keyfactor Remote CA Gateway Connector Service) should also be used to make the connection to the CA for certificate synchronization (see Keyfactor Remote CA Configuration Portal CA Connection Account), enrollment and management. The gateway connector must be running as a domain account in order to set this value to True. If this value is set to False, the connection is made using the Username and Password provided in the CA connection information.

    • Username

      The domain service account (e.g. DOMAIN\username) from the on-premise Active Directory used to make the connection to the CA if UseDefaultCredentials is False (see Keyfactor Remote CA Configuration Portal CA Connection Account). This account must have Read, Enroll, and Manage CA permissions on the CA and will need Read and Enroll permissions for any on-premise templates that will be used for enrollment.

    • Password

      The password for the service account specified in Username.

    • Standalone

      A value of True or False that indicates whether the on-premise CA is a standalone CA.

    • Forest

      The Active Directory forest where the on-premise CA resides.

    • Max Errors

      A numeric value that indicates the number of times an attempt should be made to read records from the on-premise CA before the job ends with a failure (e.g. 5).

    • Batch Size

      A numeric value that indicates the number of records to retrieve from the on-premise CA in each batch of records during synchronization jobs (e.g. 100). If certificate records are especially large and errors are occurring on synchronization, it may help to reduce the batch size.

    Figure 15: Configure CA Connection for a Microsoft CA

    • End Entity Profile Name

      The name of the end entity profile in the EJBCA database that should be used for certificate synchronization and enrollment.

      • Once the remote EJBCA CA portal has been upgraded to be compatible with Keyfactor Command version 10, or higher, this field will not be used. Multiple end entity profiles will be supported, which will be configured in the templates section (see Templates Tab).

    • Certificate AuthorityClosed A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA. Name

      The logical name of the EJBCA CA.

    • Username

      The end entity in the EJBCA database that should be associated with newly enrolled certificates.

      Tip:  An end entity record will automatically be created in the EJBCA database for this end entity if the end entity associated with the certificate specified in the Client Certificate setting has sufficient permissions to create end entities.

    • Password

      The password for the end entity specified by Username.

    • Client Certificate

      Certificate information for the certificate used to authenticate to the EJBCA database (see Keyfactor Remote CA Configuration Portal CA Connection Account) for synchronization, enrollment and management of certificates. Enter either the StoreName (e.g. My for the local computer personal store on Windows), StoreLocation, and Thumbprint for the certificate on the gateway connector server or the CertifcatePath and CertificatePassword for a PKCS12 file containing the certificate on the gateway connector server.

      Figure 16: Configure Client Certificate for an EJBCA CA

      The end entity associated with this certificate does not need to be the same end entity specified by the Username setting.

    • URL

      The URL pointing to your EJBCA server. If the URL provided does not have a virtual directory (/ejbca or otherwise) the /ejbca will be provided, otherwise it will use what is supplied in the URL.

    Figure 17: Configure CA Connection for an EJBCA CA

  4. Click Save to save the configuration.