Process Flow
The following brief flow of the process provides an understanding of how Keyfactor Mac Auto Enrollment works. Certificate enrollment is the process by which a user requests a digital certificate by submitting a request to a certificate authority (CA).
- The agent launches when a user logs into their Mac device.
- The user is prompted for their username and password (see Figure 1: Mac Agent Client Login).
- The agent captures the user credentials from the Mac device and, via the agent API, sends the credentials to the Keyfactor Command server.
- The Keyfactor Command server then searches Active Directory to find the certificate templates for which auto-enroll is enabled for the logged-on user.
- A list of the templates with the auto-enroll privilege for the logged-on user is then sent back to the agent.
- The agent then searches the Mac keychain for certificates that have been issued based on each returned template (a certificate template defines the policies and rules that a CA applies when a certificate request is received). The keychain is where the certificates and the public and private key pairs reside on the Mac.
- The agent then determines if any existing certificates are expired or within the window of expiration as defined by the template.
- If the agent has determined that an existing certificate needs replacement, or that a new certificate is needed (not replacing an existing certificate), the agent creates the public and private key pair on the Mac device (on-device key generation) and sends a CSR (certificate signing request) containing the public key back to the Keyfactor Command server, which performs the auto-enrollment process for each of the certificates. The private key is marked as non-exportable and does not leave the Mac device.
- The Keyfactor Command server sends the signed certificate back to the Mac device.
- The agent then deploys the certificate in the Mac keychain.
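The steps above describe one procedure: match the templates the server returned against what is already in the keychain, then decide per template whether to do nothing, renew, or enroll for the first time. The script below is an added example of that decision step; it is not Keyfactor's agent code. The keychain inventory, the template list, the `renewal_window` field and the `template` attribute on each certificate record are constructed for the example (in a real deployment the agent reads the keychain and the server supplies template policy), so the script runs offline.

```python
"""Renewal-window decision for an auto-enrollment agent.

Illustrative example, not Keyfactor code. The keychain inventory and the
template list returned by the server are constructed inline so the script
runs offline; the field names below are assumptions for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Template:
    name: str                  # template name as returned by the server (assumed field)
    renewal_window: timedelta  # how long before expiry the agent may renew (assumed field)


@dataclass(frozen=True)
class KeychainCert:
    template: str              # template the certificate was issued from (assumed field)
    not_after: datetime        # expiry, UTC
    serial: str


# Constructed sample data: templates the server returned for this user, and
# the certificates found in the keychain. Dates are relative to a fixed "now"
# so the outcome is deterministic.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

TEMPLATES = [
    Template("MacUserAuth", timedelta(weeks=6)),
    Template("MacWiFi", timedelta(weeks=2)),
    Template("MacVPN", timedelta(weeks=4)),
]

KEYCHAIN = [
    KeychainCert("MacUserAuth", NOW + timedelta(days=200), "01"),  # fresh, outside the window
    KeychainCert("MacUserAuth", NOW - timedelta(days=30), "00"),   # older cert, already expired
    KeychainCert("MacWiFi", NOW + timedelta(days=5), "02"),        # inside the 2-week window
    # no MacVPN certificate at all -> first-time enrollment
]


def newest_cert(certs, template_name: str) -> Optional[KeychainCert]:
    """Pick the certificate with the latest expiry for a template; None if absent.

    An expired older certificate must not trigger renewal when a newer one
    from the same template is already installed.
    """
    matching = [c for c in certs if c.template == template_name]
    return max(matching, key=lambda c: c.not_after, default=None)


def decide(template: Template, cert: Optional[KeychainCert], now: datetime) -> str:
    """Return 'enroll' (no cert), 'renew' (expired or inside the window) or 'keep'."""
    if cert is None:
        return "enroll"
    if cert.not_after <= now:
        return "renew"          # already expired: replace it
    if cert.not_after - now <= template.renewal_window:
        return "renew"          # within the template's renewal window
    return "keep"


def plan(templates, certs, now: datetime) -> dict:
    """Map each returned template to the action the agent should take next."""
    return {t.name: decide(t, newest_cert(certs, t.name), now) for t in templates}


if __name__ == "__main__":
    for name, action in plan(TEMPLATES, KEYCHAIN, NOW).items():
        print(f"{name}: {action}")
```

Only templates that come back as `enroll` or `renew` proceed to the next step (on-device key generation and a CSR sent to Keyfactor Command); a `keep` result means the agent leaves the existing certificate and its non-exportable private key untouched.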