
Lab 2: CA Synchronization and Monitoring


CA Sync Lab Activity

Welcome to Lab 2. In this lab, we will configure Keyfactor Command to synchronize with our local Microsoft CA. Below are the steps required to import a CA located in the same trusted forest as the Keyfactor Command Portal and set its sync schedule. First, open the browser in your lab and navigate to the Keyfactor Command Portal.

Local CA Sync

  1. In the Keyfactor Command Portal, Navigate to Locations > Certificate Authorities.

  2. You’ll see that the KFTRAIN-LAB-CA Microsoft CA was imported automatically during the installation process. Note: Keyfactor Command imports CA records for the CAs that are in the same forest as your Keyfactor Command server; CAs in other forests must be added by hand (see the bonus lab below).

  3. Double click KFTRAIN-LAB-CA to set the scan intervals.

    • Full scan: Choose Weekly, and identify the day and time of your choice. This scan will read all certificates and requests within the CA database and synchronize them into Command.

    • Incremental Scan: Set the Incremental scan to Interval for every hour. This scan reads all certificates and requests in the CA database that have been generated since the last full or incremental scan.

  4. Click Advanced in the ribbon menu.

  5. Ensure Delegate Management Operations and Delegate Enrollment are checked.

  6. Click Test and, once the test succeeds, click Save.

When the scans begin, the data will populate on the Certificate Authorities page.

Note: Delegate Management Operations is not required for synchronization, because the service account (kf_service) was granted Read access to the CA, which is all a sync needs. The option is enabled here so that pending certificate requests can be approved from the portal in a later lab: with delegation, the approval is performed under the identity of the portal user who requests it. Without this setting, Keyfactor would attempt to approve pending requests as kf_service, which does not hold the CA permission required to approve requests.
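The reads a CA sync performs can be exercised outside the portal with certutil, which helps narrow down a failing Test button to reachability, database permissions or delegation. The following is an added example, not part of the lab and not Keyfactor's own code; only the CA's logical name KFTRAIN-LAB-CA appears in the lab, so the CA host FQDN and the KFLAB domain name below are assumptions.

```powershell
# Added example (not from the lab or from Keyfactor Command): the CA database reads a sync job
# relies on, issued with certutil so they can be tested outside the portal.
# Assumptions: the CA host FQDN and the KFLAB domain are placeholders; only the logical name
# KFTRAIN-LAB-CA is given in the lab.
$CaConfig = 'kftrain-lab-ca.kflab.lab\KFTRAIN-LAB-CA'

# 1. Reachability: the Active Directory Certificate Services service must answer over RPC/DCOM
#    from the Keyfactor Command server. This is the first thing the portal's Test button needs.
certutil -ping -config $CaConfig

# 2. Read access: a full scan enumerates the whole CA database. Start the shell as the service
#    account first so the ACL being tested is kf_service's, not your own:
#      runas /user:KFLAB\kf_service powershell.exe
certutil -config $CaConfig -view -restrict "RequestID<=10" `
    -out "RequestID,RequesterName,CertificateTemplate,NotBefore,Disposition" csv

# 3. What an incremental scan pulls: only rows newer than the previous run. certutil accepts
#    dates in the local short-date format inside -restrict clauses.
$since = (Get-Date).AddDays(-1).ToString('d')
certutil -config $CaConfig -view -restrict "NotBefore>=$since" `
    -out "RequestID,CommonName,NotBefore,NotAfter" csv

# 4. Pending requests (Disposition 9). Listing them needs only Read; approving or denying them
#    needs the Issue and Manage Certificates permission, which is why the lab delegates
#    management operations to the portal user instead of granting that right to kf_service.
certutil -config $CaConfig -view -restrict "Disposition=9" `
    -out "RequestID,RequesterName,SubmittedWhen" csv
```

If step 1 fails the problem is DNS, firewall (RPC endpoint mapper on TCP 135 plus the dynamic DCOM range) or the CA service itself; if step 1 succeeds and step 2 is refused, the service account lacks Read on the CA's Security tab.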

Bonus Lab: Adding a Remote CA

Remote CAs can also be added explicitly. A remote CA is one located in a different forest from the Keyfactor Command application, so it is not imported automatically. In addition to entering the host name and logical name of the CA, you may need to supply specific credentials to access it.

When a CA is in the same forest (or in a forest with an appropriate trust), explicit credentials are not always required, because the Keyfactor service account(s) can simply be granted access to the CA. If no suitable trust exists between the two forests, set a credential from the CA's forest for Keyfactor to use when connecting to the CA.

Try it out for yourself. Can you add a remote CA in Keyfactor with the following attributes?

Configuration          Value
Host Name              remote-ca.kflab2.lab
Logical Name           remote-ca-lab
Configuration Tenant   kflab2.lab
User Name              kflab2\user
Password               password

Note: This bonus lab is for instructional purposes only and is included to show how a remote CA is added. Saving the entry will produce an error, which can be ignored.
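Before adding a remote CA it is worth establishing whether a trust exists and whether the CA answers under the service account's own identity or only with a credential from its forest. The following checks are an added example, not part of the lab; the host, logical name and user come from the table above, and the assumption that they are run from the Keyfactor Command server is the author's.

```powershell
# Added example (not from the lab or from Keyfactor): checks to run from the Keyfactor Command
# server before deciding whether a remote CA needs explicit credentials.
# Values are taken from the bonus lab table; nothing else about kflab2.lab is known.
$RemoteHost = 'remote-ca.kflab2.lab'
$RemoteCa   = "$RemoteHost\remote-ca-lab"

# 1. Does this server's forest trust the CA's forest? If kflab2.lab is missing from the list,
#    the service account's identity is meaningless to the CA and a credential is required.
nltest /domain_trusts /all_trusts

# 2. Name resolution and the RPC endpoint mapper (TCP 135), which every DCOM call to the CA
#    starts with. A failure here is network, not identity.
Resolve-DnsName $RemoteHost
Test-NetConnection -ComputerName $RemoteHost -Port 135

# 3. Ping the CA with the current identity (the service account, if run under it).
certutil -ping -config $RemoteCa

# 4. Repeat the ping with the remote-forest credential from the table. /netonly keeps the local
#    token and presents the supplied identity only on network connections, which is comparable
#    to how an explicit CA credential is used. runas prompts for the password; do not put it
#    on the command line.
runas /netonly /user:kflab2\user "certutil -ping -config $RemoteCa"
```

If step 3 fails and step 4 succeeds, the Keyfactor CA record needs the explicit credential; if both fail, fix reachability or the CA's permissions first.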

CRL Monitoring

  1. Navigate to Alerts > Revocation Monitoring.

  2. Click Add to create a new monitoring location.

  3. In the Revocation Endpoint Settings dialog, type KFTrain-LAB-CA-CRL as a display name for the CRL location.

  4. Select CRL in the Endpoint Type dropdown.

  5. In the Location field, type the URL of the CRL to monitor. For the lab CA this is the CRL distribution point URL of KFTRAIN-LAB-CA, which you can read from the CRL Distribution Points extension of any certificate it has issued.

  6. In the Show on Dashboard section, click the Warn check box.

  7. Enter the number of weeks, days, or hours of your choice ahead of expiration for warning flags to begin appearing on the Management Portal dashboard.

  8. In the Monitoring Execution Schedule section, set how often the endpoint is checked.

  9. Enter the schedule of your choice. Check more often than the CA republishes its CRL; otherwise a CRL that fails to publish can sit expired until the next check runs.

  10. Uncheck the Use Workflows checkbox.

  11. In the Email Reminder (CRL only) section, click the Warn check box.

  12. Enter the number of days ahead of expiration that you would like the email reminders to begin sending.

  13. In the Recipients section, add the email addresses of the users and/or groups who should receive email notifications. In the case of your lab this will be your email address.

  14. Click Save.
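The revocation monitoring entry above fetches the CRL and compares its Next Update to a warning lead time. The script below does the same check stand-alone, which is useful for validating the lead time you chose against the real CRL before relying on dashboard flags or e-mail reminders. It is an added example, not part of the lab or of Keyfactor Command; the CRL URL and the CA certificate path are assumptions, since the lab leaves the CRL location to you.

```powershell
# Added example (not from the lab or from Keyfactor Command): a stand-alone CRL expiry check
# that mirrors the monitoring entry configured above.
# Assumptions: the CRL URL and the CA certificate path below are placeholders.
param(
    [string]$CrlUrl     = 'http://kftrain-lab-ca.kflab.lab/CertEnroll/KFTRAIN-LAB-CA.crl',
    [string]$CaCertPath = "$env:TEMP\KFTRAIN-LAB-CA.cer",
    [int]   $WarnDays   = 2
)

$crlFile = Join-Path $env:TEMP 'monitored.crl'
Invoke-WebRequest -Uri $CrlUrl -OutFile $crlFile -UseBasicParsing

# certutil -dump prints the CRL fields one per line, with dates in the local culture's format.
$dump = certutil -dump $crlFile
if ($LASTEXITCODE -ne 0) { throw "certutil could not parse $crlFile; is $CrlUrl really a CRL?" }

function Get-DumpDate([string[]]$Lines, [string]$Field) {
    $line = ($Lines | Select-String -Pattern "^\s*$($Field):" | Select-Object -First 1).Line
    if (-not $line) { throw "$Field not found in CRL dump" }
    # Split on the first colon only; the value itself contains a time with colons.
    [datetime]::Parse(($line -split ':\s*', 2)[1].Trim())
}

$thisUpdate = Get-DumpDate $dump 'ThisUpdate'
$nextUpdate = Get-DumpDate $dump 'NextUpdate'
$remaining  = $nextUpdate - (Get-Date)

# An expired CRL is a revocation-checking outage for every relying party that requires one.
if ($remaining -le [timespan]::Zero) {
    Write-Warning "CRL EXPIRED at $nextUpdate"
} elseif ($remaining.TotalDays -le $WarnDays) {
    Write-Warning "CRL expires in $([int]$remaining.TotalHours) h (NextUpdate $nextUpdate)"
} else {
    "OK: CRL valid from $thisUpdate to $nextUpdate ($([int]$remaining.TotalDays) days left)"
}

# The lead time is only meaningful if it is shorter than the CRL's validity window: with a
# weekly CRL and a 7-day warning, the dashboard would flag the endpoint permanently.
$window = $nextUpdate - $thisUpdate
if ($WarnDays -ge $window.TotalDays) {
    Write-Warning "WarnDays ($WarnDays) is not shorter than the CRL validity window ($([int]$window.TotalDays) days)"
}

# Optional: confirm the CRL is signed by the expected CA, not merely well-formed.
if (Test-Path $CaCertPath) { certutil -verify $crlFile $CaCertPath }
```

Run it on a schedule that is shorter than the CRL publication interval, and treat a download failure the same way as an expired CRL: an unreachable distribution point has the same effect on relying parties.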
