Lab 8: Certificate Stores
Certificate Store Lab Activity
Certificate stores and Orchestrators go hand in hand within the Keyfactor platform. You can't have a certificate store to manage without the appropriate orchestrator to interact with that store. In this lab we are going to dive into the configuration that supports the out of the box IIS capability and configure our orchestrator to manage our local IIS certificate store.
Certificate Store Types
Certificate store types define the configuration elements required to add a new certificate store to Keyfactor. The certificate store type also defines the job types supported by the certificate store. When deploying a new certificate store type, you should always reference the documentation for that particular type, because each type requires different configuration when it is created. Let's take a look at the Windows Certificate store type available by default in Keyfactor.
Navigate to Gear Icon > Certificate Store Types.
Double click on the Windows Certificate Store Type.
On the Basic tab, we can see the supported job types and general store settings.
On the Advanced tab, we can see additional options for how the certificate store type must be configured when adding a new store.
On the Custom Fields tab, we can see a custom boolean field that must be set during configuration. These typically are configuration values expected by the orchestrator for ALL certificate stores of this type.
On the Entry Parameters tab, we can configure certificate store-specific values that may need to be passed to the orchestrator. You will find several configuration values here that are specific to the Windows Certificate Store Type.
Let's click cancel on this dialog and move to create a new certificate store so we can add certificates to it.
Certificate Stores
Certificate stores are the specific locations within an environment that contain certificates we want to inventory and manage. We need to explicitly add these stores to Keyfactor. There are a number of ways to do this:
API
The /CertificateStores endpoint can be used to script the creation of certificate stores if you have the details available in another system or file.
Manual Entry
Certificate stores can be added on an ad hoc basis via the Portal UI. We will cover this method in this lab.
Certificate Store Discovery
Some certificate store types support the discovery job type. This job type accepts input from the user in the portal for directories and file name patterns to match. Any file matching the criteria is added to the Discover tab and can be approved and added to the certificate store list from the discovery job results.
Let's create a new certificate store to represent our local Windows Certificate store:
Navigate to Locations > Certificate Stores.
Click Add in the ribbon menu.
Create a new Certificate Store with the following settings:
| Configuration | Value |
| --- | --- |
| Category | Windows Certificate |
| Container | Leave Blank |
| Client Machine | command.kftrain.lab |
| Store Path | My |
| Orchestrator | COMMAND |
| SPN With Port | False |
| WinRM Protocol | http |
| WinRM Port | 5985 |
| Update Server Username | In the popup window, choose Load from Keyfactor Secrets, and enter kftrain\kf_orch for both values. |
| Update Server Password | In the popup window, choose Load from Keyfactor Secrets, and enter Password1 for both values. |
| Use SSL | False |
| Inventory Schedule | Interval every 5 minutes |
Note: Double check everything before saving, as some settings may revert to default after setting the username, password, or schedule.
Click Save.
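The API route mentioned earlier (the /CertificateStores endpoint) can create the same store that the table above describes by hand. The script below is an added example and is not part of the Keyfactor lab or of Keyfactor's own tooling. The request field names (ClientMachine, Storepath, CertStoreType, AgentId, Properties, InventorySchedule), the custom-field keys inside Properties and the shape of the secret-typed values are assumptions about the Command API; confirm them against the API reference served by your own instance before relying on them. The script first checks that the target really answers on the WinRM protocol and port the table specifies, since an unreachable listener is the most common reason a new store inventories nothing.

```powershell
# Added example, not from the lab: create the Windows Certificate store from the
# table above through the Command API. Field names and Properties keys are
# ASSUMPTIONS; verify them against your instance's API reference.

$KeyfactorApi = "https://command.kftrain.lab/KeyfactorAPI"    # lab host; API path assumed
$ApiCred      = Get-Credential -Message "Keyfactor API user"   # prompt, never hard-code

# Headers the Command API expects on every request.
$Headers = @{
    "x-keyfactor-requested-with" = "APIClient"
    "x-keyfactor-api-version"    = "1"
    "Content-Type"               = "application/json"
}

function Test-OrchestratorPath {
    # Pre-flight: the table configures WinRM over http on 5985, so confirm the
    # target answers on exactly that protocol/port before creating the store.
    param([string]$ClientMachine = "command.kftrain.lab", [int]$Port = 5985, [switch]$UseSsl)
    try {
        Test-WSMan -ComputerName $ClientMachine -Port $Port -UseSSL:$UseSsl -Authentication Default -ErrorAction Stop | Out-Null
        return $true
    } catch {
        Write-Warning "WinRM not reachable on ${ClientMachine}:$Port - $($_.Exception.Message)"
        return $false
    }
}

function Get-KfIds {
    # Resolve the two values the table gives by name: the "Windows Certificate"
    # store type id and the AgentId of the orchestrator named COMMAND.
    # Response property names (Name, StoreType, ClientMachine, AgentId) are assumptions.
    $types  = Invoke-RestMethod -Uri "$KeyfactorApi/CertificateStoreTypes" -Headers $Headers -Credential $ApiCred
    $agents = Invoke-RestMethod -Uri "$KeyfactorApi/Agents"                -Headers $Headers -Credential $ApiCred
    [pscustomobject]@{
        StoreTypeId = ($types  | Where-Object Name          -eq "Windows Certificate").StoreType
        AgentId     = ($agents | Where-Object ClientMachine -eq "COMMAND").AgentId
    }
}

function New-WindowsCertStore {
    param([int]$StoreTypeId, [string]$AgentId)

    # Custom fields travel as a JSON string in Properties. The service account
    # password is read from the environment (the lab's literal value is not
    # embedded here); the secret-value shape is an assumption.
    $properties = @{
        spnwithport    = "False"
        WinRmProtocol  = "http"
        WinRmPort      = "5985"
        ServerUsername = @{ value = @{ SecretValue = "kftrain\kf_orch" } }
        ServerPassword = @{ value = @{ SecretValue = $env:KF_ORCH_PASSWORD } }
        ServerUseSsl   = "False"
    } | ConvertTo-Json -Compress -Depth 4

    $body = @{
        ClientMachine     = "command.kftrain.lab"
        Storepath         = "My"                 # the LocalMachine Personal store
        CertStoreType     = $StoreTypeId
        AgentId           = $AgentId
        Properties        = $properties
        InventorySchedule = @{ Interval = @{ Minutes = 5 } }   # "Interval every 5 minutes"
        Approved          = $true
    } | ConvertTo-Json -Depth 5

    Invoke-RestMethod -Method Post -Uri "$KeyfactorApi/CertificateStores" -Headers $Headers -Credential $ApiCred -Body $body
}

if (Test-OrchestratorPath) {
    $ids = Get-KfIds
    New-WindowsCertStore -StoreTypeId $ids.StoreTypeId -AgentId $ids.AgentId
}
```

The http/5985 and Use SSL = False values are the lab's settings; the same script with WinRmProtocol https, WinRmPort 5986, ServerUseSsl True and Test-OrchestratorPath -UseSsl describes a store whose orchestrator traffic to the target is protected by TLS, which is what you would want outside a training environment.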
Now that we've created a store, our inventory schedule will run every 5 minutes. This will query the certificate store and report back all certificates located in the personal store. Let's check out the personal store on this machine so we can compare it to our query results.
Click Start > Run (or Win + R).
Enter certlm.msc.
Click Run.
Navigate to the Personal folder.
Click Certificates.
Note: If your inventory is blank, you may need to restart the Orchestrator Service. By default, if an orchestrator is not approved, it will wait 30 minutes before checking whether it has been approved. You can force the orchestrator to check for a recent approval by restarting the service from the Windows Services dialog.
On this screen, we can see all of the certificates contained in the personal store on our local machine. We can compare this to all certificates found in the list by going back to the portal, selecting the certificate store we just created and clicking the View Inventory button in the ribbon.
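Comparing the certlm.msc view with the View Inventory page by eye works for a handful of certificates; the script below does the same comparison on thumbprints so that missing or stale entries stand out. It is an added example, not part of the lab: it enumerates the same Cert:\LocalMachine\My location the store's "My" path points at, and compares it with a list of portal thumbprints that is constructed sample data here (paste the thumbprints from your View Inventory page in its place).

```powershell
# Added example, not from the lab: enumerate the LocalMachine Personal store the
# way certlm.msc shows it, then diff it against the thumbprints the portal lists
# for the store. $PortalThumbprints is CONSTRUCTED sample data.

function Get-LocalPersonalStore {
    # Cert:\LocalMachine\My is the store path "My" on the LocalMachine side.
    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        [pscustomobject]@{
            Thumbprint    = $_.Thumbprint
            Subject       = $_.Subject
            NotAfter      = $_.NotAfter
            DaysRemaining = [int]($_.NotAfter - (Get-Date)).TotalDays
            HasPrivateKey = $_.HasPrivateKey   # an entry with no key cannot be used to serve TLS
        }
    }
}

function Compare-StoreInventory {
    param([string[]]$LocalThumbprints = @(), [string[]]$PortalThumbprints = @())
    # Normalise first: tools differ in case and spacing of the hex thumbprint.
    $local  = @($LocalThumbprints  | ForEach-Object { ($_ -replace '\s', '').ToUpperInvariant() })
    $portal = @($PortalThumbprints | ForEach-Object { ($_ -replace '\s', '').ToUpperInvariant() })
    [pscustomobject]@{
        OnlyLocal  = @($local  | Where-Object { $_ -notin $portal })  # not yet inventoried, or the job failed
        OnlyPortal = @($portal | Where-Object { $_ -notin $local })   # stale: removed locally since the last run
        InBoth     = @($local  | Where-Object { $_ -in    $portal })
    }
}

# CONSTRUCTED sample of what the View Inventory page might list (not real lab data).
$PortalThumbprints = @(
    "A1B2C3D4E5F60718293A4B5C6D7E8F9011223344",
    "0011223344556677889900AABBCCDDEEFF001122"
)

$localStore = @(Get-LocalPersonalStore)
$localStore | Sort-Object NotAfter |
    Format-Table Thumbprint, Subject, NotAfter, DaysRemaining, HasPrivateKey -AutoSize

$diff = Compare-StoreInventory -LocalThumbprints $localStore.Thumbprint -PortalThumbprints $PortalThumbprints
"Local only: $($diff.OnlyLocal.Count)  Portal only: $($diff.OnlyPortal.Count)  Matched: $($diff.InBoth.Count)"

# Anything the inventory shows as expiring inside a month deserves a renewal job now.
$localStore | Where-Object DaysRemaining -lt 30 |
    ForEach-Object { Write-Warning "Expiring soon: $($_.Subject) ($($_.Thumbprint))" }
```

An entry that appears only locally right after the store was created usually means the 5-minute inventory has not run yet or the orchestrator is still waiting for approval (see the note above); an entry that appears only in the portal means the inventory is older than the last change on the machine.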
Now that we've created our store and inventoried the existing certificates, let's place a new certificate in this store. Certificates can be placed directly into a store using the certificate search page or as a result of an enrollment. We'll use the certificate search page for this exercise.
Navigate to Certificates > Certificate Search.
Select any certificate.
Right click the certificate and choose Add to Certificate Store.
The Select Certificate Store Locations window will open and allow the search of supported certificate stores (based on certificate store configuration).
Select our newly created Windows Certificate store.
Click Include and Close.
The Add to Certificate Stores dialog will open. This dialog allows for scheduling of your add job and setting any entry-level parameters (based on certificate store type). We will leave these on their defaults for this lab.
Click Save. This will generate a new Orchestrator Job for the orchestrator to complete.
Navigate to Orchestrators > Jobs to see the WinCertStore job waiting to be executed.
When the job completes, refresh our Personal folder to see the newly added certificate.