The Windows Certificate Store Orchestrator Extension implements two certificate store types. 1) “WinCert” which manages certificates in a Windows local machine store, and 2) “IISU” which manages certificates and their bindings in a Windows local machine store that are bound to Internet Information Server (IIS) websites. These extensions replace the now deprecated “IIS” cert store type that ships with Keyfactor Command. The “IISU” extension also replaces the “IISBin” certificate store type from prior versions of this repository. This orchestrator extension is in the process of being renamed from “IIS Orchestrator” as it now supports certificates that are not in use by IIS.
This repository contains a Universal Orchestrator Extension which is a plugin to the Keyfactor Universal Orchestrator. Within the Keyfactor Platform, Orchestrators are used to manage “certificate stores” — collections of certificates and roots of trust that are found within and used by various applications.
The Universal Orchestrator is part of the Keyfactor software distribution and is available via the Keyfactor customer portal. For general instructions on installing Extensions, see the “Keyfactor Command Orchestrator Installation and Configuration Guide” section of the Keyfactor documentation. For configuration details of this specific Extension see below in this readme.
The Universal Orchestrator is the successor to the Windows Orchestrator. This Orchestrator Extension plugin only works with the Universal Orchestrator and does not work with the Windows Orchestrator.
WinCertStore Orchestrator is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket via the Keyfactor Support Portal at https://support.keyfactor.com
To report a problem or suggest a new feature, use the Issues tab. If you want to contribute actual bug fixes or proposed enhancements, use the Pull requests tab.
If you have existing IIS stores with the built-in IIS types, and plan to upgrade to Keyfactor Command 11 or later, you will need to migrate from the legacy store types to the IISU and WinCert store type defined in this repository.
You can find the guide and migration scripts in this repository, located here: Legacy IIS Migration
The minimum version of the Keyfactor Universal Orchestrator Framework needed to run this version of the extension is 10.1
The Keyfactor Universal Orchestrator may be installed on either Windows or Linux based platforms. The certificate operations supported by a capability may vary based what platform the capability is installed on. The table below indicates what capabilities are supported based on which platform the encompassing Universal Orchestrator is running.
Operation | Win | Linux |
---|---|---|
Supports Management Add | ✓ | |
Supports Management Remove | ✓ | |
Supports Create Store | ||
Supports Discovery | ||
Supports Reenrollment | ✓ | |
Supports Inventory | ✓ |
This orchestrator extension has the ability to connect to a variety of supported PAM providers to allow for the retrieval of various client hosted secrets right from the orchestrator server itself. This eliminates the need to set up the PAM integration on Keyfactor Command which may be in an environment that the client does not want to have access to their PAM provider.
The secrets that this orchestrator extension supports for use with a PAM Provider are:
Name | Description |
---|---|
Server Username | The user id that will be used to authenticate into the server hosting the store |
Server Password | The password that will be used to authenticate into the server hosting the store |
It is not necessary to use a PAM Provider for all of the secrets available above. If a PAM Provider should not be used, simply enter in the actual value to be used, as normal.
If a PAM Provider will be used for one of the fields above, start by referencing the Keyfactor Integration Catalog. The GitHub repo for the PAM Provider to be used contains important information such as the format of the json
needed. What follows is an example but does not reflect the json
values for all PAM Providers as they have different "instance" and "initialization" parameter names and values.
General PAM Provider Configuration
To use a PAM Provider to resolve a field, in this example the Server Password will be resolved by the Hashicorp-Vault
provider, first install the PAM Provider extension from the Keyfactor Integration Catalog on the Universal Orchestrator.
Next, complete configuration of the PAM Provider on the UO by editing the manifest.json
of the PAM Provider (e.g. located at extensions/Hashicorp-Vault/manifest.json). The "initialization" parameters need to be entered here:
"Keyfactor:PAMProviders:Hashicorp-Vault:InitializationInfo": {
"Host": "http://127.0.0.1:8200",
"Path": "v1/secret/data",
"Token": "xxxxxx"
}
After these values are entered, the Orchestrator needs to be restarted to pick up the configuration. Now the PAM Provider can be used on other Orchestrator Extensions.
With the PAM Provider configured as an extenion on the UO, a json
object can be passed instead of an actual value to resolve the field with a PAM Provider. Consult the Keyfactor Integration Catalog for the specific format of the json
object.
To have the Server Password field resolved by the Hashicorp-Vault
provider, the corresponding json
object from the Hashicorp-Vault
extension needs to be copied and filed in with the correct information:
{"Secret":"my-kv-secret","Key":"myServerPassword"}
This text would be entered in as the value for the Server Password, instead of entering in the actual password. The Orchestrator will attempt to use the PAM Provider to retrieve the Server Password. If PAM should not be used, just directly enter in the value for the field.
The WinCertStore Orchestrator remotely manages certificates in a Windows Server local machine certificate store. Users are able to determine which store they wish to place certificates in by entering the correct store path. For a complete list of local machine cert stores you can execute the PowerShell command:
Get-ChildItem Cert:\LocalMachine
The returned list will contain the actual certificate store name to be used when entering store location.
By default, most certificates are stored in the “Personal” (My) and “Web Hosting” (WebHosting) stores.
This extension implements four job types: Inventory, Management Add/Remove, and Reenrollment.
WinRM is used to remotely manage the certificate stores and IIS bindings. WinRM must be properly configured to allow the orchestrator on the server to manage the certificates. Setting up WinRM is not in the scope of this document.
Note: In version 2.0 of the IIS Orchestrator, the certificate store type has been renamed and additional parameters have been added. Prior to 2.0 the certificate store type was called “IISBin” and as of 2.0 it is called “IISU”. If you have existing certificate stores of type “IISBin”, you have three options:
- Leave them as is and continue to manage them with a pre 2.0 IIS Orchestrator Extension. Create the new IISU certificate store type and create any new IIS stores using the new type.
- Delete existing IIS stores. Delete the IISBin store type. Create the new IISU store type. Recreate the IIS stores using the new IISU store type.
- Convert existing IISBin certificate stores to IISU certificate stores. There is not currently a way to do this via the Keyfactor API, so direct updates to the underlying Keyfactor SQL database is required. A SQL script (IIS-Conversion.sql) is available in the repository to do this. Hosted customers, which do not have access to the underlying database, will need to work Keyfactor support to run the conversion. On-premises customers can run the script themselves, but are strongly encouraged to ensure that a SQL backup is taken prior running the script (and also be confident that they have a tested database restoration process.)
Note: There is an additional (and deprecated) certificate store type of “IIS” that ships with the Keyfactor platform. Migration of certificate stores from the “IIS” type to either the “IISBin” or “IISU” types is not currently supported.
Note: If Looking to use GMSA Accounts to run the Service Keyfactor Command 10.2 or greater is required for No Value checkbox to work
From an official support point of view, Local Administrator permissions are required on the target server. Some customers have been successful with using other accounts and granting rights to the underlying certificate and private key stores. Due to complexities with the interactions between Group Policy, WinRM, User Account Control, and other unpredictable customer environmental factors, Keyfactor cannot provide assistance with using accounts other than the local administrator account.
For customers wishing to use something other than the local administrator account, the following information may be helpful:
-
The WinCert extensions (WinCert, IISU, WinSQL) create a WinRM (remote PowerShell) session to the target server in order to manipulate the Windows Certificate Stores, perform binding (in the case of the IISU extension), or to access the registry (in the case of the WinSQL extension).
-
When the WinRM session is created, the certificate store credentials are used if they have been specified, otherwise the WinRM session is created in the context of the Universal Orchestrator (UO) Service account (which potentially could be the network service account, a regular account, or a GMSA account)
-
WinRM needs to be properly set up between the server hosting the UO and the target server. This means that a WinRM client running on the UO server when running in the context of the UO service account needs to be able to create a session on the target server using the configured credentials of the target server and any PowerShell commands running on the remote session need to have appropriate permissions.
-
Even though a given account may be in the administrators group or have administrative privileges on the target system and may be able to execute certificate and binding operations when running locally, the same account may not work when being used via WinRM. User Account Control (UAC) can get in the way and filter out administrative privledges. UAC / WinRM configuration has a LocalAccountTokenFilterPolicy setting that can be adjusted to not filter out administrative privledges for remote users, but enabling this may have other security ramifications.
-
The following list may not be exhaustive, but in general the account (when running under a remote WinRM session) needs permissions to:
- Instantiate and open a .NET X509Certificates.X509Store object for the target certificate store and be able to read and write both the certificates and related private keys. Note that ACL permissions on the stores and private keys are separate.
- Use the Import-Certificate, Get-WebSite, Get-WebBinding, and New-WebBinding PowerShell CmdLets.
- Create and delete temporary files.
- Execute certreq commands.
- Access any Cryptographic Service Provider (CSP) referenced in re-enrollment jobs.
- Read and Write values in the registry (HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server) when performing SQL Server certificate binding.
Currently this orchestrator handles three types of extensions: IISU for IIS servers with bound certificates, WinCert for general Windows Certificates and WinSql for managing certificates for SQL Server. Below describes how each of these certificate store types are created and configured.
IISU Extension
In Keyfactor Command create a new Certificate Store Type as specified below:
Basic Settings:
CONFIG ELEMENT | VALUE | DESCRIPTION |
---|---|---|
Name | IIS Bound Certificate | Display name for the store type (may be customized) |
Short Name | IISU | Short display name for the store type |
Custom Capability | IISU | Store type name orchestrator will register with. Check the box to allow entry of value |
Supported Job Types | Inventory, Add, Remove, Reenrollment | Job types the extension supports |
Needs Server | Checked | Determines if a target server name is required when creating store |
Blueprint Allowed | Unchecked | Determines if store type may be included in an Orchestrator blueprint |
Uses PowerShell | Unchecked | Determines if underlying implementation is PowerShell |
Requires Store Password | Unchecked | Determines if a store password is required when configuring an individual store. |
Supports Entry Password | Unchecked | Determines if an individual entry within a store can have a password. |
Advanced Settings:
CONFIG ELEMENT | VALUE | DESCRIPTION |
---|---|---|
Store Path Type | Multiple Choice | Determines what restrictions are applied to the store path field when configuring a new store. |
Store Path Value | My,WebHosting | Comma separated list of options configure multiple choice. This, combined with the hostname, will determine the location used for the certificate store management and inventory. |
Supports Custom Alias | Forbidden | Determines if an individual entry within a store can have a custom Alias. |
Private Keys | Required | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. |
PFX Password Style | Default or Custom | "Default" - PFX password is randomly generated, "Custom" - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) |
Custom Fields:
Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed
Name | Display Name | Type | Default Value / Options | Required | Description |
---|---|---|---|---|---|
WinRm Protocol | WinRm Protocol | Multiple Choice | https,http | Yes | Protocol that target server WinRM listener is using |
WinRm Port | WinRm Port | String | 5986 | Yes | Port that target server WinRM listener is using. Typically 5985 for HTTP and 5986 for HTTPS |
spnwithport | SPN With Port | Bool | false | No | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. |
ServerUsername | Server Username | Secret | No | The username to log into the target server (This field is automatically created). Check the No Value Checkbox when using GMSA Accounts. | |
ServerPassword | Server Password | Secret | No | The password that matches the username to log into the target server (This field is automatically created). Check the No Value Checkbox when using GMSA Accounts. | |
ServerUseSsl | Use SSL | Bool | true | Yes | Determine whether the server uses SSL or not (This field is automatically created) |
Note that some of the Names in the first column above have spaces and some do not, it is important to configure the Name field exactly as above.
Entry Parameters:
Entry parameters are inventoried and maintained for each entry within a certificate store. They are typically used to support binding of a certificate to a resource.
Name | Display Name | Type | Default Value | Required When | Description |
---|---|---|---|---|---|
SiteName | IIS Site Name | String | Default Web Site | Adding, Removing, Reenrolling | IIS web site to bind certificate to |
IPAddress | IP Address | String | * | Adding, Removing, Reenrolling | IP address to bind certificate to (use '*' for all IP addresses) |
Port | Port | String | 443 | Adding, Removing, Reenrolling | |
HostName | Host Name | String | |||
SniFlag | SNI Support | String | 0 | Adding, Reenrolling | Type of SNI for binding (Multiple choice configuration should be entered as "0 - No SNI,1 - SNI Enabled,2 - Non SNI Binding,3 - SNI Binding") |
Protocol | Protocol | Multiple Choice | https | Adding, Removing, Reenrolling | Protocol to bind to (always "https"). (Multiple choice configuration should be "https") |
ProviderName | Crypto Provider Name | String | Name of the Windows cryptographic provider to use during reenrollment jobs when generating and storing the private keys. If not specified, defaults to 'Microsoft Strong Cryptographic Provider'. This value would typically be specified when leveraging a Hardware Security Module (HSM). The specified cryptographic provider must be available on the target server being managed. The list of installed cryptographic providers can be obtained by running 'certutil -csplist' on the target Server. | ||
SAN | SAN | String | Reenrolling | Specifies Subject Alternative Name (SAN) to be used when performing reenrollment jobs. Certificate templates generally require a SAN that matches the subject of the certificate (per RFC 2818). Format is a list of <san_type>=<san_value> entries separated by ampersands. Examples: 'dns=www.mysite.com' for a single SAN or 'dns=www.mysite.com&dns=www.mysite2.com' for multiple SANs. Can be made optional if RFC 2818 is disabled on the CA. |
None of the above entry parameters have the "Depends On" field set.
Click Save to save the Certificate Store Type.
SQL Server Extension
In Keyfactor Command create a new Certificate Store Type as specified below:
Basic Settings:
CONFIG ELEMENT | VALUE | DESCRIPTION |
---|---|---|
Name | Windows SQL Server Certificate | Display name for the store type (may be customized) |
Short Name | WinSql | Short display name for the store type |
Custom Capability | Leave Unchecked | Store type name orchestrator will register with. Check the box to allow entry of value |
Supported Job Types | Inventory, Add, Remove, Reenrollment | Job types the extension supports |
Needs Server | Checked | Determines if a target server name is required when creating store |
Blueprint Allowed | Checked | Determines if store type may be included in an Orchestrator blueprint |
Uses PowerShell | Unchecked | Determines if underlying implementation is PowerShell |
Requires Store Password | Unchecked | Determines if a store password is required when configuring an individual store. |
Supports Entry Password | Unchecked | Determines if an individual entry within a store can have a password. |
Advanced Settings:
CONFIG ELEMENT | VALUE | DESCRIPTION |
---|---|---|
Store Path Type | Fixed | Fixed to a defined path. SQL Server Supports the Personal or "My" store on the Local Machine. |
Store Path Value | My | Fixed Value My on the Local Machine Store. |
Supports Custom Alias | Forbidden | Determines if an individual entry within a store can have a custom Alias. |
Private Keys | Required | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because SQL Server certificates without private keys would be useless. |
PFX Password Style | Default or Custom | "Default" - PFX password is randomly generated, "Custom" - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) |
Custom Fields:
Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed
Name | Display Name | Type | Default Value / Options | Required | Description |
---|---|---|---|---|---|
WinRm Protocol | WinRm Protocol | Multiple Choice | https,http | Yes | Protocol that target server WinRM listener is using |
WinRm Port | WinRm Port | String | 5986 | Yes | Port that target server WinRM listener is using. Typically 5985 for HTTP and 5986 for HTTPS |
spnwithport | SPN With Port | Bool | false | No | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. |
ServerUsername | Server Username | Secret | No | The username to log into the target server (This field is automatically created). Check the No Value Checkbox when using GMSA Accounts. | |
ServerPassword | Server Password | Secret | No | The password that matches the username to log into the target server (This field is automatically created). Check the No Value Checkbox when using GMSA Accounts. | |
ServerUseSsl | Use SSL | Bool | true | Yes | Determine whether the server uses SSL or not (This field is automatically created) |
RestartService | Restart SQL Service After Cert Installed | Bool | False | Yes | If true, Orchestrator will restart the SQL Server Service after installing the certificate. |
Note that some of the Names in the first column above have spaces and some do not, it is important to configure the Name field exactly as above.
Entry Parameters:
Entry parameters are inventoried and maintained for each entry within a certificate store. They are typically used to support binding of a certificate to a resource.
Name | Display Name | Type | Default Value | Required When | Description |
---|---|---|---|---|---|
InstanceName | Instance Name | String | Not required | When enrolling leave blank or use MSSQLServer for the Default Instance, Instance Name for an Instance or MSSQLServer,Instance Name if enrolling to multiple instances plus the default instance. | |
ProviderName | Crypto Provider Name | String | Name of the Windows cryptographic provider to use during reenrollment jobs when generating and storing the private keys. If not specified, defaults to 'Microsoft Strong Cryptographic Provider'. This value would typically be specified when leveraging a Hardware Security Module (HSM). The specified cryptographic provider must be available on the target server being managed. The list of installed cryptographic providers can be obtained by running 'certutil -csplist' on the target Server. | ||
SAN | SAN | String | Reenrolling | Specifies Subject Alternative Name (SAN) to be used when performing reenrollment jobs. Certificate templates generally require a SAN that matches the subject of the certificate (per RFC 2818). Format is a list of <san_type>=<san_value> entries separated by ampersands. Examples: 'dns=www.mysite.com' for a single SAN or 'dns=www.mysite.com&dns=www.mysite2.com' for multiple SANs. Can be made optional if RFC 2818 is disabled on the CA. |
Click Save to save the Certificate Store Type.
WinCert Extension
1. In Keyfactor Command create a new Certificate Store Type using the settings below
Basic Settings:
CONFIG ELEMENT | VALUE | DESCRIPTION |
---|---|---|
Name | Windows Certificate | Display name for the store type (may be customized) |
Short Name | WinCert | Short display name for the store type |
Custom Capability | WinCert | Store type name orchestrator will register with. Check the box to allow entry of value |
Supported Job Types | Inventory, Add, Remove, Reenrollment | Job types the extension supports |
Needs Server | Checked | Determines if a target server name is required when creating store |
Blueprint Allowed | Unchecked | Determines if store type may be included in an Orchestrator blueprint |
Uses PowerShell | Unchecked | Determines if underlying implementation is PowerShell |
Requires Store Password | Unchecked | Determines if a store password is required when configuring an individual store. |
Supports Entry Password | Unchecked | Determines if an individual entry within a store can have a password. |
Advanced Settings:
CONFIG ELEMENT | VALUE | DESCRIPTION |
---|---|---|
Store Path Type | Freeform | Allows users to type in a valid certificate store. |
Supports Custom Alias | Forbidden | Determines if an individual entry within a store can have a custom Alias. |
Private Keys | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store. Typically the personal store would have private keys, whereas trusted root would not. |
PFX Password Style | Default or Custom | "Default" - PFX password is randomly generated, "Custom" - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) |
Custom Fields:
Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed
Name | Display Name | Type | Default Value / Options | Required | Description |
---|---|---|---|---|---|
WinRm Protocol | WinRm Protocol | Multiple Choice | https,http | Yes | Protocol that target server WinRM listener is using |
WinRm Port | WinRm Port | String | 5986 | Yes | Port that target server WinRM listener is using. Typically 5985 for HTTP and 5986 for HTTPS |
spnwithport | SPN With Port | Bool | false | No | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. |
ServerUsername | Server Username | Secret | No | The username to log into the target server (This field is automatically created) | |
ServerPassword | Server Password | Secret | No | The password that matches the username to log into the target server (This field is automatically created) | |
ServerUseSsl | Use SSL | Bool | True | Yes | Determine whether the server uses SSL or not (This field is automatically created) |
Note that some of the Names in the first column above have spaces and some do not, it is important to configure the Name field exactly as above.
Entry Parameters:
Entry parameters are inventoried and maintained for each entry within a certificate store. They are typically used to support binding of a certificate to a resource. For the WinCert store type they are used to control how reenrollment jobs are performed.
Name | Display Name | Type | Default Value | Required When | Description |
---|---|---|---|---|---|
ProviderName | Crypto Provider Name | String | Name of the Windows cryptographic provider to use during reenrollment jobs when generating and storing the private keys. If not specified, defaults to 'Microsoft Strong Cryptographic Provider'. This value would typically be specified when leveraging a Hardware Security Module (HSM). The specified cryptographic provider must be available on the target server being managed. The list of installed cryptographic providers can be obtained by running 'certutil -csplist' on the target Server. | ||
SAN | SAN | String | Reenrolling | Specifies Subject Alternative Name (SAN) to be used when performing reenrollment jobs. Certificate templates generally require a SAN that matches the subject of the certificate (per RFC 2818). Format is a list of <san_type>=<san_value> entries separated by ampersands. Examples: 'dns=www.mysite.com' for a single SAN or 'dns=www.mysite.com&dns=www.mysite2.com' for multiple SANs. Can be made optional if RFC 2818 is disabled on the CA. |
None of the above entry parameters have the "Depends On" field set.
Click Save to save the Certificate Store Type.
Once the Certificate Store Types have been created, you need to create the Certificate Stores prior to using the extension.
If running as an agent (accessing stores on the server where the Universal Orchestrator Services is installed ONLY), the Client Machine can be entered, OR you can bypass a WinRM connection and access the local file system directly by adding "|LocalMachine" to the end of your value for Client Machine, for example "1.1.1.1|LocalMachine". In this instance the value to the left of the pipe (|) is ignored. It is important to make sure the values for Client Machine and Store Path together are unique for each certificate store created, as Keyfactor Command requires the Store Type you select, along with Client Machine, and Store Path together must be unique. To ensure this, it is good practice to put the full DNS or IP Address to the left of the | character when setting up a certificate store that will be accessed without a WinRM connection.
Here are the settings required for each Store Type previously configured.
IISU Certificate Store
In Keyfactor Command, navigate to Certificate Stores from the Locations Menu. Click the Add button to create a new Certificate Store using the settings defined below.
CONFIG ELEMENT | DESCRIPTION |
---|---|
Category | Select IIS Bound Certificate or the customized certificate store display name from above. |
Container | Optional container to associate certificate store with. |
Client Machine | Contains the Hostname of the Windows Server containing the certificate store to be managed. If this value is a hostname, a WinRM session will be established using the credentials specified in the Server Username and Server Password fields. |
Store Path | Windows certificate store to manage. Choose "My" for the Personal Store or "WebHosting" for the Web Hosting Store. |
Orchestrator | Select an approved orchestrator capable of managing IIS Bound Certificates (one that has declared the IISU capability) |
WinRm Protocol | Protocol to use when establishing the WinRM session. (Listener on Client Machine must be configured for selected protocol.) |
WinRm Port | Port WinRM listener is configured for (HTTPS default is 5986) |
SPN with Port | Typically False. Needed in some Kerberos configurations. |
Server Username | Account to use when establishing the WinRM session to the Client Machine. Account needs to be an administrator or have been granted rights to manage IIS configuration and manipulate the local machine certificate store. If no account is specified, the security context of the Orchestrator service account will be used. |
Server Password | Password to use when establishing the WinRM session to the Client Machine |
Use SSL | Ignored for this certificate store type. Transport encryption is determined by the WinRM Protocol Setting |
Inventory Schedule | The interval that the system will use to report on what certificates are currently in the store. |
Click Save to save the settings for this Certificate Store
SQL Server Certificate Store
In Keyfactor Command, navigate to Certificate Stores from the Locations Menu. Click the Add button to create a new Certificate Store using the settings defined below.
CONFIG ELEMENT | DESCRIPTION |
---|---|
Category | Select SQL Server Bound Certificate or the customized certificate store display name from above. |
Container | Optional container to associate certificate store with. |
Client Machine | Hostname of the Windows Server containing the certificate store to be managed. If this value is a hostname, a WinRM session will be established using the credentials specified in the Server Username and Server Password fields. |
Store Path | Windows certificate store to manage. Fixed to "My". |
Orchestrator | Select an approved orchestrator capable of managing SQL Server Bound Certificates. |
WinRm Protocol | Protocol to use when establishing the WinRM session. (Listener on Client Machine must be configured for selected protocol.) |
WinRm Port | Port WinRM listener is configured for (HTTPS default is 5986) |
SPN with Port | Typically False. Needed in some Kerberos configurations. |
Server Username | Account to use when establishing the WinRM session to the Client Machine. Account needs to be an administrator or have been granted rights to manage IIS configuration and manipulate the local machine certificate store. If no account is specified, the security context of the Orchestrator service account will be used. |
Server Password | Password to use when establishing the WinRM session to the Client Machine |
Restart SQL Service After Cert Installed | For each instance the certificate is tied to, the service for that instance will be restarted after the certificate is successfully installed. |
Use SSL | Ignored for this certificate store type. Transport encryption is determined by the WinRM Protocol Setting |
Inventory Schedule | The interval that the system will use to report on what certificates are currently in the store. |
Click Save to save the settings for this Certificate Store
WinCert Certificate Store
In Keyfactor Command, navigate to Certificate Stores from the Locations Menu. Click the Add button to create a new Certificate Store using the settings defined below.CONFIG ELEMENT | DESCRIPTION |
---|---|
Category | Select Windows Certificate or the customized certificate store display name from above. |
Container | Optional container to associate certificate store with. |
Client Machine | Hostname of the Windows Server containing the certificate store to be managed. If this value is a hostname, a WinRM session will be established using the credentials specified in the Server Username and Server Password fields. |
Store Path | Windows certificate store to manage. Store must exist in the Local Machine store on the target server. |
Orchestrator | Select an approved orchestrator capable of managing Windows Certificates (one that has declared the WinCert capability) |
WinRm Protocol | Protocol to use when establishing the WinRM session. (Listener on Client Machine must be configured for selected protocol.) |
WinRm Port | Port WinRM listener is configured for (HTTPS default is 5986) |
SPN with Port | Typically False. Needed in some Kerberos configurations. |
Server Username | Account to use when establishing the WinRM session to the Client Machine. Account needs to be an admin or have been granted rights to manipulate the local machine certificate store. If no account is specified, the security context of the Orchestrator service account will be used. |
Server Password | Password to use when establishing the WinRM session to the Client Machine |
Use SSL | Ignored for this certificate store type. Transport encryption is determined by the WinRM Protocol Setting |
Inventory Schedule | The interval that the system will use to report on what certificates are currently in the store. |
IISU
Case Number | Case Name | Enrollment Params | Expected Results | Passed | Screenshot |
---|---|---|---|---|---|
1 | New Cert Enrollment To New Binding With KFSecret Creds | Site Name: FirstSite Port: 443 IP Address: * Host Name: www.firstsite.com Sni Flag: 0 - No SNI Protocol: https |
New Binding Created with Enrollment Params specified creds pulled from KFSecret | True | |
2 | New Cert Enrollment To Existing Binding | Site Name: FirstSite Port: 443 IP Address: * Host Name: www.firstsite.com Sni Flag: 0 - No SNI Protocol: https |
Existing Binding From Case 1 Updated with New Cert | True | |
3 | New Cert Enrollment To Existing Binding Enable SNI | Site Name: FirstSite Port: 443 IP Address: * Host Name: www.firstsite.com Sni Flag: 1 - SNI Enabled Protocol: https |
Will Update Site In Case 2 to Have Sni Enabled | True | |
4 | New Cert Enrollment New IP Address | Site Name: FirstSite Port: 443 IP Address: 192.168.58.162 Host Name: www.firstsite.com Sni Flag: 1 - SNI Enabled Protocol: https |
New Binding Created With New IP and New SNI on Same Port | True | |
5 | New Cert Enrollment New Host Name | Site Name: FirstSite Port: 443 IP Address: 192.168.58.162 Host Name: www.newhostname.com Sni Flag: 1 - SNI Enabled Protocol: https |
New Binding Created With different host on Same Port and IP Address | True | |
6 | New Cert Enrollment Same Site New Port | Site Name: FirstSite Port: 4443 IP Address: 192.168.58.162 Host Name: www.newhostname.com Sni Flag: 1 - SNI Enabled Protocol: https |
New Binding on different port will be created with new cert enrolled | True | |
7 | Remove Cert and Binding From Test Case 6 | Site Name: FirstSite Port: 4443 IP Address: 192.168.58.162 Host Name: www.newhostname.com Sni Flag: 1 - SNI Enabled Protocol: https |
Cert and Binding From Test Case 6 Removed | True | |
8 | Renew Same Cert on 2 Different Sites | SITE 1 Site Name: FirstSite Port: 443 IP Address: * Host Name: www.firstsite.com Sni Flag: 1 - SNI Enabled Protocol: https SITE 2 First Site Site Name: SecondSite Port: 443 IP Address: * Host Name: cstiis04.cstpki.int Sni Flag: 1 - SNI Enabled Protocol: https |
Cert will be renewed on both sites because it has the same thumbprint | True | |
9 | Renew Same Cert on Same Site Same Binding Settings Different Hostname | BINDING 1 Site Name: FirstSite Port: 443 IP Address: * Host Name: www.firstsitebinding1.com Sni Flag: 1 - SNI Enabled Protocol: https BINDING 2 Site Name: FirstSite Port: 443 IP Address: * Host Name: www.firstsitebinding2.com Sni Flag: 1 - SNI Enabled Protocol: https |
Cert will be renewed on both bindings because it has the same thumbprint | True | |
10 | Renew Single Cert on Same Site Same Binding Settings Different Hostname Different Certs | BINDING 1 Site Name: FirstSite Port: 443 IP Address: * Host Name: www.firstsitebinding1.com Sni Flag: 1 - SNI Enabled Protocol: https BINDING 2 Site Name: FirstSite Port: 443 IP Address: * Host Name: www.firstsitebinding2.com Sni Flag: 1 - SNI Enabled Protocol: https |
Cert will be renewed on only one binding because the other binding does not match thumbprint | True | |
11 | Renew Same Cert on Same Site Same Binding Settings Different IPs | BINDING 1 Site Name: FirstSite Port: 443 IP Address: 192.168.58.162 Host Name: www.firstsitebinding1.com Sni Flag: 1 - SNI Enabled Protocol: https BINDING 2 Site Name: FirstSite Port: 443 IP Address: 192.168.58.160 Host Name: www.firstsitebinding1.com Sni Flag: 1 - SNI Enabled Protocol: https |
Cert will be renewed on both bindings because it has the same thumbprint | True | |
12 | Renew Same Cert on Same Site Same Binding Settings Different Ports | BINDING 1 Site Name: FirstSite Port: 443 IP Address: 192.168.58.162 Host Name: www.firstsitebinding1.com Sni Flag: 1 - SNI Enabled Protocol: https BINDING 2 Site Name: FirstSite Port: 543 IP Address: 192.168.58.162 Host Name: www.firstsitebinding1.com Sni Flag: 1 - SNI Enabled Protocol: https |
Cert will be renewed on both bindings because it has the same thumbprint | True | |
13 | ReEnrollment to Fortanix HSM | Subject Name: cn=www.mysite.com Port: 433 IP Address: * Host Name: mysite.command.local **Site Name:**Default Web Site Sni Flag: 0 - No SNI Protocol: https Provider Name: Fortanix KMS CNG Provider SAN: dns=www.mysite.com&dns=mynewsite.com |
Cert will be generated with keys stored in Fortanix HSM and the cert will be bound to the supplied site. | true | |
14 | New Cert Enrollment To New Binding With Pam Creds | Site Name: FirstSite Port: 443 IP Address: * Host Name: www.firstsite.com Sni Flag: 0 - No SNI Protocol: https |
New Binding Created with Enrollment Params specified creds pulled from Pam Provider | True | |
15 | New Cert Enrollment Default Site No HostName | Site Name: Default Web Site Port: 443 IP Address: * Host Name: Sni Flag: 0 - No SNI Protocol: https |
New Binding Installed with no HostName | True |
WinSql
When creating cert store type manually, that store property names and entry parameter names are case sensitive