Welcome back to part two of a blog series on how to migrate from your legacy PKI solution to the Keyfactor Command platform. In part one, we reviewed the first step in making the switch to a new PKI solution – importing your keys and certificates using streamlined bulk-scripting operations. Now that you’ve imported your certificates into the database, you’ll need to configure your infrastructure to re-route certificate lifecycle operations using Keyfactor.
There simply isn’t enough room in a blog to cover all the questions that may come up along the way, but I’ll provide a baseline understanding of what it takes to get up and running.
Sync with your Microsoft CA
Let’s start with how to re-route your internal Microsoft CA to your new Keyfactor database. There are two possible scenarios:
- Keyfactor Command is hosted and run in your environment to automate the lifecycle of keys and certificates
- You decided to implement a Keyfactor Cloud-Hosted PKI solution
We’ll cover both of these scenarios.
If Keyfactor Command is hosted in your environment, and the internal CA is in the same forest, then it’s quite simple. Keyfactor can schedule synchronization jobs to automatically inventory the CA, as well as future certificate enrollments.
If Keyfactor Command is hosted in our cloud environment, then there’s just one extra step. You’ll need to deploy an orchestrator in the domain hosting your internal CA to inventory the certificates and synchronize them with our cloud-hosted environment. Of course, the Keyfactor team will be on the line to assist you every step of the way.
Discover Unknown Keys and Certificates
Next up, you’ll need to consider all the certificates that live in the wild within your enterprise. Do you have application teams that test with self-signed and wildcard certificates? What vulnerabilities have been left exposed on web and application servers? Far too many times these liabilities are neglected, resulting in more serious consequences down the line. To help curb this problem upfront, we first need to discover these vulnerabilities and get these certificates into your database.
It starts with deploying the Keyfactor SSL/TLS Discovery Tool. Our flexible agent-based or agentless approach allows you to scan wide port and network ranges to find and inventory all certificates and their relevant information. This enables you to create what we call “certificate collections” – where you can group certificates to enforce policies, report on their status, set up alerts and notifications to stay ahead of renewals, or even automate the renewal process altogether with pre-defined workflows.
There are a few important things to consider when planning a timely SSL/TLS discovery:
- Volume – the larger the network and port ranges you are looking to cover, the longer you can expect the process to take. To improve performance and achieve faster time to discovery, you can simply deploy more agents or orchestrators to optimize the process.
- Location – If physical geography comes into play, it can sometimes delay the response by an endpoint to the discovery agent. If your agent timeout is set too low, then not all endpoints will have enough time to respond with their certificate.
- Null Endpoints – If you schedule the agent timelines too high, then any endpoints without certificates will take the up the full time before moving onto the next port. You’ll want to define the leanest jobs to ensure efficient scanning.
- API Scripts – To achieve lean job definitions, highly customized network ranges can be used. Programmatic network definitions will save significant time when implementing a scan job. Keyfactor provides sample scripts to simplify this process.
Sync with your Public CAs
Finally, you’ll want to inventory certificates from your Public CAs including DigiCert, Sectigo, Entrust and others. Keyfactor offers multiple CA Gateways that directly integrate with any of your public CAs. Unlike other vendors, there is not middleware involved here. Keyfactor offers a complete inventory of certificates and orchestrates the entire certificate lifecycle – from issuance to renewal and revocation. The process will again depend if your instance of Keyfactor Command is hosted in your network or with Keyfactor cloud-hosted PKI as-a-Service.
- If Keyfactor Command is hosted in your environment, you’ll start by installing a gateway and providing admin credentials for the Keyfactor platform to communicate directly with the public CA. This allows certificates to be inventoried and new enrollments can be performed via the Keyfactor portal.
- If Keyfactor Command is hosted in our cloud environment, this step is even easier. Keyfactor will stand up the server, install the gateway, and configure appropriate Active Directory (AD) settings. All we need is the credentials and a certificate to enable the Keyfactor platform to authenticate to the CA.
Replace or Co-Exist
Fast Deployment, Easy Replacement
Deploy Keyfactor Command quickly and efficiently. You can even install our solution with your existing solution still in place – to ensure that you’re never exposed to a certificate-related outage, even for a minute – then uninstall them at your convenience.
Keyfactor co-exists with other solutions – expanding your visibility by catching what others miss. Your legacy solution can continue to manage certificates, while Keyfactor provides the advantage of flexible and modular design to fill the gaps and stop outages before they happen.