1.0 Introduction
This article describes the configuration steps required on Fortanix-Data-Security-Manager (DSM) and Keyfactor to store the RSA key pairs for Internet Information Services (IIS) web server certificates.
2.0 Architecture Workflow

Figure 1: DSM with Keyfactor IIS Orchestrator Architecture
The Keyfactor IIS orchestrator can remotely manage certificates and their bindings on Internet Information Server (IIS) websites. During the certificate enrollment process from the Keyfactor Command Portal, an RSA key for the certificate can be generated and stored in Fortanix DSM.
The Universal Orchestrator is part of the Keyfactor software distribution and is available using the Keyfactor Customer Portal.
2.1 Keyfactor IIS Orchestrator Workflow

Figure 2: DSM with Keyfactor IIS Orchestrator workflow
A user creates a certificate enrollment request in the Keyfactor Command Portal.
The Keyfactor Orchestrator periodically checks for new jobs, and if a new enrollment request is found, it sends a Certificate Signing Request (CSR) generation request to the target machine.
The target machine, which has the Fortanix CNG client installed and configured, generates the CSR.
The CSR is submitted back to the Keyfactor Orchestrator, which then forwards it to the Command Portal for signing.
The Keyfactor Command Portal must be pre-configured with the desired Certificate Authority (CA) to submit the signing request.
The Keyfactor Command Portal then sends the signed certificate back to the Keyfactor Orchestrator.
The Keyfactor Orchestrator installs the certificate in the machine’s trust store and binds it to the IIS Web Server.
3.0 Prerequisites
Ensure the following:
Fortanix CNG Client (Download).
Fortanix API key to configure the CNG client.
Windows IIS server admin access to install the CNG client.
Keyfactor Portal access is required to configure Orchestrator and for the certificate enrollment process.
Keyfactor Universal IIS Orchestrator version 10.1.1 or later.
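Step 3 of the workflow in Section 2.1 depends on the Fortanix CNG provider being registered on the IIS server and able to generate RSA keys. The following PowerShell script is an added pre-flight check written for this page; it is not part of the Fortanix or Keyfactor documentation. It assumes an elevated session on the IIS server after the Fortanix CNG client has been installed and configured with the DSM API key, and the subject name and file paths are constructed placeholders. It confirms that Windows lists the provider, then generates a test CSR with certreq so that the key pair is created through that provider rather than a software CSP.

```powershell
# Added example, not part of the Fortanix or Keyfactor documentation.
# Assumes: elevated PowerShell on the IIS server, Fortanix CNG client installed
# and configured with its API key. Subject and paths below are placeholders.
$ProviderName = 'Fortanix KMS CNG Provider'   # provider name used in the Reenrollment dialog
$Subject      = 'CN=www.example.test'         # placeholder subject for the test request
$InfPath      = "$env:TEMP\dsm-cng-test.inf"
$CsrPath      = "$env:TEMP\dsm-cng-test.csr"

# 1. Is the Fortanix provider registered as a key storage provider on this machine?
$csplist = certutil -csplist 2>&1 | Out-String
if ($csplist -notmatch [regex]::Escape($ProviderName)) {
    throw "'$ProviderName' is not listed by 'certutil -csplist'; install or repair the Fortanix CNG client first."
}

# 2. Build a certreq request file that forces key generation through that provider.
#    Exportable = false: the private key must never leave the provider.
@"
[NewRequest]
Subject = "$Subject"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = sha256
ProviderName = "$ProviderName"
MachineKeySet = true
Exportable = false
KeyUsage = 0xA0
RequestType = PKCS10
"@ | Set-Content -Path $InfPath -Encoding ASCII

# 3. Generate the CSR; the RSA key pair is created by the named provider.
& certreq -new $InfPath $CsrPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# 4. The pending request in the REQUEST store should report the expected provider.
$pending = certutil -store REQUEST 2>&1 | Out-String
if ($pending -match [regex]::Escape($ProviderName)) {
    Write-Host "CSR written to $CsrPath; pending request key is held by '$ProviderName'."
} else {
    Write-Warning "CSR created, but no pending request reports provider '$ProviderName'; inspect 'certutil -store REQUEST'."
}
```

Running this creates a real RSA key in the DSM group that the app (Section 4.4) is assigned to, so delete the test key in DSM and the pending request on the server once the check passes. If step 1 fails, the orchestrator's reenrollment job will fail at CSR generation for the same reason, so this is the first thing to verify when a job reports an error.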
4.0 Configure Fortanix DSM
A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:
4.1 Signing Up
To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.
For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.
4.2 Creating an Account
Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.
Figure 3: Logging in
For more information on how to set up an account in Fortanix DSM, refer to the User's Guide: Getting Started with Fortanix Data Security Manager - UI.
4.3 Creating a Group
Perform the following steps to create a group in the Fortanix DSM:
In the DSM left navigation panel, click the Groups menu item, and then click the + button to create a new group.
Figure 4: Add groups
On the Adding new group page, do the following:
Title: Enter a name for your group.
Description (optional): Enter a short description of the group.
Click SAVE to create the new group.
The new group is added to the Fortanix DSM successfully.
4.4 Creating an Application
Perform the following steps to create an application (app) in the Fortanix DSM:
In the DSM left navigation panel, click the Apps menu item, and then click the + button to create a new app.
Figure 5: Add application
On the Adding new app page, do the following:
App name: Enter the name for your application.
ADD DESCRIPTION (optional): Enter a short description of the application.
Authentication method: Select the default API Key as the authentication method from the drop-down menu. For more information on these authentication methods, refer to the User's Guide: Authentication.
Assigning the new app to groups: Select the group created in Section 4.3: Creating a Group from the list.
Click SAVE to add the new application.
The new application is added to the Fortanix DSM successfully.
4.5 Copying the API Key
Perform the following steps to copy the API key from the Fortanix DSM:
In the DSM left navigation panel, click the Apps menu item, and then click the app created in Section 4.4: Creating an Application to go to the detailed view of the app.
On the INFO tab, click VIEW API KEY DETAILS.
From the API Key Details dialog box, copy the API Key of the app to use it later.
5.0 Configure Keyfactor IIS Orchestrator
This section describes the steps required to configure the Keyfactor IIS Orchestrator. For more information, refer to https://github.com/Keyfactor/iis-orchestrator.
Register the IIS Universal Orchestrator with Keyfactor: See the Keyfactor documentation, InstallingKeyfactorOrchestrators.pdf. Contact your Keyfactor representative for more details. Also make sure the IISU extension is enabled or configured on the Keyfactor Orchestrator.
Figure 6: Register IIS Orchestrator with Keyfactor
Create the new certificate store type for the IIS Orchestrator: On the Keyfactor homepage, go to Settings (cog wheel icon) → Certificate Store Types → ADD.
Figure 7: Add Certificate Store
Certificate Store Type settings: Basic
Figure 8: Certificate Store Type Basic Settings
Certificate Store Type settings: Advanced
Figure 9: Certificate Store Type Advanced Settings
Certificate Store Type settings: Custom Fields
Figure 10: Certificate Store Type Custom Fields
Certificate Store Type settings: Entry Parameters
Figure 11: Certificate Store Type Entry Parameters
NOTE
For the certificate that a reenrollment job is enrolling, the Provider Name field is required to generate and store the private key in the Fortanix DSM.
Create an IIS binding certificate store within the Keyfactor command center: On the Keyfactor home page, click Locations → Certificate Stores from the drop-down menu.
Figure 12: IIS Binding Certificate Store
Figure 13: Add Certificate Store
6.0 Certificate Enrollment
In the Management Portal, browse to Locations → Certificate Stores.
On the Certificate Stores page, select the Certificate Stores tab (the default when you first visit the page).
On the Certificate Stores tab, highlight the certificate to reenroll in the Certificate Stores table and click REENROLLMENT at the top of the table or right-click the store location in the table and select Reenrollment from the right-click menu.
On the Reenrollment dialog, enter the following:
Subject Name for the new certificate using X.500 format
Port where to bind the site
IP Address
SNI Flag
Protocol
Provider Name as Fortanix KMS CNG Provider
Site Name
SAN (optional)
HostName
Certificate Authority
Select a Template
NOTE
If you do not select a template or CA for reenrollment, the values configured for the "Template for Submitted CSRs" and/or "Certificate Authority for Submitted CSRs" application setting(s) (see Application Settings in Keyfactor) will be used.
Click Done to submit the request.
Figure 14: Certificate Reenrollment
The reenrollment job will be scheduled to run immediately. Visit the Orchestrator Jobs page to check the progress of the job.
Figure 15: Reenrollment Job
6.1 Binding
Check the binding status in the IIS Site Bindings settings.

Figure 16: Binding Status
6.2 Certificate
Check the certificate on the IIS server to confirm that its private key is held by the expected cryptographic provider (Fortanix KMS CNG Provider).

Figure 17: IIS Server Certificate
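The checks in Sections 6.1 and 6.2 can be scripted instead of read off the IIS Manager dialogs. The following PowerShell script is an added example for this page, not code from Fortanix or Keyfactor. It assumes an elevated session on the IIS server with the WebAdministration module, and the site name is a constructed placeholder. For each HTTPS binding of the site it finds the bound certificate by thumbprint, asks .NET which provider holds the private key, and flags anything other than the Fortanix KMS CNG Provider; it also handles a binding whose certificate is missing from the store and a key that is not a CNG key.

```powershell
# Added example, not part of the Fortanix or Keyfactor documentation.
# Assumes: elevated PowerShell on the IIS server, WebAdministration module available.
Import-Module WebAdministration

$SiteName         = 'Default Web Site'            # placeholder: the IIS site bound during reenrollment
$ExpectedProvider = 'Fortanix KMS CNG Provider'   # provider name entered in the Reenrollment dialog

# Returns the name of the provider that holds a certificate's private key,
# or $null when no private key is accessible from this session.
function Get-PrivateKeyProviderName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    if ($null -eq $rsa) { return $null }
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        return $rsa.Key.Provider.Provider              # CNG key: the KSP name (what we expect here)
    }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        return $rsa.CspKeyContainerInfo.ProviderName   # legacy CSP key: not stored in DSM
    }
    return $rsa.GetType().Name
}

$bindings = Get-WebBinding -Name $SiteName -Protocol https
if (-not $bindings) {
    Write-Warning "No https binding found on '$SiteName'; the reenrollment job did not bind a certificate."
    return
}

foreach ($b in $bindings) {
    $store = if ($b.certificateStoreName) { $b.certificateStoreName } else { 'My' }
    $cert  = Get-ChildItem "Cert:\LocalMachine\$store" | Where-Object { $_.Thumbprint -eq $b.certificateHash }
    if (-not $cert) {
        Write-Warning "Binding $($b.bindingInformation): thumbprint $($b.certificateHash) not found in LocalMachine\$store"
        continue
    }
    $provider = Get-PrivateKeyProviderName -Certificate $cert
    $status   = if ($provider -eq $ExpectedProvider) { 'OK' } else { 'MISMATCH' }
    [pscustomobject]@{
        Binding    = $b.bindingInformation   # e.g. "*:443:www.example.test" (IP:port:hostname)
        SslFlags   = $b.sslFlags             # non-zero when SNI is enabled
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
        Provider   = $provider
        Status     = $status
    }
}
```

A MISMATCH row with a Microsoft software provider means the private key was generated on the server rather than in DSM, which is what happens when the Provider Name field in the Reenrollment dialog is left empty (see the note in Section 5.0). The same provider name can also be read from the "Provider =" line of `certutil -store My <thumbprint>`.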