Using Fortanix Data Security Manager with Keyfactor IIS Orchestrator

1.0 Introduction

This article describes the configuration steps required on Fortanix-Data-Security-Manager (DSM) and Keyfactor to store the RSA key pairs for Internet Information Services (IIS) web server certificates.

2.0 Architecture Workflow

The Keyfactor IIS orchestrator can remotely manage certificates and their bindings on Internet Information Server (IIS) websites. During the certificate enrollment process from the Keyfactor Command Portal, an RSA key for the certificate can be generated and stored in Fortanix DSM.

The Universal Orchestrator is part of the Keyfactor software distribution and is available using the Keyfactor Customer Portal.

2.1 Keyfactor IIS Orchestrator Workflow

1. A user creates a certificate enrollment request in the Keyfactor Command Portal.

2. The Keyfactor Orchestrator periodically checks for new jobs, and if a new enrollment request is found, it sends a Certificate Signing Request (CSR) generation request to the target machine

3. The target machine, which has the Fortanix CNG client installed and configured, generates the CSR request

4. The CSR is submitted back to the Keyfactor Orchestrator, which then forwards it to the Command Portal for signing.

5. The Keyfactor Command Portal must be pre-configured with the desired Certificate Authority (CA) to submit the signing request.

6. The Keyfactor Command Portal then sends the signed certificate back to the Keyfactor Orchestrator.

7. The Keyfactor Orchestrator installs the certificate in the machine’s trust store and binds it to the IIS Web Server.

3.0 Prerequisites

Ensure the following

• Fortanix CNG Client (Download).

  • Fortanix API key to configure the CNG client.

• Windows IIS server admin access to install the CNG client.

• Keyfactor Portal access is required to configure Orchestrator and for the certificate enrollment process.

• Keyfactor Universal IIS Orchestrator version 10.1.1 or later.

4.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

4.1 Signing Up

To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.

For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.

4.2 Creating an Account

Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.

For more information on how to set up an account in Fortanix DSM, refer to the User's Guide: Getting Started with Fortanix Data Security Manager - UI.

4.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

1. In the DSM left navigation panel, click the Groups menu item, and then click the + button to create a new group.

   

2. On the Adding new group page, do the following:

   1. Title: Enter a name for your group.

   2. Description (optional): Enter a short description of the group.

3. Click SAVE to create the new group.

The new group is added to the Fortanix DSM successfully.

4.4 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

1. In the DSM left navigation panel, click the Apps menu item, and then click the + button to create a new app.

   

2. On the Adding new app page, do the following:

   1. App name: Enter the name for your application.

   2. ADD DESCRIPTION (optional): Enter a short description of the application.

   3. Authentication method: Select the default API Key as the authentication method from the drop down menu. For more information on these authentication methods, refer to the User's Guide: Authentication.

   4. Assigning the new app to groups: Select the group created in Section 4.3: Creating a Group from the list.

3. Click SAVE to add the new application.

The new application is added to the Fortanix DSM successfully.

4.5 Copying the API Key

Perform the following steps to copy the API key from the Fortanix DSM:

1. In the DSM left navigation panel, click the Apps menu item, and then click the app created in Section 4.4: Creating an Application to go to the detailed view of the app.

2. On the INFO tab, click VIEW API KEY DETAILS.

3. From the API Key Details dialog box, copy the API Key of the app to use it later.

5.0 Configure Key Factor IIS Orchestrator

This section describes the steps required to configure the Keyfactor IIS Orchestrator. For more information, refer to https://github.com/Keyfactor/iis-orchestrator.

1. Register the IIS universal Orchestrator with Keyfactor
   See the Keyfactor documentation, InstallingKeyfactorOrchestrators.pdf. Contact your Keyfactor representative for more details. Also make sure the IISU extension is enabled or configured on the Keyfactor Orchestrator.

   

2. Create the new certificate store type for the IIS Orchestrator: On the Keyfactor homepage, go to Settings (cog wheel icon) → Certificate Store Types → ADD

   

   • Certificate Store Type settings: Basic

     

   • Certificate Store Type settings: Advanced

     

   • Certificate Store Type settings: Custom Fields

     

   • Certificate Store Type settings: Entry Parameters

     

     NOTE

     For the certificate that a reenrollment job is enrolling, the Provider Name field is required to generate and store the private key in the Fortanix DSM.

3. Create an IIS binding certificate store within the Keyfactor command center: On the Keyfactor home page, click Locations → Certificate Stores from the drop down menu.

   

   

6.0 Certificate Enrollment

1. In the Management Portal, browse to Locations → Certificate Stores.

2. On the Certificate Stores page, select the Certificate Stores tab (the default when you first visit the page)

3. On the Certificate Stores tab, highlight the certificate to reenroll in the Certificate Stores table and click REENROLLMENT at the top of the table or right-click the store location in the table and select Reenrollment from the right-click menu.

4. On the Reenrollment dialog, enter the following:

   • Subject Name for the new certificate using X.500 format

   • Port where to bind the site

   • IP Address

   • SNI Flag

   • Protocol

   • Provider Name as Fortanix KMS CNG Provider

   • Site Name

   • SAN (optional)

   • HostName

   • Certificate Authority

   • Select a Template

   NOTE

   If you do not select a template or CA for reenrollment, the values configured for the "Template for Submitted CSRs" and/or "Certificate Authority for Submitted CSRs" application setting(s) (see Application Settings in Keyfactor) will be used.

5. Click Done to submit the request.

   

   The reenrollment job will be scheduled to run immediately. Visit the Orchestrator Jobs page to check the progress of the job.

   

6.1 Binding

Check the binding status on IIS Site Binding settings.

6.2 Certificate

Check the certificate on the IIS server to confirm the cryptographic provider.