Support · Installation · License · Related Integrations
TODO Overview is a required section
The for Hashicorp Vault Universal Orchestrator extension implements 5 Certificate Store Types. Depending on your use case, you may elect to use one, or all of these Certificate Store Types. Descriptions of each are provided below.
This integration is compatible with Keyfactor Universal Orchestrator version 10.4 and later.
The for Hashicorp Vault Universal Orchestrator extension If you have a support issue, please open a support ticket by either contacting your Keyfactor representative or via the Keyfactor Support Portal at https://support.keyfactor.com.
To report a problem or suggest a new feature, use the Issues tab. If you want to contribute actual bug fixes or proposed enhancements, use the Pull requests tab.
Before installing the for Hashicorp Vault Universal Orchestrator extension, we recommend that you install kfutil. Kfutil is a command-line tool that simplifies the process of creating store types, installing extensions, and instantiating certificate stores in Keyfactor Command.
TODO Requirements is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on Confluence for more info
To use the for Hashicorp Vault Universal Orchestrator extension, you must create the Certificate Store Types required for your use-case. This only needs to happen once per Keyfactor Command instance.
The for Hashicorp Vault Universal Orchestrator extension implements 5 Certificate Store Types. Depending on your use case, you may elect to use one, or all of these Certificate Store Types.
Click to expand details
TODO Overview is a required section TODO Global Store Type Section is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on Confluence for more info
TODO Requirements is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on Confluence for more info
| Operation | Is Supported |
|---|---|
| Add | 🔲 Unchecked |
| Remove | 🔲 Unchecked |
| Discovery | 🔲 Unchecked |
| Reenrollment | 🔲 Unchecked |
| Create | 🔲 Unchecked |
kfutil is a custom CLI for the Keyfactor Command API and can be used to create certificate store types.
For more information on kfutil check out the docs
Click to expand HCVPKI kfutil details
This will reach out to GitHub and pull the latest store-type definition
# Hashicorp Vault PKI
kfutil store-types create HCVPKIIf required, it is possible to create store types from the integration-manifest.json included in this repo. You would first download the integration-manifest.json and then run the following command in your offline environment.
kfutil store-types create --from-file integration-manifest.jsonBelow are instructions on how to create the HCVPKI store type manually in the Keyfactor Command Portal
Click to expand manual HCVPKI details
Create a store type called HCVPKI with the attributes in the tables below:
| Attribute | Value | Description |
|---|---|---|
| Name | Hashicorp Vault PKI | Display name for the store type (may be customized) |
| Short Name | HCVPKI | Short display name for the store type |
| Capability | HCVPKI | Store type name orchestrator will register with. Check the box to allow entry of value |
| Supports Add | 🔲 Unchecked | Indicates that the Store Type supports Management Add |
| Supports Remove | 🔲 Unchecked | Indicates that the Store Type supports Management Remove |
| Supports Discovery | 🔲 Unchecked | Indicates that the Store Type supports Discovery |
| Supports Reenrollment | 🔲 Unchecked | Indicates that the Store Type supports Reenrollment |
| Supports Create | 🔲 Unchecked | Indicates that the Store Type supports store creation |
| Needs Server | âś… Checked | Determines if a target server name is required when creating store |
| Blueprint Allowed | 🔲 Unchecked | Determines if store type may be included in an Orchestrator blueprint |
| Uses PowerShell | 🔲 Unchecked | Determines if underlying implementation is PowerShell |
| Requires Store Password | 🔲 Unchecked | Enables users to optionally specify a store password when defining a Certificate Store. |
| Supports Entry Password | 🔲 Unchecked | Determines if an individual entry within a store can have a password. |
The Basic tab should look like this:
| Attribute | Value | Description |
|---|---|---|
| Supports Custom Alias | Forbidden | Determines if an individual entry within a store can have a custom Alias. |
| Private Key Handling | Forbidden | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. |
| PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) |
The Advanced tab should look like this:
For Keyfactor Command versions 24.4 and later, a Certificate Format dropdown is available with PFX and PEM options. Ensure that PFX is selected, as this determines the format of new and renewed certificates sent to the Orchestrator during a Management job. Currently, all Keyfactor-supported Orchestrator extensions support only PFX.
Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed. The following custom fields should be added to the store type:
| Name | Display Name | Description | Type | Default Value/Options | Required |
|---|---|---|---|---|---|
| ServerUsername | Server Username | The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200 | Secret | âś… Checked | |
| ServerPassword | Server Password | Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance | Secret | âś… Checked | |
| MountPoint | Mount Point | This is the mount point of the instance of the PKI or Keyfactor secrets engine plugin. If using enterprise namespaces: / | String | âś… Checked |
The Custom Fields tab should look like this:
Click to expand details
TODO Overview is a required section TODO Global Store Type Section is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on Confluence for more info
TODO Requirements is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on Confluence for more info
| Operation | Is Supported |
|---|---|
| Add | âś… Checked |
| Remove | âś… Checked |
| Discovery | âś… Checked |
| Reenrollment | 🔲 Unchecked |
| Create | âś… Checked |
kfutil is a custom CLI for the Keyfactor Command API and can be used to create certificate store types.
For more information on kfutil check out the docs
Click to expand HCVKVPEM kfutil details
This will reach out to GitHub and pull the latest store-type definition
# Hashicorp Vault Key-Value PEM
kfutil store-types create HCVKVPEMIf required, it is possible to create store types from the integration-manifest.json included in this repo. You would first download the integration-manifest.json and then run the following command in your offline environment.
kfutil store-types create --from-file integration-manifest.jsonBelow are instructions on how to create the HCVKVPEM store type manually in the Keyfactor Command Portal
Click to expand manual HCVKVPEM details
Create a store type called HCVKVPEM with the attributes in the tables below:
| Attribute | Value | Description |
|---|---|---|
| Name | Hashicorp Vault Key-Value PEM | Display name for the store type (may be customized) |
| Short Name | HCVKVPEM | Short display name for the store type |
| Capability | HCVKVPEM | Store type name orchestrator will register with. Check the box to allow entry of value |
| Supports Add | âś… Checked | Check the box. Indicates that the Store Type supports Management Add |
| Supports Remove | âś… Checked | Check the box. Indicates that the Store Type supports Management Remove |
| Supports Discovery | âś… Checked | Check the box. Indicates that the Store Type supports Discovery |
| Supports Reenrollment | 🔲 Unchecked | Indicates that the Store Type supports Reenrollment |
| Supports Create | âś… Checked | Check the box. Indicates that the Store Type supports store creation |
| Needs Server | âś… Checked | Determines if a target server name is required when creating store |
| Blueprint Allowed | 🔲 Unchecked | Determines if store type may be included in an Orchestrator blueprint |
| Uses PowerShell | 🔲 Unchecked | Determines if underlying implementation is PowerShell |
| Requires Store Password | 🔲 Unchecked | Enables users to optionally specify a store password when defining a Certificate Store. |
| Supports Entry Password | 🔲 Unchecked | Determines if an individual entry within a store can have a password. |
The Basic tab should look like this:
| Attribute | Value | Description |
|---|---|---|
| Supports Custom Alias | Required | Determines if an individual entry within a store can have a custom Alias. |
| Private Key Handling | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. |
| PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) |
The Advanced tab should look like this:
For Keyfactor Command versions 24.4 and later, a Certificate Format dropdown is available with PFX and PEM options. Ensure that PFX is selected, as this determines the format of new and renewed certificates sent to the Orchestrator during a Management job. Currently, all Keyfactor-supported Orchestrator extensions support only PFX.
Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed. The following custom fields should be added to the store type:
| Name | Display Name | Description | Type | Default Value/Options | Required |
|---|---|---|---|---|---|
| ServerUsername | Server Username | The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200 | Secret | âś… Checked | |
| ServerPassword | Server Password | Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance | Secret | âś… Checked | |
| SubfolderInventory | Subfolder Inventory | Should certificates found in sub-paths be included when performing an inventory? | Bool | false | 🔲 Unchecked |
| IncludeCertChain | Include Certificate Chain | Should the certificate chain be included when performing an enrollment? | Bool | false | 🔲 Unchecked |
| MountPoint | Mount Point | The base mount point of the secrets engine. If using Vault Namespaces, include the namespace; ie. / | String | 🔲 Unchecked |
The Custom Fields tab should look like this:
Click to expand details
TODO Overview is a required section TODO Global Store Type Section is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on Confluence for more info
TODO Requirements is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on Confluence for more info
| Operation | Is Supported |
|---|---|
| Add | âś… Checked |
| Remove | âś… Checked |
| Discovery | âś… Checked |
| Reenrollment | 🔲 Unchecked |
| Create | âś… Checked |
kfutil is a custom CLI for the Keyfactor Command API and can be used to create certificate store types.
For more information on kfutil check out the docs
Click to expand HCVKVJKS kfutil details
This will reach out to GitHub and pull the latest store-type definition
# Hashicorp Vault Key-Value JKS
kfutil store-types create HCVKVJKSIf required, it is possible to create store types from the integration-manifest.json included in this repo. You would first download the integration-manifest.json and then run the following command in your offline environment.
kfutil store-types create --from-file integration-manifest.jsonBelow are instructions on how to create the HCVKVJKS store type manually in the Keyfactor Command Portal
Click to expand manual HCVKVJKS details
Create a store type called HCVKVJKS with the attributes in the tables below:
| Attribute | Value | Description |
|---|---|---|
| Name | Hashicorp Vault Key-Value JKS | Display name for the store type (may be customized) |
| Short Name | HCVKVJKS | Short display name for the store type |
| Capability | HCVKVJKS | Store type name orchestrator will register with. Check the box to allow entry of value |
| Supports Add | âś… Checked | Check the box. Indicates that the Store Type supports Management Add |
| Supports Remove | âś… Checked | Check the box. Indicates that the Store Type supports Management Remove |
| Supports Discovery | âś… Checked | Check the box. Indicates that the Store Type supports Discovery |
| Supports Reenrollment | 🔲 Unchecked | Indicates that the Store Type supports Reenrollment |
| Supports Create | âś… Checked | Check the box. Indicates that the Store Type supports store creation |
| Needs Server | âś… Checked | Determines if a target server name is required when creating store |
| Blueprint Allowed | 🔲 Unchecked | Determines if store type may be included in an Orchestrator blueprint |
| Uses PowerShell | 🔲 Unchecked | Determines if underlying implementation is PowerShell |
| Requires Store Password | 🔲 Unchecked | Enables users to optionally specify a store password when defining a Certificate Store. |
| Supports Entry Password | 🔲 Unchecked | Determines if an individual entry within a store can have a password. |
The Basic tab should look like this:
| Attribute | Value | Description |
|---|---|---|
| Supports Custom Alias | Required | Determines if an individual entry within a store can have a custom Alias. |
| Private Key Handling | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. |
| PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) |
The Advanced tab should look like this:
For Keyfactor Command versions 24.4 and later, a Certificate Format dropdown is available with PFX and PEM options. Ensure that PFX is selected, as this determines the format of new and renewed certificates sent to the Orchestrator during a Management job. Currently, all Keyfactor-supported Orchestrator extensions support only PFX.
Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed. The following custom fields should be added to the store type:
| Name | Display Name | Description | Type | Default Value/Options | Required |
|---|---|---|---|---|---|
| ServerUsername | Server Username | The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200 | Secret | âś… Checked | |
| ServerPassword | Server Password | Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance | Secret | âś… Checked | |
| IncludeCertChain | Include Certificate Chain | Should the certificate chain be included when performing an enrollment? | Bool | false | 🔲 Unchecked |
| MountPoint | Mount Point | The base mount point of the secrets engine. If using Vault Namespaces, include the namespace; ie. / | String | 🔲 Unchecked |
The Custom Fields tab should look like this:
Click to expand details
TODO Overview is a required section TODO Global Store Type Section is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on Confluence for more info
TODO Requirements is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on Confluence for more info
| Operation | Is Supported |
|---|---|
| Add | âś… Checked |
| Remove | âś… Checked |
| Discovery | âś… Checked |
| Reenrollment | 🔲 Unchecked |
| Create | âś… Checked |
kfutil is a custom CLI for the Keyfactor Command API and can be used to create certificate store types.
For more information on kfutil check out the docs
Click to expand HCVKVP12 kfutil details
This will reach out to GitHub and pull the latest store-type definition
# Hashicorp Vault Key-Value PKCS12
kfutil store-types create HCVKVP12If required, it is possible to create store types from the integration-manifest.json included in this repo. You would first download the integration-manifest.json and then run the following command in your offline environment.
kfutil store-types create --from-file integration-manifest.jsonBelow are instructions on how to create the HCVKVP12 store type manually in the Keyfactor Command Portal
Click to expand manual HCVKVP12 details
Create a store type called HCVKVP12 with the attributes in the tables below:
| Attribute | Value | Description |
|---|---|---|
| Name | Hashicorp Vault Key-Value PKCS12 | Display name for the store type (may be customized) |
| Short Name | HCVKVP12 | Short display name for the store type |
| Capability | HCVKVP12 | Store type name orchestrator will register with. Check the box to allow entry of value |
| Supports Add | âś… Checked | Check the box. Indicates that the Store Type supports Management Add |
| Supports Remove | âś… Checked | Check the box. Indicates that the Store Type supports Management Remove |
| Supports Discovery | âś… Checked | Check the box. Indicates that the Store Type supports Discovery |
| Supports Reenrollment | 🔲 Unchecked | Indicates that the Store Type supports Reenrollment |
| Supports Create | âś… Checked | Check the box. Indicates that the Store Type supports store creation |
| Needs Server | âś… Checked | Determines if a target server name is required when creating store |
| Blueprint Allowed | 🔲 Unchecked | Determines if store type may be included in an Orchestrator blueprint |
| Uses PowerShell | 🔲 Unchecked | Determines if underlying implementation is PowerShell |
| Requires Store Password | 🔲 Unchecked | Enables users to optionally specify a store password when defining a Certificate Store. |
| Supports Entry Password | 🔲 Unchecked | Determines if an individual entry within a store can have a password. |
The Basic tab should look like this:
| Attribute | Value | Description |
|---|---|---|
| Supports Custom Alias | Required | Determines if an individual entry within a store can have a custom Alias. |
| Private Key Handling | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. |
| PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) |
The Advanced tab should look like this:
For Keyfactor Command versions 24.4 and later, a Certificate Format dropdown is available with PFX and PEM options. Ensure that PFX is selected, as this determines the format of new and renewed certificates sent to the Orchestrator during a Management job. Currently, all Keyfactor-supported Orchestrator extensions support only PFX.
Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed. The following custom fields should be added to the store type:
| Name | Display Name | Description | Type | Default Value/Options | Required |
|---|---|---|---|---|---|
| ServerUsername | Server Username | The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200 | Secret | âś… Checked | |
| ServerPassword | Server Password | Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance | Secret | âś… Checked | |
| IncludeCertChain | Include Certificate Chain | Should the certificate chain be included when performing an enrollment? | Bool | false | 🔲 Unchecked |
| MountPoint | Mount Point | The base mount point of the secrets engine. If using Vault Namespaces, include the namespace; ie. / | String | 🔲 Unchecked |
The Custom Fields tab should look like this:
Click to expand details
TODO Overview is a required section TODO Global Store Type Section is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on Confluence for more info
TODO Requirements is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on Confluence for more info
| Operation | Is Supported |
|---|---|
| Add | âś… Checked |
| Remove | âś… Checked |
| Discovery | âś… Checked |
| Reenrollment | 🔲 Unchecked |
| Create | âś… Checked |
kfutil is a custom CLI for the Keyfactor Command API and can be used to create certificate store types.
For more information on kfutil check out the docs
Click to expand HCVKVPFX kfutil details
This will reach out to GitHub and pull the latest store-type definition
# Hashicorp Vault Key-Value PFX
kfutil store-types create HCVKVPFXIf required, it is possible to create store types from the integration-manifest.json included in this repo. You would first download the integration-manifest.json and then run the following command in your offline environment.
kfutil store-types create --from-file integration-manifest.jsonBelow are instructions on how to create the HCVKVPFX store type manually in the Keyfactor Command Portal
Click to expand manual HCVKVPFX details
Create a store type called HCVKVPFX with the attributes in the tables below:
| Attribute | Value | Description |
|---|---|---|
| Name | Hashicorp Vault Key-Value PFX | Display name for the store type (may be customized) |
| Short Name | HCVKVPFX | Short display name for the store type |
| Capability | HCVKVPFX | Store type name orchestrator will register with. Check the box to allow entry of value |
| Supports Add | âś… Checked | Check the box. Indicates that the Store Type supports Management Add |
| Supports Remove | âś… Checked | Check the box. Indicates that the Store Type supports Management Remove |
| Supports Discovery | âś… Checked | Check the box. Indicates that the Store Type supports Discovery |
| Supports Reenrollment | 🔲 Unchecked | Indicates that the Store Type supports Reenrollment |
| Supports Create | âś… Checked | Check the box. Indicates that the Store Type supports store creation |
| Needs Server | âś… Checked | Determines if a target server name is required when creating store |
| Blueprint Allowed | 🔲 Unchecked | Determines if store type may be included in an Orchestrator blueprint |
| Uses PowerShell | 🔲 Unchecked | Determines if underlying implementation is PowerShell |
| Requires Store Password | 🔲 Unchecked | Enables users to optionally specify a store password when defining a Certificate Store. |
| Supports Entry Password | 🔲 Unchecked | Determines if an individual entry within a store can have a password. |
The Basic tab should look like this:
| Attribute | Value | Description |
|---|---|---|
| Supports Custom Alias | Required | Determines if an individual entry within a store can have a custom Alias. |
| Private Key Handling | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. |
| PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) |
The Advanced tab should look like this:
For Keyfactor Command versions 24.4 and later, a Certificate Format dropdown is available with PFX and PEM options. Ensure that PFX is selected, as this determines the format of new and renewed certificates sent to the Orchestrator during a Management job. Currently, all Keyfactor-supported Orchestrator extensions support only PFX.
Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed. The following custom fields should be added to the store type:
| Name | Display Name | Description | Type | Default Value/Options | Required |
|---|---|---|---|---|---|
| ServerUsername | Server Username | The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200 | Secret | âś… Checked | |
| ServerPassword | Server Password | Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance | Secret | âś… Checked | |
| IncludeCertChain | Include Certificate Chain | Should the certificate chain be included when performing an enrollment? | Bool | false | 🔲 Unchecked |
| MountPoint | Mount Point | The base mount point of the secrets engine. If using Vault Namespaces, include the namespace; ie. / | String | 🔲 Unchecked |
The Custom Fields tab should look like this:
-
Download the latest for Hashicorp Vault Universal Orchestrator extension from GitHub.
Navigate to the for Hashicorp Vault Universal Orchestrator extension GitHub version page. Refer to the compatibility matrix below to determine whether the
net6.0ornet8.0asset should be downloaded. Then, click the corresponding asset to download the zip archive.Universal Orchestrator Version Latest .NET version installed on the Universal Orchestrator server rollForwardcondition inOrchestrator.runtimeconfig.jsonhashicorp-vault-orchestrator.NET version to downloadOlder than 11.0.0net6.0Between 11.0.0and11.5.1(inclusive)net6.0net6.0Between 11.0.0and11.5.1(inclusive)net8.0Disablenet6.0Between 11.0.0and11.5.1(inclusive)net8.0LatestMajornet8.011.6and newernet8.0net8.0Unzip the archive containing extension assemblies to a known location.
Note If you don't see an asset with a corresponding .NET version, you should always assume that it was compiled for
net6.0. -
Locate the Universal Orchestrator extensions directory.
- Default on Windows -
C:\Program Files\Keyfactor\Keyfactor Orchestrator\extensions - Default on Linux -
/opt/keyfactor/orchestrator/extensions
- Default on Windows -
-
Create a new directory for the for Hashicorp Vault Universal Orchestrator extension inside the extensions directory.
Create a new directory called
hashicorp-vault-orchestrator.The directory name does not need to match any names used elsewhere; it just has to be unique within the extensions directory.
-
Copy the contents of the downloaded and unzipped assemblies from step 2 to the
hashicorp-vault-orchestratordirectory. -
Restart the Universal Orchestrator service.
Refer to Starting/Restarting the Universal Orchestrator service.
-
(optional) PAM Integration
The for Hashicorp Vault Universal Orchestrator extension is compatible with all supported Keyfactor PAM extensions to resolve PAM-eligible secrets. PAM extensions running on Universal Orchestrators enable secure retrieval of secrets from a connected PAM provider.
To configure a PAM provider, reference the Keyfactor Integration Catalog to select an extension and follow the associated instructions to install it on the Universal Orchestrator (remote).
The above installation steps can be supplemented by the official Command documentation.
TODO Post Installation is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on Confluence for more info
The for Hashicorp Vault Universal Orchestrator extension implements 5 Certificate Store Types, each of which implements different functionality. Refer to the individual instructions below for each Certificate Store Type that you deemed necessary for your use case from the installation section.
Hashicorp Vault PKI (HCVPKI)
TODO Global Store Type Section is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on Confluence for more info
TODO Certificate Store Configuration is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on Confluence for more info
Click to expand details
-
Navigate to the Certificate Stores page in Keyfactor Command.
Log into Keyfactor Command, toggle the Locations dropdown, and click Certificate Stores.
-
Add a Certificate Store.
Click the Add button to add a new Certificate Store. Use the table below to populate the Attributes in the Add form.
Attribute Description Category Select "Hashicorp Vault PKI" or the customized certificate store name from the previous step. Container Optional container to associate certificate store with. Client Machine This can be any value to help uniquely identify the store. It is not used by this integration. Store Path For HCVPKI, this will be '/' Orchestrator Select an approved orchestrator capable of managing HCVPKIcertificates. Specifically, one with theHCVPKIcapability.ServerUsername The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200 ServerPassword Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance MountPoint This is the mount point of the instance of the PKI or Keyfactor secrets engine plugin. If using enterprise namespaces: /
Click to expand details
-
Generate a CSV template for the HCVPKI certificate store
kfutil stores import generate-template --store-type-name HCVPKI --outpath HCVPKI.csv
-
Populate the generated CSV file
Open the CSV file, and reference the table below to populate parameters for each Attribute.
Attribute Description Category Select "Hashicorp Vault PKI" or the customized certificate store name from the previous step. Container Optional container to associate certificate store with. Client Machine This can be any value to help uniquely identify the store. It is not used by this integration. Store Path For HCVPKI, this will be '/' Orchestrator Select an approved orchestrator capable of managing HCVPKIcertificates. Specifically, one with theHCVPKIcapability.Properties.ServerUsername The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200 Properties.ServerPassword Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance Properties.MountPoint This is the mount point of the instance of the PKI or Keyfactor secrets engine plugin. If using enterprise namespaces: / -
Import the CSV file to create the certificate stores
kfutil stores import csv --store-type-name HCVPKI --file HCVPKI.csv
Attributes eligible for retrieval by a PAM Provider on the Universal Orchestrator
If a PAM provider was installed on the Universal Orchestrator in the Installation section, the following parameters can be configured for retrieval on the Universal Orchestrator.
| Attribute | Description |
|---|---|
| ServerUsername | The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200 |
| ServerPassword | Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance |
Please refer to the Universal Orchestrator (remote) usage section (PAM providers on the Keyfactor Integration Catalog) for your selected PAM provider for instructions on how to load attributes orchestrator-side.
Any secret can be rendered by a PAM provider installed on the Keyfactor Command server. The above parameters are specific to attributes that can be fetched by an installed PAM provider running on the Universal Orchestrator server itself.
The content in this section can be supplemented by the official Command documentation.
Hashicorp Vault Key-Value PEM (HCVKVPEM)
TODO Global Store Type Section is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on Confluence for more info
TODO Certificate Store Configuration is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on Confluence for more info
Click to expand details
-
Navigate to the Certificate Stores page in Keyfactor Command.
Log into Keyfactor Command, toggle the Locations dropdown, and click Certificate Stores.
-
Add a Certificate Store.
Click the Add button to add a new Certificate Store. Use the table below to populate the Attributes in the Add form.
Attribute Description Category Select "Hashicorp Vault Key-Value PEM" or the customized certificate store name from the previous step. Container Optional container to associate certificate store with. Client Machine This can be any value to help uniquely identify the store. It is not used by this integration. Store Path This is the path after mount point where the certificates will be stored. Orchestrator Select an approved orchestrator capable of managing HCVKVPEMcertificates. Specifically, one with theHCVKVPEMcapability.ServerUsername The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200 ServerPassword Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance SubfolderInventory Should certificates found in sub-paths be included when performing an inventory? IncludeCertChain Should the certificate chain be included when performing an enrollment? MountPoint The base mount point of the secrets engine. If using Vault Namespaces, include the namespace; ie. /
Click to expand details
-
Generate a CSV template for the HCVKVPEM certificate store
kfutil stores import generate-template --store-type-name HCVKVPEM --outpath HCVKVPEM.csv
-
Populate the generated CSV file
Open the CSV file, and reference the table below to populate parameters for each Attribute.
Attribute Description Category Select "Hashicorp Vault Key-Value PEM" or the customized certificate store name from the previous step. Container Optional container to associate certificate store with. Client Machine This can be any value to help uniquely identify the store. It is not used by this integration. Store Path This is the path after mount point where the certificates will be stored. Orchestrator Select an approved orchestrator capable of managing HCVKVPEMcertificates. Specifically, one with theHCVKVPEMcapability.Properties.ServerUsername The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200 Properties.ServerPassword Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance Properties.SubfolderInventory Should certificates found in sub-paths be included when performing an inventory? Properties.IncludeCertChain Should the certificate chain be included when performing an enrollment? Properties.MountPoint The base mount point of the secrets engine. If using Vault Namespaces, include the namespace; ie. / -
Import the CSV file to create the certificate stores
kfutil stores import csv --store-type-name HCVKVPEM --file HCVKVPEM.csv
Attributes eligible for retrieval by a PAM Provider on the Universal Orchestrator
If a PAM provider was installed on the Universal Orchestrator in the Installation section, the following parameters can be configured for retrieval on the Universal Orchestrator.
| Attribute | Description |
|---|---|
| ServerUsername | The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200 |
| ServerPassword | Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance |
Please refer to the Universal Orchestrator (remote) usage section (PAM providers on the Keyfactor Integration Catalog) for your selected PAM provider for instructions on how to load attributes orchestrator-side.
Any secret can be rendered by a PAM provider installed on the Keyfactor Command server. The above parameters are specific to attributes that can be fetched by an installed PAM provider running on the Universal Orchestrator server itself.
The content in this section can be supplemented by the official Command documentation.
Hashicorp Vault Key-Value JKS (HCVKVJKS)
TODO Global Store Type Section is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on Confluence for more info
TODO Certificate Store Configuration is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on Confluence for more info
Click to expand details
-
Navigate to the Certificate Stores page in Keyfactor Command.
Log into Keyfactor Command, toggle the Locations dropdown, and click Certificate Stores.
-
Add a Certificate Store.
Click the Add button to add a new Certificate Store. Use the table below to populate the Attributes in the Add form.
Attribute Description Category Select "Hashicorp Vault Key-Value JKS" or the customized certificate store name from the previous step. Container Optional container to associate certificate store with. Client Machine This can be any value to help uniquely identify the store. It is not used by this integration. Store Path This is the path to the secret containing the store. Orchestrator Select an approved orchestrator capable of managing HCVKVJKScertificates. Specifically, one with theHCVKVJKScapability.ServerUsername The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200 ServerPassword Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance IncludeCertChain Should the certificate chain be included when performing an enrollment? MountPoint The base mount point of the secrets engine. If using Vault Namespaces, include the namespace; ie. /
Click to expand details
-
Generate a CSV template for the HCVKVJKS certificate store
kfutil stores import generate-template --store-type-name HCVKVJKS --outpath HCVKVJKS.csv
-
Populate the generated CSV file
Open the CSV file, and reference the table below to populate parameters for each Attribute.
Attribute Description Category Select "Hashicorp Vault Key-Value JKS" or the customized certificate store name from the previous step. Container Optional container to associate certificate store with. Client Machine This can be any value to help uniquely identify the store. It is not used by this integration. Store Path This is the path to the secret containing the store. Orchestrator Select an approved orchestrator capable of managing HCVKVJKScertificates. Specifically, one with theHCVKVJKScapability.Properties.ServerUsername The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200 Properties.ServerPassword Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance Properties.IncludeCertChain Should the certificate chain be included when performing an enrollment? Properties.MountPoint The base mount point of the secrets engine. If using Vault Namespaces, include the namespace; ie. / -
Import the CSV file to create the certificate stores
kfutil stores import csv --store-type-name HCVKVJKS --file HCVKVJKS.csv
Attributes eligible for retrieval by a PAM Provider on the Universal Orchestrator
If a PAM provider was installed on the Universal Orchestrator in the Installation section, the following parameters can be configured for retrieval on the Universal Orchestrator.
| Attribute | Description |
|---|---|
| ServerUsername | The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200 |
| ServerPassword | Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance |
Please refer to the Universal Orchestrator (remote) usage section (PAM providers on the Keyfactor Integration Catalog) for your selected PAM provider for instructions on how to load attributes orchestrator-side.
Any secret can be rendered by a PAM provider installed on the Keyfactor Command server. The above parameters are specific to attributes that can be fetched by an installed PAM provider running on the Universal Orchestrator server itself.
The content in this section can be supplemented by the official Command documentation.
Hashicorp Vault Key-Value PKCS12 (HCVKVP12)
TODO Global Store Type Section is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on Confluence for more info
TODO Certificate Store Configuration is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on Confluence for more info
Click to expand details
-
Navigate to the Certificate Stores page in Keyfactor Command.
Log into Keyfactor Command, toggle the Locations dropdown, and click Certificate Stores.
-
Add a Certificate Store.
Click the Add button to add a new Certificate Store. Use the table below to populate the Attributes in the Add form.
Attribute Description Category Select "Hashicorp Vault Key-Value PKCS12" or the customized certificate store name from the previous step. Container Optional container to associate certificate store with. Client Machine This can be any value to help uniquely identify the store. It is not used by this integration. Store Path This is the path to the secret containing the store. Orchestrator Select an approved orchestrator capable of managing HCVKVP12certificates. Specifically, one with theHCVKVP12capability.ServerUsername The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200 ServerPassword Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance IncludeCertChain Should the certificate chain be included when performing an enrollment? MountPoint The base mount point of the secrets engine. If using Vault Namespaces, include the namespace; ie. /
Click to expand details
-
Generate a CSV template for the HCVKVP12 certificate store
kfutil stores import generate-template --store-type-name HCVKVP12 --outpath HCVKVP12.csv
-
Populate the generated CSV file
Open the CSV file, and reference the table below to populate parameters for each Attribute.
Attribute Description Category Select "Hashicorp Vault Key-Value PKCS12" or the customized certificate store name from the previous step. Container Optional container to associate certificate store with. Client Machine This can be any value to help uniquely identify the store. It is not used by this integration. Store Path This is the path to the secret containing the store. Orchestrator Select an approved orchestrator capable of managing HCVKVP12certificates. Specifically, one with theHCVKVP12capability.Properties.ServerUsername The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200 Properties.ServerPassword Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance Properties.IncludeCertChain Should the certificate chain be included when performing an enrollment? Properties.MountPoint The base mount point of the secrets engine. If using Vault Namespaces, include the namespace; ie. / -
Import the CSV file to create the certificate stores
kfutil stores import csv --store-type-name HCVKVP12 --file HCVKVP12.csv
Attributes eligible for retrieval by a PAM Provider on the Universal Orchestrator
If a PAM provider was installed on the Universal Orchestrator in the Installation section, the following parameters can be configured for retrieval on the Universal Orchestrator.
| Attribute | Description |
|---|---|
| ServerUsername | The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200 |
| ServerPassword | Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance |
Please refer to the Universal Orchestrator (remote) usage section (PAM providers on the Keyfactor Integration Catalog) for your selected PAM provider for instructions on how to load attributes orchestrator-side.
Any secret can be rendered by a PAM provider installed on the Keyfactor Command server. The above parameters are specific to attributes that can be fetched by an installed PAM provider running on the Universal Orchestrator server itself.
The content in this section can be supplemented by the official Command documentation.
Hashicorp Vault Key-Value PFX (HCVKVPFX)
TODO Global Store Type Section is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on Confluence for more info
TODO Certificate Store Configuration is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on Confluence for more info
Click to expand details
-
Navigate to the Certificate Stores page in Keyfactor Command.
Log into Keyfactor Command, toggle the Locations dropdown, and click Certificate Stores.
-
Add a Certificate Store.
Click the Add button to add a new Certificate Store. Use the table below to populate the Attributes in the Add form.
Attribute Description Category Select "Hashicorp Vault Key-Value PFX" or the customized certificate store name from the previous step. Container Optional container to associate certificate store with. Client Machine This can be any value to help uniquely identify the store. It is not used by this integration. Store Path This is the path to the secret containing the store. Orchestrator Select an approved orchestrator capable of managing HCVKVPFXcertificates. Specifically, one with theHCVKVPFXcapability.ServerUsername The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200 ServerPassword Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance IncludeCertChain Should the certificate chain be included when performing an enrollment? MountPoint The base mount point of the secrets engine. If using Vault Namespaces, include the namespace; ie. /
Click to expand details
-
Generate a CSV template for the HCVKVPFX certificate store
kfutil stores import generate-template --store-type-name HCVKVPFX --outpath HCVKVPFX.csv
-
Populate the generated CSV file
Open the CSV file, and reference the table below to populate parameters for each Attribute.
Attribute Description Category Select "Hashicorp Vault Key-Value PFX" or the customized certificate store name from the previous step. Container Optional container to associate certificate store with. Client Machine This can be any value to help uniquely identify the store. It is not used by this integration. Store Path This is the path to the secret containing the store. Orchestrator Select an approved orchestrator capable of managing HCVKVPFXcertificates. Specifically, one with theHCVKVPFXcapability.Properties.ServerUsername The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200 Properties.ServerPassword Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance Properties.IncludeCertChain Should the certificate chain be included when performing an enrollment? Properties.MountPoint The base mount point of the secrets engine. If using Vault Namespaces, include the namespace; ie. / -
Import the CSV file to create the certificate stores
kfutil stores import csv --store-type-name HCVKVPFX --file HCVKVPFX.csv
Attributes eligible for retrieval by a PAM Provider on the Universal Orchestrator
If a PAM provider was installed on the Universal Orchestrator in the Installation section, the following parameters can be configured for retrieval on the Universal Orchestrator.
| Attribute | Description |
|---|---|
| ServerUsername | The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200 |
| ServerPassword | Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance |
Please refer to the Universal Orchestrator (remote) usage section (PAM providers on the Keyfactor Integration Catalog) for your selected PAM provider for instructions on how to load attributes orchestrator-side.
Any secret can be rendered by a PAM provider installed on the Keyfactor Command server. The above parameters are specific to attributes that can be fetched by an installed PAM provider running on the Universal Orchestrator server itself.
The content in this section can be supplemented by the official Command documentation.
TODO Discovery is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on Confluence for more info
Hashicorp Vault PKI
TODO Global Store Type Section is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on Confluence for more info
TODO Discovery Job Configuration is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on Confluence for more info
Hashicorp Vault Key-Value PEM
TODO Global Store Type Section is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on Confluence for more info
TODO Discovery Job Configuration is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on Confluence for more info
Hashicorp Vault Key-Value JKS
TODO Global Store Type Section is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on Confluence for more info
TODO Discovery Job Configuration is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on Confluence for more info
Hashicorp Vault Key-Value PKCS12
TODO Global Store Type Section is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on Confluence for more info
TODO Discovery Job Configuration is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on Confluence for more info
Hashicorp Vault Key-Value PFX
TODO Global Store Type Section is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on Confluence for more info
TODO Discovery Job Configuration is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on Confluence for more info
Apache License 2.0, see LICENSE.