Keyfactor EJBCA CA Integration for RDP

Last modified on April 25, 2024

This guide provides general information on how to add an existing Keyfactor EJBCA certificate authority (CA) as a third-party CA to StrongDM. Using a Keyfactor EJBCA CA allows certificate-based RDP resources to authenticate with certificates issued by Keyfactor EJBCA, instead of the default Strong CA managed by StrongDM.

Prerequisites

Before you begin, ensure that the following requirements are met.

  • Have the Administrator permission level in StrongDM.
  • Have a running Keyfactor instance that is accessible by a StrongDM node (gateway or relay).
  • The EJBCA REST API endpoint for certificate management must be enabled.
  • The REST Certificate Management protocol must be enabled.
  • The client certificate file, key, and CA file must be accessible.
  • Know the hostname of the Keyfactor CA.
  • Have an Active Directory (AD) environment with users and resources configured, and AD configured to trust the Keyfactor CA.
  • Certificate Revocation List (CRL) distribution must be activated and accessible by the Active Directory domain controller for the target AD deployment.

Keyfactor Configuration Considerations

StrongDM doesn’t manage or configure third-party CAs. It is up to you to configure Keyfactor appropriately for your organization, as well as to ensure that the appropriate CA is trusted by the target resources.

Certificate signing requests

How does certificate signing work? StrongDM generates a key pair on the gateway or relay and creates a Certificate Signing Request (CSR) signed with the private key. The CSR is submitted to Keyfactor for signing, and the resulting signed certificate is then used, together with the private key, to authenticate to the target resource. The private key never leaves the gateway or relay on which it was created.

Add Keyfactor EJBCA CA in the Admin UI

To add a Keyfactor EJBCA CA for RDP in the Admin UI, follow these steps.

  1. From the Certificate Authorities page, click Add certificate authority.
  2. Enter the Name for the CA (any name).
  3. For Type, select Keyfactor EJBCA RDP.
  4. The form updates with other CA properties. Complete all required properties.
  5. Click Create certificate authority.

Keyfactor EJBCA RDP CA properties

  • Server Address (Required): Host address of the Keyfactor CA (for example, http://example.com).
  • Certificate File Path (Required): Path to the Keyfactor client certificate in PEM format (for example, /path/to/certificate/admin.pem). The file must contain a client certificate that is recognized by the EJBCA instance at the configured server address. The PEM file may also contain the private key associated with the certificate; alternatively, the private key can be supplied through Key File Path.
  • Key File Path (Optional): Path to the private key in PEM format (for example, /path/to/key/admin.key). The file should contain the private key associated with the client certificate configured in Certificate File Path.
  • CA File Path (Optional): Path to the Keyfactor CA's root CA/public certificate in PEM format (for example, /path/to/ca/example.com.pem). Not required if the CA is already trusted by the host operating system.
  • Key Password Environment Variable (Optional): Environment variable holding the password used to decrypt the key file if it is encrypted (for example, KF_KEY_PASSWORD).
  • Certificate Profile Name (Required): Certificate profile that EJBCA uses to enroll the CSR (for example, RDP_CERT).
  • End Entity Profile Name (Required): End entity profile that EJBCA uses to enroll the CSR (for example, RDP_RELAY).
  • Certificate Authority Name (Required): Name of the EJBCA CA that enrolls the CSR (for example, ManagementCA).
  • Enrollment Username Environment Variable (Optional): Environment variable holding the username that EJBCA uses during enrollment (for example, KF_ENROLL_USERNAME). If not specified, the username must be auto-generated on the Keyfactor side.
  • Enrollment Code Environment Variable (Optional): Environment variable holding the enrollment code that EJBCA uses during enrollment (for example, KF_ENROLL_CODE). May be left blank if no code is required.

Add the Keyfactor EJBCA RDP CA to a Certificate-Based RDP Server

  1. If you have not already done so, follow the instructions to add an RDP server with certificate authentication.
  2. On the resource form, pay particular attention to Certificate Authority. For this field, select the newly added Keyfactor EJBCA RDP CA.
  3. Complete all required fields and save.
  4. Test the connection to the resource (for example, use Remote Desktop to connect).

Manage the CA

After you have added the Keyfactor EJBCA CA and set a certificate-based server to use it, you may manage the CA and review its settings on the Certificate Authorities page of the Admin UI. You may select the CA from the list or click its Details button to view diagnostics, update its settings, or delete the CA configuration.

The Diagnostics tab shows all the nodes (gateways and relays) that are configured to access the CA, as well as health information for the nodes.

If no gateway or relay is able to access the CA, review the CA’s Settings tab and make sure the CA credentials (certificate, key and CA file paths, and the referenced environment variables) are correct.

Additional Information

Third-party CAs may also be added and managed in the CLI, SDKs, and Terraform. Note that third-party CAs are treated like secret stores in the CLI, SDKs, and Terraform; as such, they use the secret store commands, domain objects, and resources.

Add CA in the CLI

To add the Keyfactor EJBCA CA for RDP in the CLI instead of the Admin UI, use the sdm admin secretstores create CLI command. Create your “secret store” by choosing keyfactorX509 as the secret store type.

sdm admin secretstores create keyfactorX509

In the CLI, the options are the same as the Keyfactor EJBCA RDP CA properties set in the Admin UI.

CLI example

# Create Keyfactor EJBCA CA for RDP
# The *-env-var flags take the NAME of an environment variable, not the secret value itself
sdm admin secretstores create keyfactorX509 \
  --ca-file-path="/Users/alice/dev/ejbca/ec2-12-345-678-910-us-east-2-compute-amazonaws-com.pem" \
  --certificate-file-path="/Users/alice/dev/ejbca/admin.pem" \
  --default-certificate-authority-name="ManagementCA" \
  --default-certificate-profile-name="RDP_CERT" \
  --default-end-entity-profile-name="RDP_RELAY" \
  --enrollment-code-env-var="KF_ENROLL_CODE" \
  --enrollment-username-env-var="KF_USERNAME" \
  --key-file-path="/Users/alice/dev/ejbca/admin.key" \
  --key-password-env-var="KF_PM" \
  --name="Keyfactor CA" \
  --server-address="ec2-12-345-678-910-us-east-2-compute-amazonaws.com"

# Create RDP (Certificate Based) server, referencing the secret store ID returned above
sdm admin servers create rdp-cert \
  --name="Example RDP Keyfactor" \
  --hostname="https://host.example.com:1234" \
  --secret-store-id="se-e1b2" \
  --username="username"

# Run secret store healthcheck
sdm admin secretstores healthcheck se-e1b2

# Check that the secret store is reachable
sdm admin secretstores status

# Check the connection to the resource
sdm connect "Example RDP Keyfactor"

Add Keyfactor EJBCA RDP CA in Terraform

In addition to using the Admin UI and CLI, you may use Terraform to add a Keyfactor EJBCA CA for use with certificate-based RDP servers. This section includes a Terraform example.

For additional information, see our Terraform provider documentation.

Terraform example

# Install StrongDM provider
terraform {
  required_providers {
    sdm = {
      source  = "strongdm/sdm"
      version = "7.1.1"
    }
  }
}

# Configure StrongDM provider
provider "sdm" {
  # Add API access key and secret key from Admin UI
  api_access_key = "njjSn...5hM"
  api_secret_key = "ziG...="
}

variable "prefix" {
  type    = string
  default = "example-tf-"
}

# Create Keyfactor EJBCA CA for RDP
# Attribute names follow the provider's snake_case schema (check the provider docs for your
# version); the *_env attributes hold environment variable names, not the secret values
resource "sdm_secret_store" "example-tf-rdp-ca" {
  keyfactor_x_509_store {
    name                               = "${var.prefix}rdp-ca"
    server_address                     = "ec2-12-345-678-910-us-east-2-compute-amazonaws.com"
    ca_file_path                       = "/Users/alice/dev/ejbca/ec2-12-345-678-910-us-east-2-compute-amazonaws-com.pem"
    certificate_file_path              = "/Users/alice/dev/ejbca/admin.pem"
    key_file_path                      = "/Users/alice/dev/ejbca/admin.key"
    key_password_env                   = "KF_PM"
    default_certificate_authority_name = "ManagementCA"
    default_certificate_profile_name   = "RDP_CERT"
    default_end_entity_profile_name    = "RDP_RELAY"
    enrollment_username_env            = "KF_USERNAME"
    enrollment_code_env                = "KF_ENROLL_CODE"
  }
}

# Create RDP (Certificate Based) server
resource "sdm_resource" "example-rdp-cert-based" {
  rdp {
    name            = "${var.prefix}rdp-keyfactor-ca"
    hostname        = "https://keyfactor.example.com:1234"
    secret_store_id = sdm_secret_store.example-tf-rdp-ca.id
    username        = "username"
  }
}

Add Keyfactor EJBCA CA for RDP with the SDKs

To add a Keyfactor EJBCA CA for RDP with the StrongDM SDKs, please see the SDKs on GitHub: