Keyfactor EJBCA CA Integration for RDP
Last modified on July 30, 2024
This feature is part of the Enterprise bundle. If it is not enabled for your organization, please contact StrongDM at the StrongDM Help Center.
This guide provides general information on how to add an existing Keyfactor EJBCA certificate authority (CA) as a third-party CA to StrongDM. Using a Keyfactor EJBCA CA allows certificate-based RDP resources to authenticate with certificates issued by Keyfactor EJBCA, instead of the default Strong CA managed by StrongDM.
Prerequisites
Before you begin, ensure that the following requirements are met.
- Have the Administrator permission level in StrongDM.
- Have a running Keyfactor instance that is accessible by a StrongDM node (gateway or relay).
- The EJBCA REST API endpoint for certificate management must be enabled.
- The REST Certificate Management protocol must be enabled.
- The client certificate file, key, and CA file must be accessible.
- Know the hostname of the KeyFactor CA.
- Have an Active Directory (AD) environment with users and resources configured, and AD configured to trust the Keyfactor CA.
- Certificate Revocation List (CRL) distribution must be activated and accessible by the Active Directory domain controller for the target AD deployment.
Keyfactor Configuration Considerations
StrongDM doesn’t manage or configure third-party CAs. It is up to you to configure Keyfactor appropriately for your organization, as well as to ensure that the appropriate CA is trusted by the target resources.
Certificate signing requests
How does certificate signing work? StrongDM generates a key pair on the gateway or relay and generates a Certificate Signing Request (CSR) signed by the private key. The CSR is submitted to Keyfactor for signing. The resulting signed certificate is then used, along with the private key, to authenticate to the target resource. The private key never leaves the gateway or relay where it was created.
Add Keyfactor EJBCA CA in the Admin UI
To add a Keyfactor EJBCA CA for RDP in the Admin UI, follow these steps.
- From the Settings > Credentials Management page in the Certificate Authorities tab, click Add certificate authority.
- Enter the Name for the CA (any name).
- For Type, select Keyfactor EJBCA RDP.
- The form updates with other CA properties. Complete all required properties.
- Click Create certificate authority.
Keyfactor EJBCA RDP CA properties
Property | Requirement | Description |
---|---|---|
Server Address | Required | Host address of the Keyfactor CA (for example, http://example.com ) |
Certificate File Path | Required | Path to the Keyfactor client certificate in PEM format (for example, /path/to/certificate/admin.pem ); the certificate must contain a client certificate that is recognized by the EJBCA instance represented by the hostname; the PEM file may also contain the private key associated with the certificate, but the key file also can be set to configure the private key |
Key File Path | Optional | Path to the private key in PEM format (for example, /path/to/key/admin.key ); the file should contain the private key associated with the client certificate configured in the certificate file |
CA File Path | Optional | File path to the Keyfactor CA’s root CA/public certificate in PEM format (for example, /path/to/ca/example.com.pem ); not required if the CA is trusted by the host operating system |
Certificate Profile Name | Required | Certificate profile name that EJBCA uses to enroll the CSR (for example, RDP_CERT ) |
End Entity Profile Name | Required | End entity profile that EJBCA uses to enroll the CSR (for example, RDP_RELAY ) |
Certificate Authority Name | Required | Name of the EJBCA CA that enrolls the CSR (for example, ManagementCA ) |
Enrollment Username Environment Variable | Optional | Environment variable for the username that is used by EJBCA during enrollment (for example, KF_ENROLL_USERNAME ); if not specified, the username must be auto-generated on the Keyfactor side |
Enrollment Code Environment Variable | Optional | Code used by EJBCA during enrollment (for example, KF_ENROLL_CODE ); may be left blank if no code is required |
Add the Keyfactor EJBCA RDP CA to a Certificate-Based RDP Server
- If you have not already done so, follow the instructions to add an RDP server with certificate authentication.
- On the resource form, pay particular attention to Certificate Authority. For this field, select the newly added Keyfactor EJBCA RDP CA.
- Complete all required fields and save.
- Test the connection to the resource (for example, use Remote Desktop to connect).
Manage the CA
After you have added the Keyfactor EJBCA CA and set a certificate-based server to use it, you may manage the CA and review its settings on the Certificate Authorities tab of the Settings > Credentials Management page in the Admin UI. You may select the CA from the list or click its Details button to view diagnostics, update its settings, or delete the CA configuration.
The Diagnostics tab shows all the nodes (gateways and relays) that are configured to access the CA, as well as health information for the nodes.
If the CA is unable to be accessed by any gateway or relay, please review the CA’s Settings tab and make sure the CA credentials are correct.
Additional Information
Third-party CAs also may be added and managed in the CLI, SDKs, and Terraform. Note that third-party CAs are treated like secret stores in the CLI, SDKs, and Terraform. As such, they use secret store commands, domain objects, and resources.
API Account example-terraform-key (cc1e23eb-e456-7891-23c4-edf5678c9123) created a secret store named example-tf-rdp-ca
.Add CA in the CLI
To add the Keyfactor EJBCA CA for RDP in the CLI instead of the Admin UI, use the sdm admin secretstores create CLI command. Create your “secret store” by choosing keyfactorX509
as the secret store type.
sdm admin secretstores create keyfactorX509
In the CLI, the options are the same as the Keyfactor EJBCA RDP CA properties set in the Admin UI.
CLI example
# Create Keyfactor EJBCA CA for RDP
sdm admin secretstores create keyfactorX509
--ca-file-path="/Users/alice/dev/ejbca/ec2-12-345-678-910-us-east-2-compute-amazonaws-com.pem"
--certificate-file-path="/Users/alice/dev/ejbca/admin.pem"
--default-certificate-authority-name="ManagementCA"
--default-certificate-profile-name="RDP_CERT"
--default-end-entity-profile-name="RDP_RELAY"
--enrollment-code-env-var="fh18ksuD73fk81dh46284d"
--enrollment-username-env-var="KF_USERNAME"
--key-file-path="/Users/alice/dev/ejbca/admin.key"
--name="Keyfactor CA"
--server-address="ec2-12-345-678-910-us-east-2-compute-amazonaws.com"
# Create RDP (Certificate Based) server
sdm admin servers create rdp-cert
--name="Example RDP Keyfactor"
--hostname="https://host.example.com:1234"
--secret-store-id="se-e1b2"
--username="username"
# Run secret store healthcheck
sdm admin secretstores healthcheck se-e1b2
# Check that the secret store is reachable
sdm admin secretstores status
# Check the connection to the resource
sdm connect "Example Keyfactor CA"
Add Keyfactor EJBCA RDP CA in Terraform
In addition to using the Admin UI and CLI, you may use Terraform to add a Keyfactor EJBCA CA for use with certificate-based RDP servers. This section includes a Terraform example.
For additional information, see our Terraform provider documentation.
Terraform example
# Install StrongDM provider
terraform {
required_providers {
sdm = {
source = "strongdm/sdm"
version = "7.1.1"
}
}
}
# Configure StrongDM provider
provider "sdm" {
# Add API access key and secret key from Admin UI
api_access_key = "njjSn...5hM"
api_secret_key = "ziG...="
}
variable "prefix" {
type = string
default = "example-tf-"
}
# Create Keyfactor EJBCA CA for RDP
resource "sdm_secret_store" "example-tf-rdp-ca" {
keyfactor_x_509_store {
name = "${var.prefix}rdp-ca"
ca-file-path = "/Users/alice/dev/ejbca/ec2-12-345-678-910-us-east-2-compute-amazonaws-com.pem"
certificate-file-path = "/Users/alice/dev/ejbca/admin.pem"
default-certificate-authority-name = "ManagementCA"
default-certificate-profile-name = "RDP_CERT"
default-end-entity-profile-name = "RDP_RELAY"
enrollment-code-env-var = "fh18ksuD73fk81dh46284d"
enrollment-username-env-var = "KF_USERNAME"
key-file-path = "/Users/alice/dev/ejbca/admin.key"
name = "example-ca-name"
server-address = "ec2-12-345-678-910-us-east-2-compute-amazonaws.com"
}
}
# Create RDP (Certificate Based) server
resource "sdm_resource" "example-rdp-cert-based" {
rdp {
name = "${var.prefix}rdp-keyfactor-ca"
hostname = "https://keyfactor.example.com:1234"
secret_store_id = sdm_secret_store.example-tf-rdp-ca.id
username = "username"
}
}
Add Keyfactor EJBCA CA for RDP with the SDKs
To add a Keyfactor EJBCA CA for RDP with the StrongDM SDKs, please see the SDKs on GitHub: