One search. Every source. One search. Every source.

Use kfutil to bulk create JKS bindings

Created: Updated:

This article will review the procedures required to create multiple remote file JKS file certificate stores in the Command platform. This solution will leverage a CSV file that contains the certificate store details like hostname, store path, and binding details to be managed by Command.

Prerequisites

This document requires:

  • Keyfactor Command
  • A Linux or Windows machine that is running the universal orchestrator
  • The remote-file-orchestrator extension installed and registered with the universal orchestrator
  • A machine where kfutil is installed
  • The user running kfutil has the appropriate rights in Keyfactor Command to issue Keyfactor API and management functions (or an appropriate token, etc.)

Target machine prerequisites

There are some items to consider, depending on the managed target’s environment. If the universal orchestrator logs into the target machine as the JKS store owner, no further configuration is required. If the universal orchestrator logs into the target machine as a different account, then that account must have the permissions described below.

Least privilege configuration

Typically, the target machines for JKS stores are located on Linux-type operating systems. Additionally, the store owner is not the same as the user used by the universal orchestrator to log in. Finally, there may be multiple stores located on the target machine with multiple owners.

The good news is that the remote-file-orchestrator can easily handle these use cases. The following items are required to support the above use cases.

  • The universal orchestrator must log in to the target machine as a sudoer user.
  • The universal orchestrator login user must have sudoer NOPASSWD privileges.
  • The login can be limited to specific commands on the target machine, which is best practice.
  • The universal orchestrator should use a working directory to perform operations on the JKS stores.

What follows is only required if this special use case needs to be configured. This must be done on every machine where there are certificate stores that need management using this use case.

Give universal orchestrator user sudoer privileges

  1. Log in to the target machine as a user with sudo permissions.
  2. Run the following command to find the location of the commands required to manage a JKS.

    which echo find cp ls chown tee rm install

    The result looks similar to the following:

    /usr/bin/echo
    /usr/bin/find
    /usr/bin/cp
    /usr/bin/ls
    /usr/bin/chown
    /usr/bin/tee
    /usr/bin/rm
    /usr/bin/install
  3. Next run the following command.

    sudo visudo -f /etc/sudoers.d/<username>
  4. Add the following line into the file.

    <username> ALL=(ALL) NOPASSWD: <comma_separated_list_of_commands>

    Example for the keyfactor user and the result above:

    sudo visudo -f /etc/sudoers.d/keyfactor
    
    keyfactor ALL=(ALL) NOPASSWD: /usr/bin/echo, /usr/bin/find, /usr/bin/cp, /usr/bin/ls, /usr/bin/chown, /usr/bin/tee, /usr/bin/rm, /usr/bin/install
  5. Log out of the machine as the sudo user.

Create a working directory for the universal orchestrator user

  1. Log in to the machine as the universal orchestrator user.
  2. Create a working directory for the orchestrator.

    mkdir ~/working-directory

Extension configuration prerequisites

Do this only if you are using the least privileged configuration from above. Otherwise, skip to the Create store type step.
  1. Log in to the universal orchestrator machine as a user with sudo permissions.
  2. Edit the configuration file for the remote-file-orchestrator.

    sudo vi <path-to-remote-file-orchestrator>/config.json

    Normally, the path to the universal orchestrator extension is located here:
    /opt/keyfactor/orchestrator/extensions/remote-file-orchestrator/.

  3. Change the following lines in the configuration file.

    • UseSudo → change from "N" to "Y"
    • SeparateUploadFilePath → change from "" to "/home/<username>/working-directory"

    For example, if the universal orchestrator is logging in as keyfactor, the file would look something like the following:

    {
      "UseSudo": "Y",
      "DefaultSudoImpersonatedUser": "",
      "CreateStoreIfMissing": "N",
      "UseNegotiate": "N",
      "SeparateUploadFilePath": "/home/keyfactor/working-directory",
      "FileTransferProtocol": "SCP",
      "DefaultLinuxPermissionsOnStoreCreation": "600",
      "DefaultOwnerOnStoreCreation": "",
      "SSHPort":  ""
    }

Create store type

The first step is to define the store type of the remote file JKS store.

Step 1: Determine if store type exists

  1. Log in to the kfutil machine.
  2. Determine if the RFJKS already exists by running the following kfutil command:

    kfutil store-types list | jq -r '.[].Name'
  3. Look for the RFJKS output. If RFJKS exists, skip the Define store types steps.

Step 2: Define store types

  1. Log in to the kfutil machine.
  2. Create the remote file JKS store type.

    kfutil store-types create
  3. When prompted with Choose an option:, select RFJKS.

Procedure

To bulk configure multiple JKS stores, we utilize a CSV file. The kfutil program requires a specific set of columns to create the certificate stores in Keyfactor Command. These columns vary based on store-types.

Step 1: Create CSV template

We can use the kfutil program to generate this template.

kfutil stores import generate-template --store-type-name=RFJKS

The output should look like the following:

Template file for store type with id 105 written to RFJKS_bulk_import_template.csv

Step 2: Populate the CSV

Populate the CSV with data about the stores you need to access:

Parameter Description Example
AgentId The GUID of the orchestrator that will manage the certificate store. This can be found in Keyfactor Command > Orchestrator > Management and double clicking the orchestrator. The Id field is the GUID to enter here. 91dd52a9-8449-4535-a191-b9b6acf1d2b6
ClientMachine The IP address or DNS of the server hosting the certificate store. 10.10.3.4
ContainerId The Keyfactor assigned GUID for the container in which to populate the certificate or <blank> for no container  
CreateIfMissing When set to true the file is created on the system if it doesn’t exist. When set to false an error code is sent back to Command stating the file does not exist. true
ServerUseSsl When connecting to the remote system containing the JKS file/store, true enables an SSL connection and false does not. For SSH connections, use false false
ServerUsername

One of the following usernames to use when logging into a remote system:

  • A username
  • A valid PAM key if the username is stored in a KF Command configured PAM integration
  • <blank> if accessing a local file and not a remote file
uo-login
ServerPassword

One of the following to use when logging into the remote system:

  • A password associated with the ServerUsername
  • An SSH private key to use instead of a password
  • A valid PAM key if the password is stored in a PAM provider Keyfactor Command has been configured to use
  • <blank> if accessing a local file and not a remote file
S@cret-P@ssword
SudoImpersonatingUser

A valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'. Overrides DefaultSudoImpersonatedUser config.json setting.

Use this ONLY if the user is logging in as the root user. This practice is not recommended.

 
StorePath The full path and file name, including file extension if one exists, where the certificate store file is located. For Linux orchestrated servers, StorePath will begin with a forward slash (i.e. /folder/path/storename.ext). For Windows orchestrated servers, it should begin with a drive letter (i.e. c:\folder\path\storename.ext). /etc/nginx/jks_store.p12
Password

The JKS’s store password.
A JSON structure containing:

{
  "SecretValue": "MySecretPassword",
  "SecretTypeGuid": "123e4567-e89b-12d3-a456-426614174000",
  "InstanceId": "my-instance-id"
}

SecretTypeGuid and InstanceId are optional and not used if the entry is just a password. SecretTypeGuid and InstanceId are typically used ONLY when retrieving data from an HSM or the like.

{
  "SecretValue": "MySecretPassword"
}
 
LinuxFilePermissionsOnStoreCreation A three-digit octet value [000-777] for the Linux file permissions on the certificate store when created. Example: '600' or '755'. Overrides DefaultLinuxPermissionOnStoreCreation config.json setting. 644
LinuxFileOwnerOnStoreCreation A valid username to set for the store owner and store group. www-data
InventorySchedule.Weekly.Time <blank> or Datetime value of when to execute an inventory job on this store  
InventorySchedule.Interval.Minutes <blank> or an integer value of the number of minutes between inventory jobs on this store 60
InventorySchedule.Immediate When true a one-time inventory job is scheduled at store creation. When false the one-time job is not created.  
InventorySchedule.Daily.Time <blank> or a timestamp value for when to run the inventory job  
InventorySchedule.Weekly.Days <blank>  

Then save the CSV file and transfer it to the machine you have kfutil installed on. Be sure to save this without UTF-8 formatting, as kfutil cannot process UTF-8 files.

Do NOT use UTF-8 formatting for the CSV. If you do, you will get an error.

Step 3: Run the bulk upload

Run the kfutil program with the following commands to upload the contents of the CSV as certificate stores.

kfutil stores import csv --file <csv_filename> --store-type-name RFJKS

The output should look like the following:

2 records processed.
2 certificate stores successfully created.
Import results written to Book1_results.csv

Verify the results by opening the result CSV file.

cat Book1_results.csv

Step 4: Verify the results

If additional verification is required, use the Keyfactor Command Portal.

  1. Access Orchestrators > Management.
  2. Select the orchestrator that corresponds to the request above.
  3. Select View Certificate Stores.
  4. A list of certificate stores the orchestrator can manage will appear. The following image shows navigating to the certificate stores that the orchestrator will manage.

    image-20250507-214839.png

    The following image shows a list of all certificate stores that the orchestrator manages.

    image-20250507-215019.png

Add comment

Please sign in to leave a comment.