{"id":25190051,"url":"https://github.com/keyfactor/remote-file-orchestrator","last_synced_at":"2026-02-05T20:14:15.659Z","repository":{"id":63006562,"uuid":"510862739","full_name":"Keyfactor/remote-file-orchestrator","owner":"Keyfactor","description":"The Remote File Orchestrator allows for the remote management of file-based certificate stores. Discovery, Inventory, and Management functions are supported. The orchestrator performs operations by first converting the certificate store into a BouncyCastle PKCS12Store.","archived":false,"fork":false,"pushed_at":"2026-02-02T17:09:31.000Z","size":6542,"stargazers_count":3,"open_issues_count":1,"forks_count":5,"subscribers_count":5,"default_branch":"main","last_synced_at":"2026-02-03T05:40:32.918Z","etag":null,"topics":["keyfactor-universal-orchestrator"],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Keyfactor.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2022-07-05T19:04:29.000Z","updated_at":"2025-12-02T18:16:39.000Z","dependencies_parsed_at":"2023-02-16T12:31:21.622Z","dependency_job_id":"59f18465-3c5c-4d26-ad5d-4eea9592b6ad","html_url":"https://github.com/Keyfactor/remote-file-orchestrator","commit_stats":null,"previous_names":[],"tags_count":318,"template":false,"template_full_name":null,"purl":"pkg:github/Keyfactor/remote-file-orchestrator","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repos
itories/Keyfactor%2Fremote-file-orchestrator","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Keyfactor%2Fremote-file-orchestrator/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Keyfactor%2Fremote-file-orchestrator/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Keyfactor%2Fremote-file-orchestrator/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Keyfactor","download_url":"https://codeload.github.com/Keyfactor/remote-file-orchestrator/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Keyfactor%2Fremote-file-orchestrator/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29133256,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-05T19:36:52.185Z","status":"ssl_error","status_checked_at":"2026-02-05T19:35:40.941Z","response_time":65,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["keyfactor-universal-orchestrator"],"created_at":"2025-02-09T21:18:47.199Z","updated_at":"2026-02-05T20:14:15.639Z","avatar_url":"https://github.com/Keyfactor.png","language":"C#","readme":"\u003ch1 align=\"center\" style=\"border-bottom: none\"\u003e\n    Remote File Universal Orchestrator Extension\n\u003c/h1\u003e\n\n\u003cp 
align=\"center\"\u003e\n  \u003c!-- Badges --\u003e\n\u003cimg src=\"https://img.shields.io/badge/integration_status-production-3D1973?style=flat-square\" alt=\"Integration Status: production\" /\u003e\n\u003ca href=\"https://github.com/Keyfactor/remote-file-orchestrator/releases\"\u003e\u003cimg src=\"https://img.shields.io/github/v/release/Keyfactor/remote-file-orchestrator?style=flat-square\" alt=\"Release\" /\u003e\u003c/a\u003e\n\u003cimg src=\"https://img.shields.io/github/issues/Keyfactor/remote-file-orchestrator?style=flat-square\" alt=\"Issues\" /\u003e\n\u003cimg src=\"https://img.shields.io/github/downloads/Keyfactor/remote-file-orchestrator/total?style=flat-square\u0026label=downloads\u0026color=28B905\" alt=\"GitHub Downloads (all assets, all releases)\" /\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003c!-- TOC --\u003e\n  \u003ca href=\"#support\"\u003e\n    \u003cb\u003eSupport\u003c/b\u003e\n  \u003c/a\u003e\n  ·\n  \u003ca href=\"#installation\"\u003e\n    \u003cb\u003eInstallation\u003c/b\u003e\n  \u003c/a\u003e\n  ·\n  \u003ca href=\"#license\"\u003e\n    \u003cb\u003eLicense\u003c/b\u003e\n  \u003c/a\u003e\n  ·\n  \u003ca href=\"https://github.com/orgs/Keyfactor/repositories?q=orchestrator\"\u003e\n    \u003cb\u003eRelated Integrations\u003c/b\u003e\n  \u003c/a\u003e\n\u003c/p\u003e\n\n## Overview\n\nThe Remote File Orchestrator Extension is a multipurpose integration that can remotely manage a variety of file-based\ncertificate stores and can easily be extended to manage others.\n\nThe Keyfactor Universal Orchestrator (UO) and RemoteFile Extension can be installed on either Windows or Linux operating\nsystems as well as manage certificates residing on servers of both operating systems. A UO service managing certificates\non remote servers is considered to be acting as an Orchestrator, while a UO service managing local certificates on the\nsame server running the service is considered an Agent. 
When acting as an Orchestrator, connectivity from the\norchestrator server hosting the `RemoteFile` extension to the orchestrated server hosting the certificate store(s) being\nmanaged is achieved via either an `SSH` (for Linux and possibly Windows orchestrated servers) or WinRM (for Windows\norchestrated servers) connection. When acting as an agent, `SSH/WinRM` may still be used, OR the certificate store can be\nconfigured to bypass these and instead directly access the orchestrator server's file system.\n\nRemoteFile Management and Inventory capabilities support the handling of certificates with RSA, ECC, and ML-DSA digital signature algorithms.  However, \nODKG (On Device Key Generation), introduced in release 3.0 for store types RFJKS, RFPEM, RFPkcs12, and RFDER, currently only supports\nRSA and ECC.  Also, please be aware that the CSR and key pairs generated by the RemoteFile Orchestrator extension when utilizing\nthe ODKG capability are technically created on the orchestrator server itself and not on the target device if the orchestrator is\nmanaging a store or stores on servers other than the one where the Universal Orchestrator is installed.\n\n![](images/orchestrator-agent.png)\n\nThe supported configurations of Universal Orchestrator hosts and managed orchestrated servers are detailed below:\n\n|                                                                           | UO Installed on Windows               | UO Installed on Linux               |\n|---------------------------------------------------------------------------|---------------------------------------|-------------------------------------|\n| Orchestrated Server hosting certificate store(s) on remote Windows server | WinRM connection                      | SSH connection                      |\n| Orchestrated Server hosting certificate store(s) on remote Linux server   | SSH connection                        | SSH connection                      |\n| Certificate store(s) on same server as orchestrator 
service (Agent)       | WinRM connection or local file system | SSH connection or local file system |  \n\nNote: when creating, adding certificates to, or removing certificates from any store managed by `RemoteFile`, the\ndestination store file will be recreated. When this occurs, current AES encryption algorithms will be used for affected\ncertificates and certificate store files.\n\nThe Remote File Universal Orchestrator extension implements 6 Certificate Store Types. Depending on your use case, you may elect to use one or all of these Certificate Store Types. Descriptions of each are provided below.\n\n- [RFJKS](#RFJKS)\n\n- [RFPEM](#RFPEM)\n\n- [RFPkcs12](#RFPkcs12)\n\n- [RFDER](#RFDER)\n\n- [RFKDB](#RFKDB)\n\n- [RFORA](#RFORA)\n\n\n## Compatibility\n\nThis integration is compatible with Keyfactor Universal Orchestrator version 10.4 and later.\n\n## Support\nThe Remote File Universal Orchestrator extension is supported by Keyfactor. If you require support for any issues or have a feature request, please open a support ticket either by contacting your Keyfactor representative or via the Keyfactor Support Portal at https://support.keyfactor.com.\n\n\u003e If you want to contribute bug fixes or additional enhancements, use the **[Pull requests](../../pulls)** tab.\n\n## Requirements \u0026 Prerequisites\n\nBefore installing the Remote File Universal Orchestrator extension, we recommend that you install [kfutil](https://github.com/Keyfactor/kfutil). Kfutil is a command-line tool that simplifies the process of creating store types, installing extensions, and instantiating certificate stores in Keyfactor Command.\n\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eCertificate stores hosted on Linux servers:\u003c/b\u003e\u003c/summary\u003e\n\n1. The Remote File Orchestrator Extension makes use of a few common Linux commands when managing stores on Linux\n   servers as well as some specialized CLI commands for certain store types. 
If the credentials you will be connecting with \n   need elevated access to run these commands or to access the\n   certificate store files these commands operate against, you must set up the user id as a sudoer with no password\n   necessary and set the config.json `UseSudo` value to `Y`. When `RemoteFile` is using orchestration, managing local or\n   external certificate stores using `SSH` or `WinRM`, the security context is determined by the user id entered into the\n   Keyfactor Command certificate store or discovery job screens. When RemoteFile is running as an agent, managing local\n   stores only, the security context is the user id running the Keyfactor Command Universal Orchestrator service\n   account. The full list of these commands and when they are used is illustrated below:\n\n| Shell Command  | Discovery | Inventory | Management-Add | Management-Delete | Management-Create |\n|----------------|-----------|-----------|----------------|-------------------|-------------------|\n| `echo`         | X         | X         | X              | X                 | X                 |\n| `find`         | X         |           |                |                   |                   |\n| `cp`           |           | X(a)      | X(a)           | X(a)              |                   |\n| `ls`           |           |           | X              | X                 | X                 |\n| `chown`        |           | X(b)      | X(b)           | X(b)              |                   |\n| `tee`          |           | X(c)      | X(a)           | X(a)              |                   |\n| `rm`           |           | X(d)      | X(d)           | X(d)              |                   |\n| `install`      |           |           |                |                   | X                 |\n| `stat`         |           |           |                |                   | X                 |\n| `orapki`       |           | X(e)      | X(e)           | X(e)              |        
           |\n| `gskcapicmd`   |           | X(f)      | X(f)           | X(f)              |                   |  \n\n(a) - Only used if the [config.json](#post-installation) setting SeparateUploadFilePath is used (non-empty value)  \n(b) - Only used if the [config.json](#post-installation) setting SeparateUploadFilePath is used (non-empty value) AND the [config.json](#post-installation) or certificate store setting SudoImpersonatedUser is not used (empty value)  \n(c) - Only used if the store type is RFKDB or RFORA AND the [config.json](#post-installation) setting SeparateUploadFilePath is used (non-empty value)  \n(d) - Only used if the store type is either RFKDB or RFORA, OR for any store type when the [config.json](#post-installation) setting SeparateUploadFilePath is used (non-empty value)  \n(e) - RFORA store type only  \n(f) - RFKDB store type only\n\n2. When orchestrating management of local or external certificate stores, the Remote File Orchestrator Extension makes\n   use of SCP or SFTP to transfer files to and from the orchestrated server. SCP is attempted first, and if that \n   fails, SFTP is attempted. `SCP/SFTP` cannot make use of `sudo`, so\n   all folders containing certificate stores will need to allow SCP/SFTP file transfer for the user assigned to the\n   certificate store/discovery job. If this is not possible, set the values in the `config.json` appropriately to use an\n   alternative upload/download folder that does allow `SCP/SFTP` file transfer. If the certificate store/discovery job is\n   configured for local (agent) access, the account running the Keyfactor Universal Orchestrator service must have\n   read/write access to the certificate store location, OR the `config.json` file must be set up to use the alternative\n   upload/download folder.\n\n3. 
`SSH` Authentication: When creating a Keyfactor certificate store for the `RemoteFile` orchestrator extension, you may\n   supply either a user id and password for the certificate store credentials (directly or through one of Keyfactor\n   Command's PAM integrations), or supply a user id and `SSH` private key. When using a password, the connection is\n   attempted using `SSH` password authentication. If that fails, Keyboard Interactive Authentication is automatically\n   attempted. One or both of these must be enabled on the Linux box being managed. If private key authentication is\n   desired, copy and paste the full SSH private key into the Password textbox (or pointer to the private key if using a\n   PAM provider). Please note that SSH Private Key Authentication is not available when running locally as an agent. The\n   following private key formats are supported:\n\n- PKCS#1 (`BEGIN RSA PRIVATE KEY`)\n- PKCS#8 (`BEGIN PRIVATE KEY`)\n- ECDSA OPENSSH (`BEGIN OPENSSH PRIVATE KEY`)\n\nPlease reference [Post Installation](#post-installation) for more information on setting up the `config.json` file\nand [Defining Certificate Stores](#defining-certificate-stores)\nand [Discovering Certificate Stores with the Discovery Job](#discovering-certificate-stores-with-the-discovery-job) for\nmore information on defining and configuring certificate stores.\n\u003c/details\u003e  \n\n\u003cdetails\u003e  \n\u003csummary\u003e\u003cb\u003eCertificate stores hosted on Windows servers:\u003c/b\u003e\u003c/summary\u003e\n\n1. When orchestrating management of external (and potentially local) certificate stores, the `RemoteFile` Orchestrator \nExtension makes use of `WinRM` to connect to external certificate store servers.  The security context used is the user id \nentered in the Keyfactor Command certificate store or discovery job screen.  
Make sure that `WinRM` is set up on the \norchestrated server and that the `WinRM` port (by convention, `5585` for `HTTP` and `5586` for `HTTPS`) is part of the certificate \nstore path when setting up your certificate stores/discovery jobs. If running as an agent, managing local certificate stores, \nlocal commands are run under the security context of the user account running the Keyfactor Universal Orchestrator Service.  \nPlease reference [Certificate Stores and Discovery Jobs](#certificate-stores-and-discovery-jobs) for more information on \ncreating certificate stores for the `RemoteFile` Orchestrator Extension.  \n\n\u003c/details\u003e\n\nPlease consult with your system administrator for more information on configuring `SSH/SCP/SFTP` or `WinRM` in your environment.\n\n\n## Certificate Store Types\n\nTo use the Remote File Universal Orchestrator extension, you **must** create the Certificate Store Types required for your use-case. This only needs to happen _once_ per Keyfactor Command instance.\n\nThe Remote File Universal Orchestrator extension implements 6 Certificate Store Types. Depending on your use case, you may elect to use one or all of these Certificate Store Types.\n\n### RFJKS\n\n\u003cdetails\u003e\u003csummary\u003eClick to expand details\u003c/summary\u003e\n\n\nThe `RFJKS` store type can be used to manage Java keystores of types `JKS` or `PKCS12`.  If creating a new Java keystore \nand adding a certificate all via Keyfactor Command, the created Java keystore will be of type `PKCS12`, as Java keystores \nof type `JKS` have been deprecated as of `JDK 9`.\n\n#### Supported use cases\n1. One-to-many trust entries - A trust entry is defined as a single certificate without a private key in a certificate store.  Each trust entry is identified with a custom alias.\n2. One-to-many key entries - One-to-many certificates with private keys and optionally the full certificate chain.  Each certificate is identified with a custom alias.\n3. 
A mix of trust and key entries.\n\n\n\n\n#### Supported Operations\n\n| Operation    | Is Supported                                                                                                           |\n|--------------|------------------------------------------------------------------------------------------------------------------------|\n| Add          | ✅ Checked        |\n| Remove       | ✅ Checked     |\n| Discovery    | ✅ Checked  |\n| Reenrollment | ✅ Checked |\n| Create       | ✅ Checked     |\n\n#### Store Type Creation\n\n##### Using kfutil:\n`kfutil` is a custom CLI for the Keyfactor Command API and can be used to create certificate store types.\nFor more information on [kfutil](https://github.com/Keyfactor/kfutil) check out the [docs](https://github.com/Keyfactor/kfutil?tab=readme-ov-file#quickstart)\n   \u003cdetails\u003e\u003csummary\u003eClick to expand RFJKS kfutil details\u003c/summary\u003e\n\n   ##### Using online definition from GitHub:\n   This will reach out to GitHub and pull the latest store-type definition\n   ```shell\n   # RFJKS\n   kfutil store-types create RFJKS\n   ```\n\n   ##### Offline creation using integration-manifest file:\n   If required, it is possible to create store types from the [integration-manifest.json](./integration-manifest.json) included in this repo.\n   You would first download the [integration-manifest.json](./integration-manifest.json) and then run the following command\n   in your offline environment.\n   ```shell\n   kfutil store-types create --from-file integration-manifest.json\n   ```\n   \u003c/details\u003e\n\n\n#### Manual Creation\nBelow are instructions on how to create the RFJKS store type manually in\nthe Keyfactor Command Portal\n   \u003cdetails\u003e\u003csummary\u003eClick to expand manual RFJKS details\u003c/summary\u003e\n\n   Create a store type called `RFJKS` with the attributes in the tables below:\n\n   ##### Basic Tab\n   | Attribute | Value | Description |\n   | --------- | ----- | 
----- |\n   | Name | RFJKS | Display name for the store type (may be customized) |\n   | Short Name | RFJKS | Short display name for the store type |\n   | Capability | RFJKS | Store type name orchestrator will register with. Check the box to allow entry of value |\n   | Supports Add | ✅ Checked | Check the box. Indicates that the Store Type supports Management Add |\n   | Supports Remove | ✅ Checked | Check the box. Indicates that the Store Type supports Management Remove |\n   | Supports Discovery | ✅ Checked | Check the box. Indicates that the Store Type supports Discovery |\n   | Supports Reenrollment | ✅ Checked |  Indicates that the Store Type supports Reenrollment |\n   | Supports Create | ✅ Checked | Check the box. Indicates that the Store Type supports store creation |\n   | Needs Server | ✅ Checked | Determines if a target server name is required when creating store |\n   | Blueprint Allowed | 🔲 Unchecked | Determines if store type may be included in an Orchestrator blueprint |\n   | Uses PowerShell | 🔲 Unchecked | Determines if underlying implementation is PowerShell |\n   | Requires Store Password | ✅ Checked | Enables users to optionally specify a store password when defining a Certificate Store. |\n   | Supports Entry Password | 🔲 Unchecked | Determines if an individual entry within a store can have a password. |\n\n   The Basic tab should look like this:\n\n   ![RFJKS Basic Tab](docsource/images/RFJKS-basic-store-type-dialog.png)\n\n   ##### Advanced Tab\n   | Attribute | Value | Description |\n   | --------- | ----- | ----- |\n   | Supports Custom Alias | Required | Determines if an individual entry within a store can have a custom Alias. |\n   | Private Key Handling | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. 
|\n   | PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) |\n\n   The Advanced tab should look like this:\n\n   ![RFJKS Advanced Tab](docsource/images/RFJKS-advanced-store-type-dialog.png)\n\n   \u003e For Keyfactor **Command versions 24.4 and later**, a Certificate Format dropdown is available with PFX and PEM options. Ensure that **PFX** is selected, as this determines the format of new and renewed certificates sent to the Orchestrator during a Management job. Currently, all Keyfactor-supported Orchestrator extensions support only PFX.\n\n   ##### Custom Fields Tab\n   Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed. The following custom fields should be added to the store type:\n\n   | Name | Display Name | Description | Type | Default Value/Options | Required |\n   | ---- | ------------ | ---- | --------------------- | -------- | ----------- |\n   | ServerUsername | Server Username | A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value* | Secret |  | 🔲 Unchecked |\n   | ServerPassword | Server Password | A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. 
If acting as an *agent* using local file access, just check *No Value* | Secret |  | 🔲 Unchecked |\n   | LinuxFilePermissionsOnStoreCreation | Linux File Permissions on Store Creation | The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'.  Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting. | String |  | 🔲 Unchecked |\n   | LinuxFileOwnerOnStoreCreation | Linux File Owner on Store Creation | The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'.  Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting. | String |  | 🔲 Unchecked |\n   | SudoImpersonatingUser | Sudo Impersonating User | The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'.  Overrides DefaultSudoImpersonatedUser [config.json](#post-installation) setting. | String |  | 🔲 Unchecked |\n   | RemoveRootCertificate | Remove Root Certificate from Chain | Remove root certificate from chain when adding/renewing a certificate in a store. | Bool | False | 🔲 Unchecked |\n   | IncludePortInSPN | Include Port in SPN for WinRM | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. | Bool | False | 🔲 Unchecked |\n   | SSHPort | SSH Port | Integer value representing the port that should be used when connecting to Linux servers over SSH.  Overrides SSHPort [config.json](#post-installation) setting. | String |  | 🔲 Unchecked |\n   | UseShellCommands | Use Shell Commands | Recommended to be set to the default value of 'Y'.  
For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting) | Bool | True | 🔲 Unchecked |\n\n   The Custom Fields tab should look like this:\n\n   ![RFJKS Custom Fields Tab](docsource/images/RFJKS-custom-fields-store-type-dialog.png)\n\n\n   ###### Server Username\n   A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value*\n\n\n   \u003e [!IMPORTANT]\n   \u003e This field is created by the `Needs Server` on the Basic tab, do not create this field manually.\n\n\n\n\n   ###### Server Password\n   A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check *No Value*\n\n\n   \u003e [!IMPORTANT]\n   \u003e This field is created by the `Needs Server` on the Basic tab, do not create this field manually.\n\n\n\n\n   ###### Linux File Permissions on Store Creation\n   The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'.  Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting.\n\n   ![RFJKS Custom Field - LinuxFilePermissionsOnStoreCreation](docsource/images/RFJKS-custom-field-LinuxFilePermissionsOnStoreCreation-dialog.png)\n\n\n\n   ###### Linux File Owner on Store Creation\n   The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'.  
Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting.\n\n   ![RFJKS Custom Field - LinuxFileOwnerOnStoreCreation](docsource/images/RFJKS-custom-field-LinuxFileOwnerOnStoreCreation-dialog.png)\n\n\n\n   ###### Sudo Impersonating User\n   The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'.  Overrides DefaultSudoImpersonatedUser [config.json](#post-installation) setting.\n\n   ![RFJKS Custom Field - SudoImpersonatingUser](docsource/images/RFJKS-custom-field-SudoImpersonatingUser-dialog.png)\n\n\n\n   ###### Remove Root Certificate from Chain\n   Remove root certificate from chain when adding/renewing a certificate in a store.\n\n   ![RFJKS Custom Field - RemoveRootCertificate](docsource/images/RFJKS-custom-field-RemoveRootCertificate-dialog.png)\n\n\n\n   ###### Include Port in SPN for WinRM\n   Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations.\n\n   ![RFJKS Custom Field - IncludePortInSPN](docsource/images/RFJKS-custom-field-IncludePortInSPN-dialog.png)\n\n\n\n   ###### SSH Port\n   Integer value representing the port that should be used when connecting to Linux servers over SSH.  Overrides SSHPort [config.json](#post-installation) setting.\n\n   ![RFJKS Custom Field - SSHPort](docsource/images/RFJKS-custom-field-SSHPort-dialog.png)\n\n\n\n   ###### Use Shell Commands\n   Recommended to be set to the default value of 'Y'.  
For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)\n\n   ![RFJKS Custom Field - UseShellCommands](docsource/images/RFJKS-custom-field-UseShellCommands-dialog.png)\n\n\n\n\n\n   \u003c/details\u003e\n\u003c/details\u003e\n\n### RFPEM\n\n\u003cdetails\u003e\u003csummary\u003eClick to expand details\u003c/summary\u003e\n\n\nThe `RFPEM` store type can be used to manage `PEM` encoded files.\n\n#### Supported use cases\n1. Trust stores - A file with one-to-many certificates (no private keys, no certificate chains).\n2. Single certificate stores with private key in the file.\n3. Single certificate stores with certificate chain and private key in the file.\n4. Single certificate stores with private key in an external file.\n5. Single certificate stores with certificate chain in the file and private key in an external file\n\n#### Additional Considerations and Limitations\n- `PEM` stores may only have one private key (internal or external) associated with the store, as only one certificate/chain/private key combination can be stored in a PEM store supported by `RFPEM`. \n- Private keys will be stored in encrypted or unencrypted `PKCS#8` format (`BEGIN [ENCRYPTED] PRIVATE KEY`) based on the Store Password set on the Keyfactor Command Certificate Store unless managing a `PEM` store that currently contains a private key in `PKCS#1` format (`BEGIN RSA PRIVATE KEY` or `BEGIN EC PRIVATE KEY`). 
\n- Store password *MUST* be set to `No Password` if managing a store with a `PKCS#1` private key, as encrypted `PKCS#1` keys are not supported with this integration.\n\n\n\n\n#### Supported Operations\n\n| Operation    | Is Supported                                                                                                           |\n|--------------|------------------------------------------------------------------------------------------------------------------------|\n| Add          | ✅ Checked        |\n| Remove       | ✅ Checked     |\n| Discovery    | ✅ Checked  |\n| Reenrollment | ✅ Checked |\n| Create       | ✅ Checked     |\n\n#### Store Type Creation\n\n##### Using kfutil:\n`kfutil` is a custom CLI for the Keyfactor Command API and can be used to create certificate store types.\nFor more information on [kfutil](https://github.com/Keyfactor/kfutil) check out the [docs](https://github.com/Keyfactor/kfutil?tab=readme-ov-file#quickstart)\n   \u003cdetails\u003e\u003csummary\u003eClick to expand RFPEM kfutil details\u003c/summary\u003e\n\n   ##### Using online definition from GitHub:\n   This will reach out to GitHub and pull the latest store-type definition\n   ```shell\n   # RFPEM\n   kfutil store-types create RFPEM\n   ```\n\n   ##### Offline creation using integration-manifest file:\n   If required, it is possible to create store types from the [integration-manifest.json](./integration-manifest.json) included in this repo.\n   You would first download the [integration-manifest.json](./integration-manifest.json) and then run the following command\n   in your offline environment.\n   ```shell\n   kfutil store-types create --from-file integration-manifest.json\n   ```\n   \u003c/details\u003e\n\n\n#### Manual Creation\nBelow are instructions on how to create the RFPEM store type manually in\nthe Keyfactor Command Portal\n   \u003cdetails\u003e\u003csummary\u003eClick to expand manual RFPEM details\u003c/summary\u003e\n\n   Create a store type called 
`RFPEM` with the attributes in the tables below:\n\n   ##### Basic Tab\n   | Attribute | Value | Description |\n   | --------- | ----- | ----- |\n   | Name | RFPEM | Display name for the store type (may be customized) |\n   | Short Name | RFPEM | Short display name for the store type |\n   | Capability | RFPEM | Store type name orchestrator will register with. Check the box to allow entry of value |\n   | Supports Add | ✅ Checked | Check the box. Indicates that the Store Type supports Management Add |\n   | Supports Remove | ✅ Checked | Check the box. Indicates that the Store Type supports Management Remove |\n   | Supports Discovery | ✅ Checked | Check the box. Indicates that the Store Type supports Discovery |\n   | Supports Reenrollment | ✅ Checked |  Indicates that the Store Type supports Reenrollment |\n   | Supports Create | ✅ Checked | Check the box. Indicates that the Store Type supports store creation |\n   | Needs Server | ✅ Checked | Determines if a target server name is required when creating store |\n   | Blueprint Allowed | 🔲 Unchecked | Determines if store type may be included in an Orchestrator blueprint |\n   | Uses PowerShell | 🔲 Unchecked | Determines if underlying implementation is PowerShell |\n   | Requires Store Password | ✅ Checked | Enables users to optionally specify a store password when defining a Certificate Store. |\n   | Supports Entry Password | 🔲 Unchecked | Determines if an individual entry within a store can have a password. |\n\n   The Basic tab should look like this:\n\n   ![RFPEM Basic Tab](docsource/images/RFPEM-basic-store-type-dialog.png)\n\n   ##### Advanced Tab\n   | Attribute | Value | Description |\n   | --------- | ----- | ----- |\n   | Supports Custom Alias | Forbidden | Determines if an individual entry within a store can have a custom Alias. |\n   | Private Key Handling | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store. 
Required because IIS certificates without private keys would be invalid. |\n   | PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) |\n\n   The Advanced tab should look like this:\n\n   ![RFPEM Advanced Tab](docsource/images/RFPEM-advanced-store-type-dialog.png)\n\n   \u003e For Keyfactor **Command versions 24.4 and later**, a Certificate Format dropdown is available with PFX and PEM options. Ensure that **PFX** is selected, as this determines the format of new and renewed certificates sent to the Orchestrator during a Management job. Currently, all Keyfactor-supported Orchestrator extensions support only PFX.\n\n   ##### Custom Fields Tab\n   Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed. The following custom fields should be added to the store type:\n\n   | Name | Display Name | Description | Type | Default Value/Options | Required |\n   | ---- | ------------ | ---- | --------------------- | -------- | ----------- |\n   | ServerUsername | Server Username | A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value* | Secret |  | 🔲 Unchecked |\n   | ServerPassword | Server Password | A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. 
If acting as an *agent* using local file access, just check *No Value* | Secret |  | 🔲 Unchecked |\n   | LinuxFilePermissionsOnStoreCreation | Linux File Permissions on Store Creation | The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'.  Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting. | String |  | 🔲 Unchecked |\n   | LinuxFileOwnerOnStoreCreation | Linux File Owner on Store Creation | The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'.  Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting. | String |  | 🔲 Unchecked |\n   | SudoImpersonatingUser | Sudo Impersonating User | The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'.  Overrides the [config.json](#post-installation) DefaultSudoImpersonatedUser setting. | String |  | 🔲 Unchecked |\n   | IsTrustStore | Trust Store | The IsTrustStore field should contain a boolean value ('true' or 'false') indicating whether the store will be identified as a trust store, which can hold multiple certificates without private keys. Example: 'true' for a trust store or 'false' for a store with a single certificate and private key. | Bool | false | 🔲 Unchecked |\n   | IncludesChain | Store Includes Chain | The IncludesChain field should contain a boolean value ('true' or 'false') indicating whether the certificate store includes the full certificate chain along with the end entity certificate. Example: 'true' to include the full chain or 'false' to exclude it. 
| Bool | false | 🔲 Unchecked |\n   | SeparatePrivateKeyFilePath | Separate Private Key File Location | The SeparatePrivateKeyFilePath field should contain the full path and file name where the separate private key file will be stored if it is to be kept outside the main certificate file. Example: '/path/to/privatekey.pem'. | String |  | 🔲 Unchecked |\n   | IgnorePrivateKeyOnInventory | Ignore Private Key On Inventory | The IgnorePrivateKeyOnInventory field should contain a boolean value ('true' or 'false') indicating whether to disregard the private key during inventory. Setting this to 'true' will allow inventory for the store without needing to supply the location of the private key or the password if the key is encrypted.  However, doing this makes the store in effect inventory-only and no management jobs will be able to be run for this store. Example: 'true' to ignore the private key or 'false' to include it. | Bool | false | 🔲 Unchecked |\n   | RemoveRootCertificate | Remove Root Certificate from Chain | Remove root certificate from chain when adding/renewing a certificate in a store. | Bool | False | 🔲 Unchecked |\n   | IncludePortInSPN | Include Port in SPN for WinRM | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. | Bool | False | 🔲 Unchecked |\n   | SSHPort | SSH Port | Integer value representing the port that should be used when connecting to Linux servers over SSH.  Overrides SSHPort [config.json](#post-installation) setting. | String |  | 🔲 Unchecked |\n   | UseShellCommands | Use Shell Commands | Recommended to be set to the default value of 'Y'.  
For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting) | Bool | True | 🔲 Unchecked |\n\n   The Custom Fields tab should look like this:\n\n   ![RFPEM Custom Fields Tab](docsource/images/RFPEM-custom-fields-store-type-dialog.png)\n\n\n   ###### Server Username\n   A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value*\n\n\n   \u003e [!IMPORTANT]\n   \u003e This field is created by the `Needs Server` on the Basic tab, do not create this field manually.\n\n\n\n\n   ###### Server Password\n   A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check *No Value*\n\n\n   \u003e [!IMPORTANT]\n   \u003e This field is created by the `Needs Server` on the Basic tab, do not create this field manually.\n\n\n\n\n   ###### Linux File Permissions on Store Creation\n   The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'.  Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting.\n\n   ![RFPEM Custom Field - LinuxFilePermissionsOnStoreCreation](docsource/images/RFPEM-custom-field-LinuxFilePermissionsOnStoreCreation-dialog.png)\n\n\n\n   ###### Linux File Owner on Store Creation\n   The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'.  
Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting.\n\n   ![RFPEM Custom Field - LinuxFileOwnerOnStoreCreation](docsource/images/RFPEM-custom-field-LinuxFileOwnerOnStoreCreation-dialog.png)\n\n\n\n   ###### Sudo Impersonating User\n   The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'.  Overrides the [config.json](#post-installation) DefaultSudoImpersonatedUser setting.\n\n   ![RFPEM Custom Field - SudoImpersonatingUser](docsource/images/RFPEM-custom-field-SudoImpersonatingUser-dialog.png)\n\n\n\n   ###### Trust Store\n   The IsTrustStore field should contain a boolean value ('true' or 'false') indicating whether the store will be identified as a trust store, which can hold multiple certificates without private keys. Example: 'true' for a trust store or 'false' for a store with a single certificate and private key.\n\n   ![RFPEM Custom Field - IsTrustStore](docsource/images/RFPEM-custom-field-IsTrustStore-dialog.png)\n\n\n\n   ###### Store Includes Chain\n   The IncludesChain field should contain a boolean value ('true' or 'false') indicating whether the certificate store includes the full certificate chain along with the end entity certificate. Example: 'true' to include the full chain or 'false' to exclude it.\n\n   ![RFPEM Custom Field - IncludesChain](docsource/images/RFPEM-custom-field-IncludesChain-dialog.png)\n\n\n\n   ###### Separate Private Key File Location\n   The SeparatePrivateKeyFilePath field should contain the full path and file name where the separate private key file will be stored if it is to be kept outside the main certificate file. 
Example: '/path/to/privatekey.pem'.\n\n   ![RFPEM Custom Field - SeparatePrivateKeyFilePath](docsource/images/RFPEM-custom-field-SeparatePrivateKeyFilePath-dialog.png)\n\n\n\n   ###### Ignore Private Key On Inventory\n   The IgnorePrivateKeyOnInventory field should contain a boolean value ('true' or 'false') indicating whether to disregard the private key during inventory. Setting this to 'true' will allow inventory for the store without needing to supply the location of the private key or the password if the key is encrypted.  However, doing this makes the store in effect inventory-only and no management jobs will be able to be run for this store. Example: 'true' to ignore the private key or 'false' to include it.\n\n   ![RFPEM Custom Field - IgnorePrivateKeyOnInventory](docsource/images/RFPEM-custom-field-IgnorePrivateKeyOnInventory-dialog.png)\n\n\n\n   ###### Remove Root Certificate from Chain\n   Remove root certificate from chain when adding/renewing a certificate in a store.\n\n   ![RFPEM Custom Field - RemoveRootCertificate](docsource/images/RFPEM-custom-field-RemoveRootCertificate-dialog.png)\n\n\n\n   ###### Include Port in SPN for WinRM\n   Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations.\n\n   ![RFPEM Custom Field - IncludePortInSPN](docsource/images/RFPEM-custom-field-IncludePortInSPN-dialog.png)\n\n\n\n   ###### SSH Port\n   Integer value representing the port that should be used when connecting to Linux servers over SSH.  Overrides SSHPort [config.json](#post-installation) setting.\n\n   ![RFPEM Custom Field - SSHPort](docsource/images/RFPEM-custom-field-SSHPort-dialog.png)\n\n\n\n   ###### Use Shell Commands\n   Recommended to be set to the default value of 'Y'.  
For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)\n\n   ![RFPEM Custom Field - UseShellCommands](docsource/images/RFPEM-custom-field-UseShellCommands-dialog.png)\n\n\n\n\n\n   \u003c/details\u003e\n\u003c/details\u003e\n\n### RFPkcs12\n\n\u003cdetails\u003e\u003csummary\u003eClick to expand details\u003c/summary\u003e\n\n\nThe `RFPkcs12` store type can be used to manage any `PKCS#12` compliant file format INCLUDING java keystores of type `PKCS12`.\n\n#### Supported use cases\n1. One-to-many trust entries - A trust entry is defined as a single certificate without a private key in a certificate store.  Each trust entry MUST BE identified with a custom friendly name/alias.\n2. One-to-many key entries - One-to-many certificates with private keys and optionally the full certificate chain.  Each certificate MUST BE identified with a custom friendly name/alias.\n3. A mix of trust and key entries.  Each entry MUST BE identified with a custom friendly name/alias.\n4. Single certificate stores with a blank/missing friendly name/alias.  Any management add job will replace the current certificate entry and will keep the friendly name/alias blank.  The Keyfactor Command certificate store will show the current certificate thumbprint as the entry's alias.\n\n#### Unsupported use cases\n1. Multiple key and/or trust entries with a mix of existing and non-existing friendly names/aliases.\n2. 
Multiple key and/or trust entries with blank friendly names/aliases\n\n\n\n\n#### Supported Operations\n\n| Operation    | Is Supported                                                                                                           |\n|--------------|------------------------------------------------------------------------------------------------------------------------|\n| Add          | ✅ Checked        |\n| Remove       | ✅ Checked     |\n| Discovery    | ✅ Checked  |\n| Reenrollment | ✅ Checked |\n| Create       | ✅ Checked     |\n\n#### Store Type Creation\n\n##### Using kfutil:\n`kfutil` is a custom CLI for the Keyfactor Command API and can be used to create certificate store types.\nFor more information on [kfutil](https://github.com/Keyfactor/kfutil) check out the [docs](https://github.com/Keyfactor/kfutil?tab=readme-ov-file#quickstart)\n   \u003cdetails\u003e\u003csummary\u003eClick to expand RFPkcs12 kfutil details\u003c/summary\u003e\n\n   ##### Using online definition from GitHub:\n   This will reach out to GitHub and pull the latest store-type definition\n   ```shell\n   # RFPkcs12\n   kfutil store-types create RFPkcs12\n   ```\n\n   ##### Offline creation using integration-manifest file:\n   If required, it is possible to create store types from the [integration-manifest.json](./integration-manifest.json) included in this repo.\n   You would first download the [integration-manifest.json](./integration-manifest.json) and then run the following command\n   in your offline environment.\n   ```shell\n   kfutil store-types create --from-file integration-manifest.json\n   ```\n   \u003c/details\u003e\n\n\n#### Manual Creation\nBelow are instructions on how to create the RFPkcs12 store type manually in\nthe Keyfactor Command Portal\n   \u003cdetails\u003e\u003csummary\u003eClick to expand manual RFPkcs12 details\u003c/summary\u003e\n\n   Create a store type called `RFPkcs12` with the attributes in the tables below:\n\n   ##### Basic Tab\n   | 
Attribute | Value | Description |\n   | --------- | ----- | ----- |\n   | Name | RFPkcs12 | Display name for the store type (may be customized) |\n   | Short Name | RFPkcs12 | Short display name for the store type |\n   | Capability | RFPkcs12 | Store type name orchestrator will register with. Check the box to allow entry of value |\n   | Supports Add | ✅ Checked | Check the box. Indicates that the Store Type supports Management Add |\n   | Supports Remove | ✅ Checked | Check the box. Indicates that the Store Type supports Management Remove |\n   | Supports Discovery | ✅ Checked | Check the box. Indicates that the Store Type supports Discovery |\n   | Supports Reenrollment | ✅ Checked |  Indicates that the Store Type supports Reenrollment |\n   | Supports Create | ✅ Checked | Check the box. Indicates that the Store Type supports store creation |\n   | Needs Server | ✅ Checked | Determines if a target server name is required when creating store |\n   | Blueprint Allowed | 🔲 Unchecked | Determines if store type may be included in an Orchestrator blueprint |\n   | Uses PowerShell | 🔲 Unchecked | Determines if underlying implementation is PowerShell |\n   | Requires Store Password | ✅ Checked | Enables users to optionally specify a store password when defining a Certificate Store. |\n   | Supports Entry Password | 🔲 Unchecked | Determines if an individual entry within a store can have a password. |\n\n   The Basic tab should look like this:\n\n   ![RFPkcs12 Basic Tab](docsource/images/RFPkcs12-basic-store-type-dialog.png)\n\n   ##### Advanced Tab\n   | Attribute | Value | Description |\n   | --------- | ----- | ----- |\n   | Supports Custom Alias | Required | Determines if an individual entry within a store can have a custom Alias. |\n   | Private Key Handling | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. 
|\n   | PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) |\n\n   The Advanced tab should look like this:\n\n   ![RFPkcs12 Advanced Tab](docsource/images/RFPkcs12-advanced-store-type-dialog.png)\n\n   \u003e For Keyfactor **Command versions 24.4 and later**, a Certificate Format dropdown is available with PFX and PEM options. Ensure that **PFX** is selected, as this determines the format of new and renewed certificates sent to the Orchestrator during a Management job. Currently, all Keyfactor-supported Orchestrator extensions support only PFX.\n\n   ##### Custom Fields Tab\n   Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed. The following custom fields should be added to the store type:\n\n   | Name | Display Name | Description | Type | Default Value/Options | Required |\n   | ---- | ------------ | ---- | --------------------- | -------- | ----------- |\n   | ServerUsername | Server Username | A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value* | Secret |  | 🔲 Unchecked |\n   | ServerPassword | Server Password | A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. 
If acting as an *agent* using local file access, just check *No Value* | Secret |  | 🔲 Unchecked |\n   | LinuxFilePermissionsOnStoreCreation | Linux File Permissions on Store Creation | The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'.  Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting. | String |  | 🔲 Unchecked |\n   | LinuxFileOwnerOnStoreCreation | Linux File Owner on Store Creation | The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'.  Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting. | String |  | 🔲 Unchecked |\n   | SudoImpersonatingUser | Sudo Impersonating User | The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'.  Overrides DefaultSudoImpersonatedUser [config.json](#post-installation) setting. | String |  | 🔲 Unchecked |\n   | RemoveRootCertificate | Remove Root Certificate from Chain | Remove root certificate from chain when adding/renewing a certificate in a store. | Bool | False | 🔲 Unchecked |\n   | IncludePortInSPN | Include Port in SPN for WinRM | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. | Bool | False | 🔲 Unchecked |\n   | SSHPort | SSH Port | Integer value representing the port that should be used when connecting to Linux servers over SSH.  Overrides SSHPort [config.json](#post-installation) setting. | String |  | 🔲 Unchecked |\n   | UseShellCommands | Use Shell Commands | Recommended to be set to the default value of 'Y'.  
For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting) | Bool | True | 🔲 Unchecked |\n\n   The Custom Fields tab should look like this:\n\n   ![RFPkcs12 Custom Fields Tab](docsource/images/RFPkcs12-custom-fields-store-type-dialog.png)\n\n\n   ###### Server Username\n   A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value*\n\n\n   \u003e [!IMPORTANT]\n   \u003e This field is created by the `Needs Server` on the Basic tab, do not create this field manually.\n\n\n\n\n   ###### Server Password\n   A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check *No Value*\n\n\n   \u003e [!IMPORTANT]\n   \u003e This field is created by the `Needs Server` on the Basic tab, do not create this field manually.\n\n\n\n\n   ###### Linux File Permissions on Store Creation\n   The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'.  Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting.\n\n   ![RFPkcs12 Custom Field - LinuxFilePermissionsOnStoreCreation](docsource/images/RFPkcs12-custom-field-LinuxFilePermissionsOnStoreCreation-dialog.png)\n\n\n\n   ###### Linux File Owner on Store Creation\n   The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'.  
Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting.\n\n   ![RFPkcs12 Custom Field - LinuxFileOwnerOnStoreCreation](docsource/images/RFPkcs12-custom-field-LinuxFileOwnerOnStoreCreation-dialog.png)\n\n\n\n   ###### Sudo Impersonating User\n   The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'.  Overrides DefaultSudoImpersonatedUser [config.json](#post-installation) setting.\n\n   ![RFPkcs12 Custom Field - SudoImpersonatingUser](docsource/images/RFPkcs12-custom-field-SudoImpersonatingUser-dialog.png)\n\n\n\n   ###### Remove Root Certificate from Chain\n   Remove root certificate from chain when adding/renewing a certificate in a store.\n\n   ![RFPkcs12 Custom Field - RemoveRootCertificate](docsource/images/RFPkcs12-custom-field-RemoveRootCertificate-dialog.png)\n\n\n\n   ###### Include Port in SPN for WinRM\n   Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations.\n\n   ![RFPkcs12 Custom Field - IncludePortInSPN](docsource/images/RFPkcs12-custom-field-IncludePortInSPN-dialog.png)\n\n\n\n   ###### SSH Port\n   Integer value representing the port that should be used when connecting to Linux servers over SSH.  Overrides SSHPort [config.json](#post-installation) setting.\n\n   ![RFPkcs12 Custom Field - SSHPort](docsource/images/RFPkcs12-custom-field-SSHPort-dialog.png)\n\n\n\n   ###### Use Shell Commands\n   Recommended to be set to the default value of 'Y'.  
For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)\n\n   ![RFPkcs12 Custom Field - UseShellCommands](docsource/images/RFPkcs12-custom-field-UseShellCommands-dialog.png)\n\n\n\n\n\n   \u003c/details\u003e\n\u003c/details\u003e\n\n### RFDER\n\n\u003cdetails\u003e\u003csummary\u003eClick to expand details\u003c/summary\u003e\n\n\nThe `RFDER` store type can be used to manage DER encoded files.\n\n#### Supported use cases\n1. Single certificate stores with private key in an external file.\n2. Single certificate stores with no private key.\n\n\n\n\n#### Supported Operations\n\n| Operation    | Is Supported                                                                                                           |\n|--------------|------------------------------------------------------------------------------------------------------------------------|\n| Add          | ✅ Checked        |\n| Remove       | ✅ Checked     |\n| Discovery    | ✅ Checked  |\n| Reenrollment | ✅ Checked |\n| Create       | ✅ Checked     |\n\n#### Store Type Creation\n\n##### Using kfutil:\n`kfutil` is a custom CLI for the Keyfactor Command API and can be used to create certificate store types.\nFor more information on [kfutil](https://github.com/Keyfactor/kfutil) check out the [docs](https://github.com/Keyfactor/kfutil?tab=readme-ov-file#quickstart)\n   \u003cdetails\u003e\u003csummary\u003eClick to expand RFDER kfutil details\u003c/summary\u003e\n\n   ##### Using online definition from GitHub:\n   This will reach out to GitHub and pull the latest store-type definition\n   ```shell\n   # RFDER\n   kfutil store-types create RFDER\n   ```\n\n   ##### Offline creation using integration-manifest file:\n   If required, it is possible to create store types from the [integration-manifest.json](./integration-manifest.json) included in this repo.\n   You would first download the [integration-manifest.json](./integration-manifest.json) and 
then run the following command\n   in your offline environment.\n   ```shell\n   kfutil store-types create --from-file integration-manifest.json\n   ```\n   \u003c/details\u003e\n\n\n#### Manual Creation\nBelow are instructions on how to create the RFDER store type manually in\nthe Keyfactor Command Portal\n   \u003cdetails\u003e\u003csummary\u003eClick to expand manual RFDER details\u003c/summary\u003e\n\n   Create a store type called `RFDER` with the attributes in the tables below:\n\n   ##### Basic Tab\n   | Attribute | Value | Description |\n   | --------- | ----- | ----- |\n   | Name | RFDER | Display name for the store type (may be customized) |\n   | Short Name | RFDER | Short display name for the store type |\n   | Capability | RFDER | Store type name orchestrator will register with. Check the box to allow entry of value |\n   | Supports Add | ✅ Checked | Check the box. Indicates that the Store Type supports Management Add |\n   | Supports Remove | ✅ Checked | Check the box. Indicates that the Store Type supports Management Remove |\n   | Supports Discovery | ✅ Checked | Check the box. Indicates that the Store Type supports Discovery |\n   | Supports Reenrollment | ✅ Checked |  Indicates that the Store Type supports Reenrollment |\n   | Supports Create | ✅ Checked | Check the box. Indicates that the Store Type supports store creation |\n   | Needs Server | ✅ Checked | Determines if a target server name is required when creating store |\n   | Blueprint Allowed | 🔲 Unchecked | Determines if store type may be included in an Orchestrator blueprint |\n   | Uses PowerShell | 🔲 Unchecked | Determines if underlying implementation is PowerShell |\n   | Requires Store Password | ✅ Checked | Enables users to optionally specify a store password when defining a Certificate Store. |\n   | Supports Entry Password | 🔲 Unchecked | Determines if an individual entry within a store can have a password. 
|\n\n   The Basic tab should look like this:\n\n   ![RFDER Basic Tab](docsource/images/RFDER-basic-store-type-dialog.png)\n\n   ##### Advanced Tab\n   | Attribute | Value | Description |\n   | --------- | ----- | ----- |\n   | Supports Custom Alias | Forbidden | Determines if an individual entry within a store can have a custom Alias. |\n   | Private Key Handling | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. |\n   | PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) |\n\n   The Advanced tab should look like this:\n\n   ![RFDER Advanced Tab](docsource/images/RFDER-advanced-store-type-dialog.png)\n\n   \u003e For Keyfactor **Command versions 24.4 and later**, a Certificate Format dropdown is available with PFX and PEM options. Ensure that **PFX** is selected, as this determines the format of new and renewed certificates sent to the Orchestrator during a Management job. Currently, all Keyfactor-supported Orchestrator extensions support only PFX.\n\n   ##### Custom Fields Tab\n   Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed. The following custom fields should be added to the store type:\n\n   | Name | Display Name | Description | Type | Default Value/Options | Required |\n   | ---- | ------------ | ---- | --------------------- | -------- | ----------- |\n   | ServerUsername | Server Username | A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). 
If acting as an *agent* using local file access, just check *No Value* | Secret |  | 🔲 Unchecked |\n   | ServerPassword | Server Password | A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check *No Value* | Secret |  | 🔲 Unchecked |\n   | LinuxFilePermissionsOnStoreCreation | Linux File Permissions on Store Creation | The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'.  Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting. | String |  | 🔲 Unchecked |\n   | LinuxFileOwnerOnStoreCreation | Linux File Owner on Store Creation | The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'.  Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting. | String |  | 🔲 Unchecked |\n   | SudoImpersonatingUser | Sudo Impersonating User | The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'.  Overrides [config.json](#post-installation) DefaultSudoImpersonatedUser setting. | String |  | 🔲 Unchecked |\n   | SeparatePrivateKeyFilePath | Separate Private Key File Location | The SeparatePrivateKeyFilePath field should contain the full path and file name where the separate private key file will be stored if it is to be kept outside the main certificate file. Example: '/path/to/privatekey.der'. 
| String |  | 🔲 Unchecked |\n   | RemoveRootCertificate | Remove Root Certificate from Chain | Remove root certificate from chain when adding/renewing a certificate in a store. | Bool | False | 🔲 Unchecked |\n   | IncludePortInSPN | Include Port in SPN for WinRM | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. | Bool | False | 🔲 Unchecked |\n   | SSHPort | SSH Port | Integer value representing the port that should be used when connecting to Linux servers over SSH.  Overrides SSHPort [config.json](#post-installation) setting. | String |  | 🔲 Unchecked |\n   | UseShellCommands | Use Shell Commands | Recommended to be set to the default value of 'Y'.  For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting) | Bool | True | 🔲 Unchecked |\n\n   The Custom Fields tab should look like this:\n\n   ![RFDER Custom Fields Tab](docsource/images/RFDER-custom-fields-store-type-dialog.png)\n\n\n   ###### Server Username\n   A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value*\n\n\n   \u003e [!IMPORTANT]\n   \u003e This field is created by the `Needs Server` on the Basic tab, do not create this field manually.\n\n\n\n\n   ###### Server Password\n   A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. 
If acting as an *agent* using local file access, just check *No Value*\n\n\n   \u003e [!IMPORTANT]\n   \u003e This field is created by the `Needs Server` on the Basic tab, do not create this field manually.\n\n\n\n\n   ###### Linux File Permissions on Store Creation\n   The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'.  Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting.\n\n   ![RFDER Custom Field - LinuxFilePermissionsOnStoreCreation](docsource/images/RFDER-custom-field-LinuxFilePermissionsOnStoreCreation-dialog.png)\n\n\n\n   ###### Linux File Owner on Store Creation\n   The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'.  Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting.\n\n   ![RFDER Custom Field - LinuxFileOwnerOnStoreCreation](docsource/images/RFDER-custom-field-LinuxFileOwnerOnStoreCreation-dialog.png)\n\n\n\n   ###### Sudo Impersonating User\n   The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'.  Overrides [config.json](#post-installation) DefaultSudoImpersonatedUser setting.\n\n   ![RFDER Custom Field - SudoImpersonatingUser](docsource/images/RFDER-custom-field-SudoImpersonatingUser-dialog.png)\n\n\n\n   ###### Separate Private Key File Location\n   The SeparatePrivateKeyFilePath field should contain the full path and file name where the separate private key file will be stored if it is to be kept outside the main certificate file. 
Example: '/path/to/privatekey.der'.\n\n   ![RFDER Custom Field - SeparatePrivateKeyFilePath](docsource/images/RFDER-custom-field-SeparatePrivateKeyFilePath-dialog.png)\n\n\n\n   ###### Remove Root Certificate from Chain\n   Remove root certificate from chain when adding/renewing a certificate in a store.\n\n   ![RFDER Custom Field - RemoveRootCertificate](docsource/images/RFDER-custom-field-RemoveRootCertificate-dialog.png)\n\n\n\n   ###### Include Port in SPN for WinRM\n   Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations.\n\n   ![RFDER Custom Field - IncludePortInSPN](docsource/images/RFDER-custom-field-IncludePortInSPN-dialog.png)\n\n\n\n   ###### SSH Port\n   Integer value representing the port that should be used when connecting to Linux servers over SSH.  Overrides SSHPort [config.json](#post-installation) setting.\n\n   ![RFDER Custom Field - SSHPort](docsource/images/RFDER-custom-field-SSHPort-dialog.png)\n\n\n\n   ###### Use Shell Commands\n   Recommended to be set to the default value of 'Y'.  For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)\n\n   ![RFDER Custom Field - UseShellCommands](docsource/images/RFDER-custom-field-UseShellCommands-dialog.png)\n\n\n\n\n\n   \u003c/details\u003e\n\u003c/details\u003e\n\n### RFKDB\n\n\u003cdetails\u003e\u003csummary\u003eClick to expand details\u003c/summary\u003e\n\n\nThe `RFKDB` store type can be used to manage IBM Key Database Files (`KDB`) files.  The IBM utility, `GSKCAPICMD`, is used \nto read and write certificates from and to the target store and is therefore required to be installed on the server where \neach `KDB` certificate store being managed resides, and its location MUST be in the system `$Path`.\n\n#### Supported use cases\n1. One-to-many trust entries - A trust entry is defined as a single certificate without a private key in a certificate store.  
Each trust entry is identified with a custom alias.\n2. One-to-many key entries - One-to-many certificates with private keys and optionally the full certificate chain.  Each certificate is identified with a custom alias.\n3. A mix of trust and key entries.\n\n\n\n\n#### Supported Operations\n\n| Operation    | Is Supported                                                                                                           |\n|--------------|------------------------------------------------------------------------------------------------------------------------|\n| Add          | ✅ Checked        |\n| Remove       | ✅ Checked     |\n| Discovery    | ✅ Checked  |\n| Reenrollment | 🔲 Unchecked |\n| Create       | ✅ Checked     |\n\n#### Store Type Creation\n\n##### Using kfutil:\n`kfutil` is a custom CLI for the Keyfactor Command API and can be used to create certificate store types.\nFor more information on [kfutil](https://github.com/Keyfactor/kfutil) check out the [docs](https://github.com/Keyfactor/kfutil?tab=readme-ov-file#quickstart)\n   \u003cdetails\u003e\u003csummary\u003eClick to expand RFKDB kfutil details\u003c/summary\u003e\n\n   ##### Using online definition from GitHub:\n   This will reach out to GitHub and pull the latest store-type definition\n   ```shell\n   # RFKDB\n   kfutil store-types create RFKDB\n   ```\n\n   ##### Offline creation using integration-manifest file:\n   If required, it is possible to create store types from the [integration-manifest.json](./integration-manifest.json) included in this repo.\n   You would first download the [integration-manifest.json](./integration-manifest.json) and then run the following command\n   in your offline environment.\n   ```shell\n   kfutil store-types create --from-file integration-manifest.json\n   ```\n   \u003c/details\u003e\n\n\n#### Manual Creation\nBelow are instructions on how to create the RFKDB store type manually in\nthe Keyfactor Command Portal\n   
\u003cdetails\u003e\u003csummary\u003eClick to expand manual RFKDB details\u003c/summary\u003e\n\n   Create a store type called `RFKDB` with the attributes in the tables below:\n\n   ##### Basic Tab\n   | Attribute | Value | Description |\n   | --------- | ----- | ----- |\n   | Name | RFKDB | Display name for the store type (may be customized) |\n   | Short Name | RFKDB | Short display name for the store type |\n   | Capability | RFKDB | Store type name orchestrator will register with. Check the box to allow entry of value |\n   | Supports Add | ✅ Checked | Check the box. Indicates that the Store Type supports Management Add |\n   | Supports Remove | ✅ Checked | Check the box. Indicates that the Store Type supports Management Remove |\n   | Supports Discovery | ✅ Checked | Check the box. Indicates that the Store Type supports Discovery |\n   | Supports Reenrollment | 🔲 Unchecked |  Indicates that the Store Type supports Reenrollment |\n   | Supports Create | ✅ Checked | Check the box. Indicates that the Store Type supports store creation |\n   | Needs Server | ✅ Checked | Determines if a target server name is required when creating store |\n   | Blueprint Allowed | 🔲 Unchecked | Determines if store type may be included in an Orchestrator blueprint |\n   | Uses PowerShell | 🔲 Unchecked | Determines if underlying implementation is PowerShell |\n   | Requires Store Password | ✅ Checked | Enables users to optionally specify a store password when defining a Certificate Store. |\n   | Supports Entry Password | 🔲 Unchecked | Determines if an individual entry within a store can have a password. |\n\n   The Basic tab should look like this:\n\n   ![RFKDB Basic Tab](docsource/images/RFKDB-basic-store-type-dialog.png)\n\n   ##### Advanced Tab\n   | Attribute | Value | Description |\n   | --------- | ----- | ----- |\n   | Supports Custom Alias | Required | Determines if an individual entry within a store can have a custom Alias. 
|\n   | Private Key Handling | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. |\n   | PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) |\n\n   The Advanced tab should look like this:\n\n   ![RFKDB Advanced Tab](docsource/images/RFKDB-advanced-store-type-dialog.png)\n\n   \u003e For Keyfactor **Command versions 24.4 and later**, a Certificate Format dropdown is available with PFX and PEM options. Ensure that **PFX** is selected, as this determines the format of new and renewed certificates sent to the Orchestrator during a Management job. Currently, all Keyfactor-supported Orchestrator extensions support only PFX.\n\n   ##### Custom Fields Tab\n   Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed. The following custom fields should be added to the store type:\n\n   | Name | Display Name | Description | Type | Default Value/Options | Required |\n   | ---- | ------------ | ---- | --------------------- | -------- | ----------- |\n   | ServerUsername | Server Username | A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value* | Secret |  | 🔲 Unchecked |\n   | ServerPassword | Server Password | A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. 
If acting as an *agent* using local file access, just check *No Value* | Secret |  | 🔲 Unchecked |\n   | LinuxFilePermissionsOnStoreCreation | Linux File Permissions on Store Creation | The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'.  Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting. | String |  | 🔲 Unchecked |\n   | LinuxFileOwnerOnStoreCreation | Linux File Owner on Store Creation | The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'.  Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting. | String |  | 🔲 Unchecked |\n   | SudoImpersonatingUser | Sudo Impersonating User | The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'.  Overrides [config.json](#post-installation) DefaultSudoImpersonatedUser setting. | String |  | 🔲 Unchecked |\n   | RemoveRootCertificate | Remove Root Certificate from Chain | Remove root certificate from chain when adding/renewing a certificate in a store. | Bool | False | 🔲 Unchecked |\n   | IncludePortInSPN | Include Port in SPN for WinRM | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. | Bool | False | 🔲 Unchecked |\n   | SSHPort | SSH Port | Integer value representing the port that should be used when connecting to Linux servers over SSH.  Overrides SSHPort [config.json](#post-installation) setting. | String |  | 🔲 Unchecked |\n   | UseShellCommands | Use Shell Commands | Recommended to be set to the default value of 'Y'.  
For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting) | Bool | True | 🔲 Unchecked |\n\n   The Custom Fields tab should look like this:\n\n   ![RFKDB Custom Fields Tab](docsource/images/RFKDB-custom-fields-store-type-dialog.png)\n\n\n   ###### Server Username\n   A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value*\n\n\n   \u003e [!IMPORTANT]\n   \u003e This field is created by the `Needs Server` on the Basic tab, do not create this field manually.\n\n\n\n\n   ###### Server Password\n   A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check *No Value*\n\n\n   \u003e [!IMPORTANT]\n   \u003e This field is created by the `Needs Server` on the Basic tab, do not create this field manually.\n\n\n\n\n   ###### Linux File Permissions on Store Creation\n   The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'.  Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting.\n\n   ![RFKDB Custom Field - LinuxFilePermissionsOnStoreCreation](docsource/images/RFKDB-custom-field-LinuxFilePermissionsOnStoreCreation-dialog.png)\n\n\n\n   ###### Linux File Owner on Store Creation\n   The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'.  
Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting.\n\n   ![RFKDB Custom Field - LinuxFileOwnerOnStoreCreation](docsource/images/RFKDB-custom-field-LinuxFileOwnerOnStoreCreation-dialog.png)\n\n\n\n   ###### Sudo Impersonating User\n   The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'.  Overrides [config.json](#post-installation) DefaultSudoImpersonatedUser setting.\n\n   ![RFKDB Custom Field - SudoImpersonatingUser](docsource/images/RFKDB-custom-field-SudoImpersonatingUser-dialog.png)\n\n\n\n   ###### Remove Root Certificate from Chain\n   Remove root certificate from chain when adding/renewing a certificate in a store.\n\n   ![RFKDB Custom Field - RemoveRootCertificate](docsource/images/RFKDB-custom-field-RemoveRootCertificate-dialog.png)\n\n\n\n   ###### Include Port in SPN for WinRM\n   Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations.\n\n   ![RFKDB Custom Field - IncludePortInSPN](docsource/images/RFKDB-custom-field-IncludePortInSPN-dialog.png)\n\n\n\n   ###### SSH Port\n   Integer value representing the port that should be used when connecting to Linux servers over SSH.  Overrides SSHPort [config.json](#post-installation) setting.\n\n   ![RFKDB Custom Field - SSHPort](docsource/images/RFKDB-custom-field-SSHPort-dialog.png)\n\n\n\n   ###### Use Shell Commands\n   Recommended to be set to the default value of 'Y'.  
For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)\n\n   ![RFKDB Custom Field - UseShellCommands](docsource/images/RFKDB-custom-field-UseShellCommands-dialog.png)\n\n\n\n\n\n   \u003c/details\u003e\n\u003c/details\u003e\n\n### RFORA\n\n\u003cdetails\u003e\u003csummary\u003eClick to expand details\u003c/summary\u003e\n\n\nThe `RFORA` store type can be used to manage `PKCS12` Oracle Wallets. \n\n\u003e NOTE: While this should work for `PKCS12` Oracle Wallets installed on both Windows and Linux servers, it has only been tested on wallets installed on Windows.  \n\u003e NOTE: When entering the Store Path for an Oracle Wallet in Keyfactor Command, make sure to INCLUDE the `eWallet.p12` file name, which by convention is the name of the `PKCS12` wallet file that gets created.\n\n#### Supported use cases\n1. One-to-many trust entries - A trust entry is defined as a single certificate without a private key in a certificate store.  Each trust entry is identified with a custom alias.\n2. One-to-many key entries - One-to-many certificates with private keys and optionally the full certificate chain.  Each certificate is identified with a custom alias.\n3. 
A mix of trust and key entries.\n\n\n\n\n#### Supported Operations\n\n| Operation    | Is Supported                                                                                                           |\n|--------------|------------------------------------------------------------------------------------------------------------------------|\n| Add          | ✅ Checked        |\n| Remove       | ✅ Checked     |\n| Discovery    | ✅ Checked  |\n| Reenrollment | 🔲 Unchecked |\n| Create       | ✅ Checked     |\n\n#### Store Type Creation\n\n##### Using kfutil:\n`kfutil` is a custom CLI for the Keyfactor Command API and can be used to create certificate store types.\nFor more information on [kfutil](https://github.com/Keyfactor/kfutil) check out the [docs](https://github.com/Keyfactor/kfutil?tab=readme-ov-file#quickstart)\n   \u003cdetails\u003e\u003csummary\u003eClick to expand RFORA kfutil details\u003c/summary\u003e\n\n   ##### Using online definition from GitHub:\n   This will reach out to GitHub and pull the latest store-type definition\n   ```shell\n   # RFORA\n   kfutil store-types create RFORA\n   ```\n\n   ##### Offline creation using integration-manifest file:\n   If required, it is possible to create store types from the [integration-manifest.json](./integration-manifest.json) included in this repo.\n   You would first download the [integration-manifest.json](./integration-manifest.json) and then run the following command\n   in your offline environment.\n   ```shell\n   kfutil store-types create --from-file integration-manifest.json\n   ```\n   \u003c/details\u003e\n\n\n#### Manual Creation\nBelow are instructions on how to create the RFORA store type manually in\nthe Keyfactor Command Portal\n   \u003cdetails\u003e\u003csummary\u003eClick to expand manual RFORA details\u003c/summary\u003e\n\n   Create a store type called `RFORA` with the attributes in the tables below:\n\n   ##### Basic Tab\n   | Attribute | Value | Description |\n   | --------- | ----- 
| ----- |\n   | Name | RFORA | Display name for the store type (may be customized) |\n   | Short Name | RFORA | Short display name for the store type |\n   | Capability | RFORA | Store type name orchestrator will register with. Check the box to allow entry of value |\n   | Supports Add | ✅ Checked | Check the box. Indicates that the Store Type supports Management Add |\n   | Supports Remove | ✅ Checked | Check the box. Indicates that the Store Type supports Management Remove |\n   | Supports Discovery | ✅ Checked | Check the box. Indicates that the Store Type supports Discovery |\n   | Supports Reenrollment | 🔲 Unchecked |  Indicates that the Store Type supports Reenrollment |\n   | Supports Create | ✅ Checked | Check the box. Indicates that the Store Type supports store creation |\n   | Needs Server | ✅ Checked | Determines if a target server name is required when creating store |\n   | Blueprint Allowed | 🔲 Unchecked | Determines if store type may be included in an Orchestrator blueprint |\n   | Uses PowerShell | 🔲 Unchecked | Determines if underlying implementation is PowerShell |\n   | Requires Store Password | ✅ Checked | Enables users to optionally specify a store password when defining a Certificate Store. |\n   | Supports Entry Password | 🔲 Unchecked | Determines if an individual entry within a store can have a password. |\n\n   The Basic tab should look like this:\n\n   ![RFORA Basic Tab](docsource/images/RFORA-basic-store-type-dialog.png)\n\n   ##### Advanced Tab\n   | Attribute | Value | Description |\n   | --------- | ----- | ----- |\n   | Supports Custom Alias | Required | Determines if an individual entry within a store can have a custom Alias. |\n   | Private Key Handling | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. 
|\n   | PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) |\n\n   The Advanced tab should look like this:\n\n   ![RFORA Advanced Tab](docsource/images/RFORA-advanced-store-type-dialog.png)\n\n   \u003e For Keyfactor **Command versions 24.4 and later**, a Certificate Format dropdown is available with PFX and PEM options. Ensure that **PFX** is selected, as this determines the format of new and renewed certificates sent to the Orchestrator during a Management job. Currently, all Keyfactor-supported Orchestrator extensions support only PFX.\n\n   ##### Custom Fields Tab\n   Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed. The following custom fields should be added to the store type:\n\n   | Name | Display Name | Description | Type | Default Value/Options | Required |\n   | ---- | ------------ | ---- | --------------------- | -------- | ----------- |\n   | ServerUsername | Server Username | A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value* | Secret |  | 🔲 Unchecked |\n   | ServerPassword | Server Password | A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. 
If acting as an *agent* using local file access, just check *No Value* | Secret |  | 🔲 Unchecked |\n   | LinuxFilePermissionsOnStoreCreation | Linux File Permissions on Store Creation | The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'.  Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting. | String |  | 🔲 Unchecked |\n   | LinuxFileOwnerOnStoreCreation | Linux File Owner on Store Creation | The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'.  Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting. | String |  | 🔲 Unchecked |\n   | SudoImpersonatingUser | Sudo Impersonating User | The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'.  Overrides [config.json](#post-installation) DefaultSudoImpersonatedUser setting. | String |  | 🔲 Unchecked |\n   | WorkFolder | Location to use for creation/removal of work files | The WorkFolder field should contain the path on the managed server where temporary work files can be created, modified, and deleted during Inventory and Management jobs. Example: '/path/to/workfolder'. | String |  | ✅ Checked |\n   | RemoveRootCertificate | Remove Root Certificate from Chain | Remove root certificate from chain when adding/renewing a certificate in a store. | Bool | False | 🔲 Unchecked |\n   | IncludePortInSPN | Include Port in SPN for WinRM | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. 
| Bool | False | 🔲 Unchecked |\n   | SSHPort | SSH Port | Integer value representing the port that should be used when connecting to Linux servers over SSH.  Overrides SSHPort [config.json](#post-installation) setting. | String |  | 🔲 Unchecked |\n   | UseShellCommands | Use Shell Commands | Recommended to be set to the default value of 'Y'.  For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting) | Bool | True | 🔲 Unchecked |\n\n   The Custom Fields tab should look like this:\n\n   ![RFORA Custom Fields Tab](docsource/images/RFORA-custom-fields-store-type-dialog.png)\n\n\n   ###### Server Username\n   A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value*\n\n\n   \u003e [!IMPORTANT]\n   \u003e This field is created by the `Needs Server` on the Basic tab, do not create this field manually.\n\n\n\n\n   ###### Server Password\n   A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check *No Value*\n\n\n   \u003e [!IMPORTANT]\n   \u003e This field is created by the `Needs Server` on the Basic tab, do not create this field manually.\n\n\n\n\n   ###### Linux File Permissions on Store Creation\n   The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'.  
Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting.\n\n   ![RFORA Custom Field - LinuxFilePermissionsOnStoreCreation](docsource/images/RFORA-custom-field-LinuxFilePermissionsOnStoreCreation-dialog.png)\n\n\n\n   ###### Linux File Owner on Store Creation\n   The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'.  Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting.\n\n   ![RFORA Custom Field - LinuxFileOwnerOnStoreCreation](docsource/images/RFORA-custom-field-LinuxFileOwnerOnStoreCreation-dialog.png)\n\n\n\n   ###### Sudo Impersonating User\n   The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'.  Overrides [config.json](#post-installation) DefaultSudoImpersonatedUser setting.\n\n   ![RFORA Custom Field - SudoImpersonatingUser](docsource/images/RFORA-custom-field-SudoImpersonatingUser-dialog.png)\n\n\n\n   ###### Location to use for creation/removal of work files\n   The WorkFolder field should contain the path on the managed server where temporary work files can be created, modified, and deleted during Inventory and Management jobs. Example: '/path/to/workfolder'.\n\n   ![RFORA Custom Field - WorkFolder](docsource/images/RFORA-custom-field-WorkFolder-dialog.png)\n\n\n\n   ###### Remove Root Certificate from Chain\n   Remove root certificate from chain when adding/renewing a certificate in a store.\n\n   ![RFORA Custom Field - RemoveRootCertificate](docsource/images/RFORA-custom-field-RemoveRootCertificate-dialog.png)\n\n\n\n   ###### Include Port in SPN for WinRM\n   Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. 
Needed for some Kerberos configurations.\n\n   ![RFORA Custom Field - IncludePortInSPN](docsource/images/RFORA-custom-field-IncludePortInSPN-dialog.png)\n\n\n\n   ###### SSH Port\n   Integer value representing the port that should be used when connecting to Linux servers over SSH.  Overrides SSHPort [config.json](#post-installation) setting.\n\n   ![RFORA Custom Field - SSHPort](docsource/images/RFORA-custom-field-SSHPort-dialog.png)\n\n\n\n   ###### Use Shell Commands\n   Recommended to be set to the default value of 'Y'.  For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)\n\n   ![RFORA Custom Field - UseShellCommands](docsource/images/RFORA-custom-field-UseShellCommands-dialog.png)\n\n\n\n\n\n   \u003c/details\u003e\n\u003c/details\u003e\n\n\n## Installation\n\n1. **Download the latest Remote File Universal Orchestrator extension from GitHub.**\n\n    Navigate to the [Remote File Universal Orchestrator extension GitHub version page](https://github.com/Keyfactor/remote-file-orchestrator/releases/latest). Refer to the compatibility matrix below to determine which asset should be downloaded. Then, click the corresponding asset to download the zip archive.\n\n   | Universal Orchestrator Version | Latest .NET version installed on the Universal Orchestrator server | `rollForward` condition in `Orchestrator.runtimeconfig.json` | `remote-file-orchestrator` .NET version to download |\n   | --------- | ----------- | ----------- | ----------- |\n   | Between `11.0.0` and `11.5.1` (inclusive) | `net8.0` | `LatestMajor` | `net8.0` |\n   | `11.6` _and_ newer | `net8.0` | | `net8.0` | \n\n    Unzip the archive containing extension assemblies to a known location.\n\n    \u003e **Note** If you don't see an asset with a corresponding .NET version, you should always assume that it was compiled for `net8.0`.\n\n2. 
**Locate the Universal Orchestrator extensions directory.**\n\n    * **Default on Windows** - `C:\\Program Files\\Keyfactor\\Keyfactor Orchestrator\\extensions`\n    * **Default on Linux** - `/opt/keyfactor/orchestrator/extensions`\n\n3. **Create a new directory for the Remote File Universal Orchestrator extension inside the extensions directory.**\n\n    Create a new directory called `remote-file-orchestrator`.\n    \u003e The directory name does not need to match any names used elsewhere; it just has to be unique within the extensions directory.\n\n4. **Copy the contents of the downloaded and unzipped assemblies from __step 2__ to the `remote-file-orchestrator` directory.**\n\n5. **Restart the Universal Orchestrator service.**\n\n    Refer to [Starting/Restarting the Universal Orchestrator service](https://software.keyfactor.com/Core-OnPrem/Current/Content/InstallingAgents/NetCoreOrchestrator/StarttheService.htm).\n\n\n6. **(optional) PAM Integration**\n\n    The Remote File Universal Orchestrator extension is compatible with all supported Keyfactor PAM extensions to resolve PAM-eligible secrets. PAM extensions running on Universal Orchestrators enable secure retrieval of secrets from a connected PAM provider.\n\n    To configure a PAM provider, [reference the Keyfactor Integration Catalog](https://keyfactor.github.io/integrations-catalog/content/pam) to select an extension and follow the associated instructions to install it on the Universal Orchestrator (remote).\n\n\n\u003e The above installation steps can be supplemented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/InstallingAgents/NetCoreOrchestrator/CustomExtensions.htm?Highlight=extensions).\n\n\n## Post Installation\n\nThe Remote File Orchestrator Extension uses a JSON configuration file. It is located at `{Keyfactor Orchestrator Installation Folder}\\Extensions\\RemoteFile\\config.json`. 
None of the values are required, and a description of each follows below:\n\n```json\n{\n  \"UseSudo\": \"N\",\n  \"DefaultSudoImpersonatedUser\": \"\",\n  \"CreateStoreIfMissing\": \"N\",\n  \"UseNegotiate\": \"N\",\n  \"SeparateUploadFilePath\": \"\",\n  \"DefaultLinuxPermissionsOnStoreCreation\": \"600\",\n  \"DefaultOwnerOnStoreCreation\": \"\",\n  \"SSHPort\": \"\",\n  \"UseShellCommands\":  \"Y\"\n}\n``` \n\n| Key                                      | Default Value | Allowed Values                        | Description                                                                                                                                                                                                                                              |\n|------------------------------------------|---------------|---------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| `UseSudo`                                | `N`           | `Y/N`                                 | Determines whether to prefix Linux commands with `sudo`. Setting to `Y` will prefix all Linux commands with `sudo`. Setting to `N` will not add `sudo` to Linux commands. Only applicable for Linux hosted certificate stores.                           |\n| `DefaultSudoImpersonatedUser`            |               | Any valid user id                     | Used with UseSudo=`Y` to set an alternate user to impersonate with sudo. If empty, `root` will be used by default. The user must have permissions to SCP/SFTP files and execute necessary commands. Only applicable for Linux hosted certificate stores. 
|\n| `CreateStoreIfMissing`                   | `N`           | `Y/N`                                 | Determines if a certificate store should be created during a Management-Add job if it doesn't exist. If `N`, the job will return an error. If `Y`, the store will be created and the certificate added.                                                  |\n| `UseNegotiate`                           | `N`           | `Y/N`                                 | Determines if WinRM should use Negotiate (Y) when connecting to the remote server. Only applicable for Windows hosted certificate stores.                                                                                                                |\n| `SeparateUploadFilePath`                 |               | Any valid, existing Linux path        | Path on the orchestrated server for uploading/downloading temporary work files. If empty, the certificate store location will be used. Only applicable for Linux hosted certificate stores.                                                              |\n| `DefaultLinuxPermissionsOnStoreCreation` | `600`         | Any 3-digit value from 000-777        | Linux file permissions set on new certificate stores. If blank, permissions from the parent folder will be used. Only applicable for Linux hosted certificate stores.                                                                                    |\n| `DefaultOwnerOnStoreCreation`            |               | Any valid user id                     | Sets the owner for newly created certificate stores. Can include group with format `ownerId:groupId`. If blank, the owner of the parent folder will be used. Only applicable for Linux hosted certificate stores.                                        |\n| `SSHPort`                                |               | Any valid integer representing a port | The port that SSH is listening on. Default is 22. Only applicable for Linux hosted certificate stores.                             
                                                                                                                      |\n| `UseShellCommands`                       | `Y`           | `Y/N`                                 | Recommended to be set to the default value of 'Y'.  For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)                                                                                |\n\n\n## Defining Certificate Stores\n\nThe Remote File Universal Orchestrator extension implements 6 Certificate Store Types, each with different functionality. Refer to the instructions below for each Certificate Store Type you need for your use case.\n\n\u003cdetails\u003e\u003csummary\u003eRFJKS (RFJKS)\u003c/summary\u003e\n\n\n### Store Creation\n\n#### Manually with the Command UI\n\n\u003cdetails\u003e\u003csummary\u003eClick to expand details\u003c/summary\u003e\n\n1. **Navigate to the _Certificate Stores_ page in Keyfactor Command.**\n\n    Log into Keyfactor Command, toggle the _Locations_ dropdown, and click _Certificate Stores_.\n\n2. **Add a Certificate Store.**\n\n    Click the Add button to add a new Certificate Store. Use the table below to populate the **Attributes** in the **Add** form.\n\n   | Attribute | Description                                             |\n   | --------- |---------------------------------------------------------|\n   | Category | Select \"RFJKS\" or the customized certificate store name from the previous step. |\n   | Container | Optional container to associate certificate store with. |\n   | Client Machine | The IP address or DNS name of the server hosting the certificate store.  For more information, see [Client Machine ](#client-machine-instructions) |\n   | Store Path | The full path and file name (including the file extension, if any) of the certificate store file.  
For Linux orchestrated servers, StorePath will begin with a forward slash (e.g. /folder/path/storename.ext).  For Windows orchestrated servers, it should begin with a drive letter (e.g. c:\\folder\\path\\storename.ext). |\n   | Store Password | Password used to secure the Certificate Store |\n   | Orchestrator | Select an approved orchestrator capable of managing `RFJKS` certificates. Specifically, one with the `RFJKS` capability. |\n   | ServerUsername | A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value* |\n   | ServerPassword | A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check *No Value* |\n   | LinuxFilePermissionsOnStoreCreation | The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'.  Overrides the DefaultLinuxPermissionsOnStoreCreation [config.json](#post-installation) setting. |\n   | LinuxFileOwnerOnStoreCreation | The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'.  Overrides the DefaultOwnerOnStoreCreation [config.json](#post-installation) setting. |\n   | SudoImpersonatingUser | The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'.  Overrides the DefaultSudoImpersonatedUser [config.json](#post-installation) setting. 
|\n   | RemoveRootCertificate | Remove root certificate from chain when adding/renewing a certificate in a store. |\n   | IncludePortInSPN | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. |\n   | SSHPort | Integer value representing the port that should be used when connecting to Linux servers over SSH.  Overrides SSHPort [config.json](#post-installation) setting. |\n   | UseShellCommands | Recommended to be set to the default value of 'Y'.  For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting) |\n\n\u003c/details\u003e\n\n\n\n#### Using kfutil CLI\n\n\u003cdetails\u003e\u003csummary\u003eClick to expand details\u003c/summary\u003e\n\n1. **Generate a CSV template for the RFJKS certificate store**\n\n    ```shell\n    kfutil stores import generate-template --store-type-name RFJKS --outpath RFJKS.csv\n    ```\n2. **Populate the generated CSV file**\n\n    Open the CSV file, and reference the table below to populate parameters for each **Attribute**.\n\n   | Attribute | Description |\n   | --------- | ----------- |\n   | Category | Select \"RFJKS\" or the customized certificate store name from the previous step. |\n   | Container | Optional container to associate certificate store with. |\n   | Client Machine | The IP address or DNS of the server hosting the certificate store.  For more information, see [Client Machine ](#client-machine-instructions) |\n   | Store Path | The full path and file name, including file extension if one exists where the certificate store file is located.  For Linux orchestrated servers, StorePath will begin with a forward slash (i.e. /folder/path/storename.ext).  For Windows orchestrated servers, it should begin with a drive letter (i.e. c:\\folder\\path\\storename.ext). 
|\n   | Store Password | Password used to secure the Certificate Store |\n   | Orchestrator | Select an approved orchestrator capable of managing `RFJKS` certificates. Specifically, one with the `RFJKS` capability. |\n   | Properties.ServerUsername | A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value* |\n   | Properties.ServerPassword | A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check *No Value* |\n   | Properties.LinuxFilePermissionsOnStoreCreation | The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'.  Overrides the DefaultLinuxPermissionsOnStoreCreation [config.json](#post-installation) setting. |\n   | Properties.LinuxFileOwnerOnStoreCreation | The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'.  Overrides the DefaultOwnerOnStoreCreation [config.json](#post-installation) setting. |\n   | Properties.SudoImpersonatingUser | The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'.  Overrides the DefaultSudoImpersonatedUser [config.json](#post-installation) setting. |\n   | Properties.RemoveRootCertificate | Remove root certificate from chain when adding/renewing a certificate in a store. 
|\n   | Properties.IncludePortInSPN | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. |\n   | Properties.SSHPort | Integer value representing the port that should be used when connecting to Linux servers over SSH.  Overrides SSHPort [config.json](#post-installation) setting. |\n   | Properties.UseShellCommands | Recommended to be set to the default value of 'Y'.  For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting) |\n\n3. **Import the CSV file to create the certificate stores**\n\n    ```shell\n    kfutil stores import csv --store-type-name RFJKS --file RFJKS.csv\n    ```\n\n\u003c/details\u003e\n\n\n#### PAM Provider Eligible Fields\n\u003cdetails\u003e\u003csummary\u003eAttributes eligible for retrieval by a PAM Provider on the Universal Orchestrator\u003c/summary\u003e\n\nIf a PAM provider was installed _on the Universal Orchestrator_ in the [Installation](#Installation) section, the following parameters can be configured for retrieval _on the Universal Orchestrator_.\n\n   | Attribute | Description |\n   | --------- | ----------- |\n   | ServerUsername | A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value* |\n   | ServerPassword | A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. 
If acting as an *agent* using local file access, just check *No Value* |\n   | StorePassword | Password used to secure the Certificate Store |\n\nPlease refer to the **Universal Orchestrator (remote)** usage section ([PAM providers on the Keyfactor Integration Catalog](https://keyfactor.github.io/integrations-catalog/content/pam)) for your selected PAM provider for instructions on how to load attributes orchestrator-side.\n\u003e Any secret can be rendered by a PAM provider _installed on the Keyfactor Command server_. The above parameters are specific to attributes that can be fetched by an installed PAM provider running on the Universal Orchestrator server itself.\n\n\u003c/details\u003e\n\n\n\u003e The content in this section can be supplemented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store).\n\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003eRFPEM (RFPEM)\u003c/summary\u003e\n\n\n### Store Creation\n\n#### Manually with the Command UI\n\n\u003cdetails\u003e\u003csummary\u003eClick to expand details\u003c/summary\u003e\n\n1. **Navigate to the _Certificate Stores_ page in Keyfactor Command.**\n\n    Log into Keyfactor Command, toggle the _Locations_ dropdown, and click _Certificate Stores_.\n\n2. **Add a Certificate Store.**\n\n    Click the Add button to add a new Certificate Store. Use the table below to populate the **Attributes** in the **Add** form.\n\n   | Attribute | Description                                             |\n   | --------- |---------------------------------------------------------|\n   | Category | Select \"RFPEM\" or the customized certificate store name from the previous step. |\n   | Container | Optional container to associate certificate store with. 
|\n   | Client Machine | The Client Machine field should contain the DNS name or IP address of the remote orchestrated server for Linux orchestrated servers, formatted as a URL (protocol://dns-or-ip:port) for Windows orchestrated servers, or '1.1.1.1|LocalMachine' for local agents. Example: 'https://myserver.mydomain.com:5986' or '1.1.1.1|LocalMachine' for local access. |\n   | Store Path | The Store Path field should contain the full path and file name, including file extension if applicable, beginning with a forward slash (/) for Linux orchestrated servers or a drive letter (i.e., c:\\folder\\path\\storename.ext) for Windows orchestrated servers. Example: '/folder/path/storename.pem' or 'c:\\folder\\path\\storename.pem'. |\n   | Store Password | Password used to secure the Certificate Store.  For stores with PKCS#8 private keys, set the password for encrypted private keys (BEGIN ENCRYPTED PRIVATE KEY) or 'No Value' for unencrypted private keys (BEGIN PRIVATE KEY).  If managing a store with a PKCS#1 private key (BEGIN RSA PRIVATE KEY), this value MUST be set to 'No Value' |\n   | Orchestrator | Select an approved orchestrator capable of managing `RFPEM` certificates. Specifically, one with the `RFPEM` capability. |\n   | ServerUsername | A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value* |\n   | ServerPassword | A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check *No Value* |\n   | LinuxFilePermissionsOnStoreCreation | The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. 
Example: '600' or '755'.  Overrides the DefaultLinuxPermissionsOnStoreCreation [config.json](#post-installation) setting. |\n   | LinuxFileOwnerOnStoreCreation | The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'.  Overrides the DefaultOwnerOnStoreCreation [config.json](#post-installation) setting. |\n   | SudoImpersonatingUser | The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'.  Overrides the DefaultSudoImpersonatedUser [config.json](#post-installation) setting. |\n   | IsTrustStore | The IsTrustStore field should contain a boolean value ('true' or 'false') indicating whether the store will be identified as a trust store, which can hold multiple certificates without private keys. Example: 'true' for a trust store or 'false' for a store with a single certificate and private key. |\n   | IncludesChain | The IncludesChain field should contain a boolean value ('true' or 'false') indicating whether the certificate store includes the full certificate chain along with the end entity certificate. Example: 'true' to include the full chain or 'false' to exclude it. |\n   | SeparatePrivateKeyFilePath | The SeparatePrivateKeyFilePath field should contain the full path and file name where the separate private key file will be stored if it is to be kept outside the main certificate file. Example: '/path/to/privatekey.pem'. |\n   | IgnorePrivateKeyOnInventory | The IgnorePrivateKeyOnInventory field should contain a boolean value ('true' or 'false') indicating whether to disregard the private key during inventory. Setting this to 'true' will allow inventory for the store without needing to supply the location of the private key or the password if the key is encrypted.  
However, doing this makes the store in effect inventory-only and no management jobs will be able to be run for this store. Example: 'true' to ignore the private key or 'false' to include it. |\n   | RemoveRootCertificate | Remove root certificate from chain when adding/renewing a certificate in a store. |\n   | IncludePortInSPN | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. |\n   | SSHPort | Integer value representing the port that should be used when connecting to Linux servers over SSH.  Overrides SSHPort [config.json](#post-installation) setting. |\n   | UseShellCommands | Recommended to be set to the default value of 'Y'.  For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting) |\n\n\u003c/details\u003e\n\n\n\n#### Using kfutil CLI\n\n\u003cdetails\u003e\u003csummary\u003eClick to expand details\u003c/summary\u003e\n\n1. **Generate a CSV template for the RFPEM certificate store**\n\n    ```shell\n    kfutil stores import generate-template --store-type-name RFPEM --outpath RFPEM.csv\n    ```\n2. **Populate the generated CSV file**\n\n    Open the CSV file, and reference the table below to populate parameters for each **Attribute**.\n\n   | Attribute | Description |\n   | --------- | ----------- |\n   | Category | Select \"RFPEM\" or the customized certificate store name from the previous step. |\n   | Container | Optional container to associate certificate store with. |\n   | Client Machine | The Client Machine field should contain the DNS name or IP address of the remote orchestrated server for Linux orchestrated servers, formatted as a URL (protocol://dns-or-ip:port) for Windows orchestrated servers, or '1.1.1.1|LocalMachine' for local agents. Example: 'https://myserver.mydomain.com:5986' or '1.1.1.1|LocalMachine' for local access. 
|\n   | Store Path | The Store Path field should contain the full path and file name, including file extension if applicable, beginning with a forward slash (/) for Linux orchestrated servers or a drive letter (e.g., c:\\folder\\path\\storename.ext) for Windows orchestrated servers. Example: '/folder/path/storename.pem' or 'c:\\folder\\path\\storename.pem'. |\n   | Store Password | Password used to secure the Certificate Store.  For stores with PKCS#8 private keys, set the password for encrypted private keys (BEGIN ENCRYPTED PRIVATE KEY) or 'No Value' for unencrypted private keys (BEGIN PRIVATE KEY).  If managing a store with a PKCS#1 private key (BEGIN RSA PRIVATE KEY), this value MUST be set to 'No Value' |\n   | Orchestrator | Select an approved orchestrator capable of managing `RFPEM` certificates. Specifically, one with the `RFPEM` capability. |\n   | Properties.ServerUsername | A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value* |\n   | Properties.ServerPassword | A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check *No Value* |\n   | Properties.LinuxFilePermissionsOnStoreCreation | The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'.  Overrides the DefaultLinuxPermissionsOnStoreCreation [config.json](#post-installation) setting. |\n   | Properties.LinuxFileOwnerOnStoreCreation | The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. 
Example: 'userID' or 'userID:groupID'.  Overrides the DefaultOwnerOnStoreCreation [config.json](#post-installation) setting. |\n   | Properties.SudoImpersonatingUser | The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'.  Overrides the DefaultSudoImpersonatedUser [config.json](#post-installation) setting. |\n   | Properties.IsTrustStore | The IsTrustStore field should contain a boolean value ('true' or 'false') indicating whether the store will be identified as a trust store, which can hold multiple certificates without private keys. Example: 'true' for a trust store or 'false' for a store with a single certificate and private key. |\n   | Properties.IncludesChain | The IncludesChain field should contain a boolean value ('true' or 'false') indicating whether the certificate store includes the full certificate chain along with the end entity certificate. Example: 'true' to include the full chain or 'false' to exclude it. |\n   | Properties.SeparatePrivateKeyFilePath | The SeparatePrivateKeyFilePath field should contain the full path and file name where the separate private key file will be stored if it is to be kept outside the main certificate file. Example: '/path/to/privatekey.pem'. |\n   | Properties.IgnorePrivateKeyOnInventory | The IgnorePrivateKeyOnInventory field should contain a boolean value ('true' or 'false') indicating whether to disregard the private key during inventory. Setting this to 'true' will allow inventory for the store without needing to supply the location of the private key or the password if the key is encrypted.  However, doing this makes the store in effect inventory-only, and no management jobs can be run for this store. Example: 'true' to ignore the private key or 'false' to include it. |\n   | Properties.RemoveRootCertificate | Remove root certificate from chain when adding/renewing a certificate in a store. 
|\n   | Properties.IncludePortInSPN | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. |\n   | Properties.SSHPort | Integer value representing the port that should be used when connecting to Linux servers over SSH.  Overrides SSHPort [config.json](#post-installation) setting. |\n   | Properties.UseShellCommands | Recommended to be set to the default value of 'Y'.  For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting) |\n\n3. **Import the CSV file to create the certificate stores**\n\n    ```shell\n    kfutil stores import csv --store-type-name RFPEM --file RFPEM.csv\n    ```\n\n\u003c/details\u003e\n\n\n#### PAM Provider Eligible Fields\n\u003cdetails\u003e\u003csummary\u003eAttributes eligible for retrieval by a PAM Provider on the Universal Orchestrator\u003c/summary\u003e\n\nIf a PAM provider was installed _on the Universal Orchestrator_ in the [Installation](#Installation) section, the following parameters can be configured for retrieval _on the Universal Orchestrator_.\n\n   | Attribute | Description |\n   | --------- | ----------- |\n   | ServerUsername | A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value* |\n   | ServerPassword | A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check *No Value* |\n   | StorePassword | Password used to secure the Certificate Store.  For stores with PKCS#8 private keys, set the password for encrypted private keys (BEGIN ENCRYPTED PRIVATE KEY) or 'No Value' for unencrypted private keys (BEGIN PRIVATE KEY).  
If managing a store with a PKCS#1 private key (BEGIN RSA PRIVATE KEY), this value MUST be set to 'No Value' |\n\nPlease refer to the **Universal Orchestrator (remote)** usage section ([PAM providers on the Keyfactor Integration Catalog](https://keyfactor.github.io/integrations-catalog/content/pam)) for your selected PAM provider for instructions on how to load attributes orchestrator-side.\n\u003e Any secret can be rendered by a PAM provider _installed on the Keyfactor Command server_. The above parameters are specific to attributes that can be fetched by an installed PAM provider running on the Universal Orchestrator server itself.\n\n\u003c/details\u003e\n\n\n\u003e The content in this section can be supplemented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store).\n\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003eRFPkcs12 (RFPkcs12)\u003c/summary\u003e\n\n\n### Store Creation\n\n#### Manually with the Command UI\n\n\u003cdetails\u003e\u003csummary\u003eClick to expand details\u003c/summary\u003e\n\n1. **Navigate to the _Certificate Stores_ page in Keyfactor Command.**\n\n    Log into Keyfactor Command, toggle the _Locations_ dropdown, and click _Certificate Stores_.\n\n2. **Add a Certificate Store.**\n\n    Click the Add button to add a new Certificate Store. Use the table below to populate the **Attributes** in the **Add** form.\n\n   | Attribute | Description                                             |\n   | --------- |---------------------------------------------------------|\n   | Category | Select \"RFPkcs12\" or the customized certificate store name from the previous step. |\n   | Container | Optional container to associate certificate store with. 
|\n   | Client Machine | The Client Machine field should contain the DNS name or IP address of the remote orchestrated server for Linux orchestrated servers, formatted as a URL (protocol://dns-or-ip:port) for Windows orchestrated servers, or '1.1.1.1\\|LocalMachine' for local agents. Example: 'https://myserver.mydomain.com:5986' or '1.1.1.1\\|LocalMachine' for local access. |\n   | Store Path | The Store Path field should contain the full path and file name, including file extension if applicable, beginning with a forward slash (/) for Linux orchestrated servers or a drive letter (e.g., c:\\folder\\path\\storename.p12) for Windows orchestrated servers. Example: '/folder/path/storename.p12' or 'c:\\folder\\path\\storename.p12'. |\n   | Store Password | Password used to secure the Certificate Store |\n   | Orchestrator | Select an approved orchestrator capable of managing `RFPkcs12` certificates. Specifically, one with the `RFPkcs12` capability. |\n   | ServerUsername | A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value* |\n   | ServerPassword | A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check *No Value* |\n   | LinuxFilePermissionsOnStoreCreation | The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'.  Overrides the DefaultLinuxPermissionsOnStoreCreation [config.json](#post-installation) setting. 
|\n   | LinuxFileOwnerOnStoreCreation | The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'.  Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting. |\n   | SudoImpersonatingUser | The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'.  Overrides DefaultSudoImpersonatedUser [config.json](#post-installation) setting. |\n   | RemoveRootCertificate | Remove root certificate from chain when adding/renewing a certificate in a store. |\n   | IncludePortInSPN | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. |\n   | SSHPort | Integer value representing the port that should be used when connecting to Linux servers over SSH.  Overrides SSHPort [config.json](#post-installation) setting. |\n   | UseShellCommands | Recommended to be set to the default value of 'Y'.  For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting) |\n\n\u003c/details\u003e\n\n\n\n#### Using kfutil CLI\n\n\u003cdetails\u003e\u003csummary\u003eClick to expand details\u003c/summary\u003e\n\n1. **Generate a CSV template for the RFPkcs12 certificate store**\n\n    ```shell\n    kfutil stores import generate-template --store-type-name RFPkcs12 --outpath RFPkcs12.csv\n    ```\n2. **Populate the generated CSV file**\n\n    Open the CSV file, and reference the table below to populate parameters for each **Attribute**.\n\n   | Attribute | Description |\n   | --------- | ----------- |\n   | Category | Select \"RFPkcs12\" or the customized certificate store name from the previous step. |\n   | Container | Optional container to associate certificate store with. 
|\n   | Client Machine | The Client Machine field should contain the DNS name or IP address of the remote orchestrated server for Linux orchestrated servers, formatted as a URL (protocol://dns-or-ip:port) for Windows orchestrated servers, or '1.1.1.1|LocalMachine' for local agents. Example: 'https://myserver.mydomain.com:5986' or '1.1.1.1|LocalMachine' for local access. |\n   | Store Path | The Store Path field should contain the full path and file name, including file extension if applicable, beginning with a forward slash (/) for Linux orchestrated servers or a drive letter (i.e., c:\\folder\\path\\storename.p12) for Windows orchestrated servers. Example: '/folder/path/storename.p12' or 'c:\\folder\\path\\storename.p12'. |\n   | Store Password | Password used to secure the Certificate Store |\n   | Orchestrator | Select an approved orchestrator capable of managing `RFPkcs12` certificates. Specifically, one with the `RFPkcs12` capability. |\n   | Properties.ServerUsername | A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value* |\n   | Properties.ServerPassword | A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check *No Value* |\n   | Properties.LinuxFilePermissionsOnStoreCreation | The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'.  Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting. 
|\n   | Properties.LinuxFileOwnerOnStoreCreation | The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'.  Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting. |\n   | Properties.SudoImpersonatingUser | The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'.  Overrides DefaultSudoImpersonatedUser [config.json](#post-installation) setting. |\n   | Properties.RemoveRootCertificate | Remove root certificate from chain when adding/renewing a certificate in a store. |\n   | Properties.IncludePortInSPN | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. |\n   | Properties.SSHPort | Integer value representing the port that should be used when connecting to Linux servers over SSH.  Overrides SSHPort [config.json](#post-installation) setting. |\n   | Properties.UseShellCommands | Recommended to be set to the default value of 'Y'.  For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting) |\n\n3. 
**Import the CSV file to create the certificate stores**\n\n    ```shell\n    kfutil stores import csv --store-type-name RFPkcs12 --file RFPkcs12.csv\n    ```\n\n\u003c/details\u003e\n\n\n#### PAM Provider Eligible Fields\n\u003cdetails\u003e\u003csummary\u003eAttributes eligible for retrieval by a PAM Provider on the Universal Orchestrator\u003c/summary\u003e\n\nIf a PAM provider was installed _on the Universal Orchestrator_ in the [Installation](#Installation) section, the following parameters can be configured for retrieval _on the Universal Orchestrator_.\n\n   | Attribute | Description |\n   | --------- | ----------- |\n   | ServerUsername | A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value* |\n   | ServerPassword | A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check *No Value* |\n   | StorePassword | Password used to secure the Certificate Store |\n\nPlease refer to the **Universal Orchestrator (remote)** usage section ([PAM providers on the Keyfactor Integration Catalog](https://keyfactor.github.io/integrations-catalog/content/pam)) for your selected PAM provider for instructions on how to load attributes orchestrator-side.\n\u003e Any secret can be rendered by a PAM provider _installed on the Keyfactor Command server_. 
The above parameters are specific to attributes that can be fetched by an installed PAM provider running on the Universal Orchestrator server itself.\n\n\u003c/details\u003e\n\n\n\u003e The content in this section can be supplemented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store).\n\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003eRFDER (RFDER)\u003c/summary\u003e\n\n\n### Store Creation\n\n#### Manually with the Command UI\n\n\u003cdetails\u003e\u003csummary\u003eClick to expand details\u003c/summary\u003e\n\n1. **Navigate to the _Certificate Stores_ page in Keyfactor Command.**\n\n    Log into Keyfactor Command, toggle the _Locations_ dropdown, and click _Certificate Stores_.\n\n2. **Add a Certificate Store.**\n\n    Click the Add button to add a new Certificate Store. Use the table below to populate the **Attributes** in the **Add** form.\n\n   | Attribute | Description                                             |\n   | --------- |---------------------------------------------------------|\n   | Category | Select \"RFDER\" or the customized certificate store name from the previous step. |\n   | Container | Optional container to associate certificate store with. |\n   | Client Machine | The Client Machine field should contain the DNS name or IP address of the remote orchestrated server for Linux orchestrated servers, formatted as a URL (protocol://dns-or-ip:port) for Windows orchestrated servers, or '1.1.1.1|LocalMachine' for local agents. Example: 'https://myserver.mydomain.com:5986' or '1.1.1.1|LocalMachine' for local access. |\n   | Store Path | The Store Path field should contain the full path and file name, including file extension if applicable, beginning with a forward slash (/) for Linux orchestrated servers or a drive letter (i.e., c:\\folder\\path\\storename.der) for Windows orchestrated servers. 
Example: '/folder/path/storename.der' or 'c:\\folder\\path\\storename.der'. |\n   | Store Password | Password used to secure the Certificate Store |\n   | Orchestrator | Select an approved orchestrator capable of managing `RFDER` certificates. Specifically, one with the `RFDER` capability. |\n   | ServerUsername | A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value* |\n   | ServerPassword | A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check *No Value* |\n   | LinuxFilePermissionsOnStoreCreation | The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'.  Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting. |\n   | LinuxFileOwnerOnStoreCreation | The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'.  Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting. |\n   | SudoImpersonatingUser | The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'.  Overrides [config.json](#post-installation) DefaultSudoImpersonatedUser setting. |\n   | SeparatePrivateKeyFilePath | The SeparatePrivateKeyFilePath field should contain the full path and file name where the separate private key file will be stored if it is to be kept outside the main certificate file. 
Example: '/path/to/privatekey.der'. |\n   | RemoveRootCertificate | Remove root certificate from chain when adding/renewing a certificate in a store. |\n   | IncludePortInSPN | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. |\n   | SSHPort | Integer value representing the port that should be used when connecting to Linux servers over SSH.  Overrides SSHPort [config.json](#post-installation) setting. |\n   | UseShellCommands | Recommended to be set to the default value of 'Y'.  For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting) |\n\n\u003c/details\u003e\n\n\n\n#### Using kfutil CLI\n\n\u003cdetails\u003e\u003csummary\u003eClick to expand details\u003c/summary\u003e\n\n1. **Generate a CSV template for the RFDER certificate store**\n\n    ```shell\n    kfutil stores import generate-template --store-type-name RFDER --outpath RFDER.csv\n    ```\n2. **Populate the generated CSV file**\n\n    Open the CSV file, and reference the table below to populate parameters for each **Attribute**.\n\n   | Attribute | Description |\n   | --------- | ----------- |\n   | Category | Select \"RFDER\" or the customized certificate store name from the previous step. |\n   | Container | Optional container to associate certificate store with. |\n   | Client Machine | The Client Machine field should contain the DNS name or IP address of the remote orchestrated server for Linux orchestrated servers, formatted as a URL (protocol://dns-or-ip:port) for Windows orchestrated servers, or '1.1.1.1|LocalMachine' for local agents. Example: 'https://myserver.mydomain.com:5986' or '1.1.1.1|LocalMachine' for local access. 
|\n   | Store Path | The Store Path field should contain the full path and file name, including file extension if applicable, beginning with a forward slash (/) for Linux orchestrated servers or a drive letter (i.e., c:\\folder\\path\\storename.der) for Windows orchestrated servers. Example: '/folder/path/storename.der' or 'c:\\folder\\path\\storename.der'. |\n   | Store Password | Password used to secure the Certificate Store |\n   | Orchestrator | Select an approved orchestrator capable of managing `RFDER` certificates. Specifically, one with the `RFDER` capability. |\n   | Properties.ServerUsername | A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value* |\n   | Properties.ServerPassword | A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check *No Value* |\n   | Properties.LinuxFilePermissionsOnStoreCreation | The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'.  Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting. |\n   | Properties.LinuxFileOwnerOnStoreCreation | The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'.  Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting. |\n   | Properties.SudoImpersonatingUser | The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. 
Example: 'impersonatedUserID'.  Overrides [config.json](#post-installation) DefaultSudoImpersonatedUser setting. |\n   | Properties.SeparatePrivateKeyFilePath | The SeparatePrivateKeyFilePath field should contain the full path and file name where the separate private key file will be stored if it is to be kept outside the main certificate file. Example: '/path/to/privatekey.der'. |\n   | Properties.RemoveRootCertificate | Remove root certificate from chain when adding/renewing a certificate in a store. |\n   | Properties.IncludePortInSPN | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. |\n   | Properties.SSHPort | Integer value representing the port that should be used when connecting to Linux servers over SSH.  Overrides SSHPort [config.json](#post-installation) setting. |\n   | Properties.UseShellCommands | Recommended to be set to the default value of 'Y'.  For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting) |\n\n3. **Import the CSV file to create the certificate stores**\n\n    ```shell\n    kfutil stores import csv --store-type-name RFDER --file RFDER.csv\n    ```\n\n\u003c/details\u003e\n\n\n#### PAM Provider Eligible Fields\n\u003cdetails\u003e\u003csummary\u003eAttributes eligible for retrieval by a PAM Provider on the Universal Orchestrator\u003c/summary\u003e\n\nIf a PAM provider was installed _on the Universal Orchestrator_ in the [Installation](#Installation) section, the following parameters can be configured for retrieval _on the Universal Orchestrator_.\n\n   | Attribute | Description |\n   | --------- | ----------- |\n   | ServerUsername | A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). 
If acting as an *agent* using local file access, just check *No Value* |\n   | ServerPassword | A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check *No Value* |\n   | StorePassword | Password used to secure the Certificate Store |\n\nPlease refer to the **Universal Orchestrator (remote)** usage section ([PAM providers on the Keyfactor Integration Catalog](https://keyfactor.github.io/integrations-catalog/content/pam)) for your selected PAM provider for instructions on how to load attributes orchestrator-side.\n\u003e Any secret can be rendered by a PAM provider _installed on the Keyfactor Command server_. The above parameters are specific to attributes that can be fetched by an installed PAM provider running on the Universal Orchestrator server itself.\n\n\u003c/details\u003e\n\n\n\u003e The content in this section can be supplemented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store).\n\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003eRFKDB (RFKDB)\u003c/summary\u003e\n\n\n### Store Creation\n\n#### Manually with the Command UI\n\n\u003cdetails\u003e\u003csummary\u003eClick to expand details\u003c/summary\u003e\n\n1. **Navigate to the _Certificate Stores_ page in Keyfactor Command.**\n\n    Log into Keyfactor Command, toggle the _Locations_ dropdown, and click _Certificate Stores_.\n\n2. **Add a Certificate Store.**\n\n    Click the Add button to add a new Certificate Store. 
Use the table below to populate the **Attributes** in the **Add** form.\n\n   | Attribute | Description                                             |\n   | --------- |---------------------------------------------------------|\n   | Category | Select \"RFKDB\" or the customized certificate store name from the previous step. |\n   | Container | Optional container to associate certificate store with. |\n   | Client Machine | The Client Machine field should contain the DNS name or IP address of the remote orchestrated server for Linux orchestrated servers, formatted as a URL (protocol://dns-or-ip:port) for Windows orchestrated servers, or '1.1.1.1|LocalMachine' for local agents. Example: 'https://myserver.mydomain.com:5986' or '1.1.1.1|LocalMachine' for local access. |\n   | Store Path | The Store Path field should contain the full path and file name, including file extension if applicable, beginning with a forward slash (/) for Linux orchestrated servers or a drive letter (i.e., c:\\folder\\path\\storename.kdb) for Windows orchestrated servers. Example: '/folder/path/storename.kdb' or 'c:\\folder\\path\\storename.kdb'. |\n   | Store Password | Password used to secure the Certificate Store |\n   | Orchestrator | Select an approved orchestrator capable of managing `RFKDB` certificates. Specifically, one with the `RFKDB` capability. |\n   | ServerUsername | A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value* |\n   | ServerPassword | A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. 
If acting as an *agent* using local file access, just check *No Value* |\n   | LinuxFilePermissionsOnStoreCreation | The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'.  Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting. |\n   | LinuxFileOwnerOnStoreCreation | The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'.  Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting. |\n   | SudoImpersonatingUser | The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'.  Overrides [config.json](#post-installation) DefaultSudoImpersonatedUser setting. |\n   | RemoveRootCertificate | Remove root certificate from chain when adding/renewing a certificate in a store. |\n   | IncludePortInSPN | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. |\n   | SSHPort | Integer value representing the port that should be used when connecting to Linux servers over SSH.  Overrides SSHPort [config.json](#post-installation) setting. |\n   | UseShellCommands | Recommended to be set to the default value of 'Y'.  For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting) |\n\n\u003c/details\u003e\n\n\n\n#### Using kfutil CLI\n\n\u003cdetails\u003e\u003csummary\u003eClick to expand details\u003c/summary\u003e\n\n1. 
**Generate a CSV template for the RFKDB certificate store**\n\n    ```shell\n    kfutil stores import generate-template --store-type-name RFKDB --outpath RFKDB.csv\n    ```\n2. **Populate the generated CSV file**\n\n    Open the CSV file, and reference the table below to populate parameters for each **Attribute**.\n\n   | Attribute | Description |\n   | --------- | ----------- |\n   | Category | Select \"RFKDB\" or the customized certificate store name from the previous step. |\n   | Container | Optional container to associate certificate store with. |\n   | Client Machine | The Client Machine field should contain the DNS name or IP address of the remote orchestrated server for Linux orchestrated servers, formatted as a URL (protocol://dns-or-ip:port) for Windows orchestrated servers, or '1.1.1.1|LocalMachine' for local agents. Example: 'https://myserver.mydomain.com:5986' or '1.1.1.1|LocalMachine' for local access. |\n   | Store Path | The Store Path field should contain the full path and file name, including file extension if applicable, beginning with a forward slash (/) for Linux orchestrated servers or a drive letter (i.e., c:\\folder\\path\\storename.kdb) for Windows orchestrated servers. Example: '/folder/path/storename.kdb' or 'c:\\folder\\path\\storename.kdb'. |\n   | Store Password | Password used to secure the Certificate Store |\n   | Orchestrator | Select an approved orchestrator capable of managing `RFKDB` certificates. Specifically, one with the `RFKDB` capability. |\n   | Properties.ServerUsername | A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value* |\n   | Properties.ServerPassword | A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. 
If acting as an *agent* using local file access, just check *No Value* |\n   | Properties.LinuxFilePermissionsOnStoreCreation | The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'.  Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting. |\n   | Properties.LinuxFileOwnerOnStoreCreation | The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'.  Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting. |\n   | Properties.SudoImpersonatingUser | The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'.  Overrides [config.json](#post-installation) DefaultSudoImpersonatedUser setting. |\n   | Properties.RemoveRootCertificate | Remove root certificate from chain when adding/renewing a certificate in a store. |\n   | Properties.IncludePortInSPN | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. |\n   | Properties.SSHPort | Integer value representing the port that should be used when connecting to Linux servers over SSH.  Overrides SSHPort [config.json](#post-installation) setting. |\n   | Properties.UseShellCommands | Recommended to be set to the default value of 'Y'.  For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting) |\n\n3. 
**Import the CSV file to create the certificate stores**\n\n    ```shell\n    kfutil stores import csv --store-type-name RFKDB --file RFKDB.csv\n    ```\n\n\u003c/details\u003e\n\n\n#### PAM Provider Eligible Fields\n\u003cdetails\u003e\u003csummary\u003eAttributes eligible for retrieval by a PAM Provider on the Universal Orchestrator\u003c/summary\u003e\n\nIf a PAM provider was installed _on the Universal Orchestrator_ in the [Installation](#Installation) section, the following parameters can be configured for retrieval _on the Universal Orchestrator_.\n\n   | Attribute | Description |\n   | --------- | ----------- |\n   | ServerUsername | A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value* |\n   | ServerPassword | A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check *No Value* |\n   | StorePassword | Password used to secure the Certificate Store |\n\nPlease refer to the **Universal Orchestrator (remote)** usage section ([PAM providers on the Keyfactor Integration Catalog](https://keyfactor.github.io/integrations-catalog/content/pam)) for your selected PAM provider for instructions on how to load attributes orchestrator-side.\n\u003e Any secret can be rendered by a PAM provider _installed on the Keyfactor Command server_. 
The above parameters are specific to attributes that can be fetched by an installed PAM provider running on the Universal Orchestrator server itself.\n\n\u003c/details\u003e\n\n\n\u003e The content in this section can be supplemented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store).\n\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003eRFORA (RFORA)\u003c/summary\u003e\n\n\n### Store Creation\n\n#### Manually with the Command UI\n\n\u003cdetails\u003e\u003csummary\u003eClick to expand details\u003c/summary\u003e\n\n1. **Navigate to the _Certificate Stores_ page in Keyfactor Command.**\n\n    Log into Keyfactor Command, toggle the _Locations_ dropdown, and click _Certificate Stores_.\n\n2. **Add a Certificate Store.**\n\n    Click the Add button to add a new Certificate Store. Use the table below to populate the **Attributes** in the **Add** form.\n\n   | Attribute | Description                                             |\n   | --------- |---------------------------------------------------------|\n   | Category | Select \"RFORA\" or the customized certificate store name from the previous step. |\n   | Container | Optional container to associate certificate store with. |\n   | Client Machine | The Client Machine field should contain the DNS name or IP address of the remote orchestrated server for Linux orchestrated servers, formatted as a URL (protocol://dns-or-ip:port) for Windows orchestrated servers, or '1.1.1.1|LocalMachine' for local agents. Example: 'https://myserver.mydomain.com:5986' or '1.1.1.1|LocalMachine' for local access. |\n   | Store Path | The Store Path field should contain the full path and file name of the Oracle Wallet, including the 'eWallet.p12' file name by convention. Example: '/path/to/eWallet.p12' or 'c:\\path\\to\\eWallet.p12'. 
|\n   | Store Password | Password used to secure the Certificate Store |\n   | Orchestrator | Select an approved orchestrator capable of managing `RFORA` certificates. Specifically, one with the `RFORA` capability. |\n   | ServerUsername | A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value* |\n   | ServerPassword | A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check *No Value* |\n   | LinuxFilePermissionsOnStoreCreation | The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'.  Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting. |\n   | LinuxFileOwnerOnStoreCreation | The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'.  Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting. |\n   | SudoImpersonatingUser | The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'.  Overrides [config.json](#post-installation) DefaultSudoImpersonatedUser setting. |\n   | WorkFolder | The WorkFolder field should contain the path on the managed server where temporary work files can be created, modified, and deleted during Inventory and Management jobs. Example: '/path/to/workfolder'. 
|\n   | RemoveRootCertificate | Remove root certificate from chain when adding/renewing a certificate in a store. |\n   | IncludePortInSPN | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. |\n   | SSHPort | Integer value representing the port that should be used when connecting to Linux servers over SSH.  Overrides SSHPort [config.json](#post-installation) setting. |\n   | UseShellCommands | Recommended to be set to the default value of 'Y'.  For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting) |\n\n\u003c/details\u003e\n\n\n\n#### Using kfutil CLI\n\n\u003cdetails\u003e\u003csummary\u003eClick to expand details\u003c/summary\u003e\n\n1. **Generate a CSV template for the RFORA certificate store**\n\n    ```shell\n    kfutil stores import generate-template --store-type-name RFORA --outpath RFORA.csv\n    ```\n2. **Populate the generated CSV file**\n\n    Open the CSV file, and reference the table below to populate parameters for each **Attribute**.\n\n   | Attribute | Description |\n   | --------- | ----------- |\n   | Category | Select \"RFORA\" or the customized certificate store name from the previous step. |\n   | Container | Optional container to associate certificate store with. |\n   | Client Machine | The Client Machine field should contain the DNS name or IP address of the remote orchestrated server for Linux orchestrated servers, formatted as a URL (protocol://dns-or-ip:port) for Windows orchestrated servers, or '1.1.1.1|LocalMachine' for local agents. Example: 'https://myserver.mydomain.com:5986' or '1.1.1.1|LocalMachine' for local access. |\n   | Store Path | The Store Path field should contain the full path and file name of the Oracle Wallet, including the 'eWallet.p12' file name by convention. Example: '/path/to/eWallet.p12' or 'c:\\path\\to\\eWallet.p12'. 
|\n   | Store Password | Password used to secure the Certificate Store |\n   | Orchestrator | Select an approved orchestrator capable of managing `RFORA` certificates. Specifically, one with the `RFORA` capability. |\n   | Properties.ServerUsername | A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value* |\n   | Properties.ServerPassword | A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check *No Value* |\n   | Properties.LinuxFilePermissionsOnStoreCreation | The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'.  Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting. |\n   | Properties.LinuxFileOwnerOnStoreCreation | The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'.  Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting. |\n   | Properties.SudoImpersonatingUser | The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'.  Overrides [config.json](#post-installation) DefaultSudoImpersonatedUser setting. |\n   | Properties.WorkFolder | The WorkFolder field should contain the path on the managed server where temporary work files can be created, modified, and deleted during Inventory and Management jobs. Example: '/path/to/workfolder'. 
|\n   | Properties.RemoveRootCertificate | Remove root certificate from chain when adding/renewing a certificate in a store. |\n   | Properties.IncludePortInSPN | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. |\n   | Properties.SSHPort | Integer value representing the port that should be used when connecting to Linux servers over SSH.  Overrides SSHPort [config.json](#post-installation) setting. |\n   | Properties.UseShellCommands | Recommended to be set to the default value of 'Y'.  For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting) |\n\n3. **Import the CSV file to create the certificate stores**\n\n    ```shell\n    kfutil stores import csv --store-type-name RFORA --file RFORA.csv\n    ```\n\n\u003c/details\u003e\n\n\n#### PAM Provider Eligible Fields\n\u003cdetails\u003e\u003csummary\u003eAttributes eligible for retrieval by a PAM Provider on the Universal Orchestrator\u003c/summary\u003e\n\nIf a PAM provider was installed _on the Universal Orchestrator_ in the [Installation](#Installation) section, the following parameters can be configured for retrieval _on the Universal Orchestrator_.\n\n   | Attribute | Description |\n   | --------- | ----------- |\n   | ServerUsername | A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value* |\n   | ServerPassword | A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. 
If acting as an *agent* using local file access, just check *No Value* |\n   | StorePassword | Password used to secure the Certificate Store |\n\nPlease refer to the **Universal Orchestrator (remote)** usage section ([PAM providers on the Keyfactor Integration Catalog](https://keyfactor.github.io/integrations-catalog/content/pam)) for your selected PAM provider for instructions on how to load attributes orchestrator-side.\n\u003e Any secret can be rendered by a PAM provider _installed on the Keyfactor Command server_. The above parameters are specific to attributes that can be fetched by an installed PAM provider running on the Universal Orchestrator server itself.\n\n\u003c/details\u003e\n\n\n\u003e The content in this section can be supplemented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store).\n\n\n\u003c/details\u003e\n\n## Discovering Certificate Stores with the Discovery Job\nWhen scheduling discovery jobs in Keyfactor Command, there are a few fields that are important to highlight here:\n\n| Field                    | Description                                                                                                                                                                                                                                                                                                                                           |\n|--------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| Client Machine           | The IP address or DNS of the server hosting the certificate store. 
For more information, see [Client Machine](#client-machine-instructions)                                                                                                                                                                                                           |\n| Server Username/Password | A username and password (or valid PAM key if the username and/or password is stored in a KF Command configured PAM integration). The password can be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check `No Value` for the username and password. |\n| Directories to Search    | Enter one or more comma delimited file paths to search. A special value `fullscan` can be used on Windows orchestrated servers to search all available drive letters at the root and recursively search all of them for files matching the other search criteria.                                                                                     |\n| Extensions               | Enter one or more comma delimited extensions to search for. A reserved value of `noext` can be used to search for files without an extension. This can be combined with other extensions (e.g., pem,jks,noext will find files with .pem and .jks extensions, as well as files with no extension).                                                     
|\n\nPlease refer to the Keyfactor Command Reference Guide for complete information on creating certificate stores and\nscheduling discovery jobs in Keyfactor Command.\n\n## Client Machine Instructions\n\nWhen creating a Certificate Store or scheduling a Discovery Job, you will be asked to provide a `Client Machine`.\n\n### Linux\n\nFor Linux orchestrated servers, `Client Machine` should be the DNS name or IP address of the remote orchestrated server.\n\n### Windows\n\nFor Windows orchestrated servers, it should be the following URL format: `protocol://dns-or-ip:port`.\n\n| Component   | Description                               | Common Value                  |\n|-------------|-------------------------------------------|-------------------------------|\n| `protocol`  | Protocol used by your WinRM configuration | http or https                 |\n| `dns-or-ip` | DNS name or IP address of the server      | domain name or IP address     |\n| `port`      | Port WinRM is running under               | 5985 for http, 5986 for https |\n\nExample: https://myserver.mydomain.com:5986\n\n### Localhost\n\nFor agent mode (accessing stores on the same server where Universal Orchestrator Services is running):\n\n1. Add `|LocalMachine` to the Client Machine value to bypass SSH/WinRM and access the local file system directly\n    - Examples: `1.1.1.1|LocalMachine`, `hostname|LocalMachine`\n    - The value to the left of the pipe `|` will not be used for connectivity but will be used as part of the\n      Certificate Store definition in Keyfactor Command\n\n2. 
Important considerations:\n    - `Store Type` + `Client Machine` + `Store Path` must be unique in Keyfactor Command\n    - Best practice: Use the full DNS or IP Address to the left of the `|` character\n\n## Use Shell Commands Setting\n\nThe Use Shell Commands Setting (set at the orchestrator level in config.json and overridable per store as a custom field value)\ndetermines whether or not Linux shell commands will be used when managing certificate stores on Linux-based servers.\nThis is useful for environments where shell access is limited or not allowed at all.  In those scenarios, setting this value to 'N'\nwill substitute SFTP commands for certain specific Linux shell commands.  The following restrictions will be in place when\nusing RemoteFile in this mode:\n1. The config.json option SeparateUploadFilePath must NOT be used (option missing from the config.json file or set to empty) for shell\ncommands to be suppressed for all use cases.\n2. The config.json and custom field options DefaultLinuxPermissionsOnStoreCreation, DefaultOwnerOnStoreCreation,\nLinuxFilePermissionsOnStoreCreation, and LinuxFileOwnerOnStoreCreation are not supported and will be ignored.  As a result, file\npermissions and ownership when creating certificate stores will be based on the user assigned to the Command certificate store and\nother Linux environmental settings.\n3. Discovery jobs are excluded and will still use the `find` shell command.\n4. A rare issue exists where the user id assigned to a certificate store has an expired password, causing the orchestrator to hang\nwhen attempting an SCP/SFTP connection.  A modification was added to RemoteFile to check for this condition.  Running RemoteFile\nwith Use Shell Commands = N will cause this validation check to NOT occur.\n5. Both RFORA and RFKDB use proprietary CLI commands in order to manage their respective certificate stores.  These commands\nwill still be executed even when Use Shell Commands is set to N.\n6. 
If executing in local mode ('|LocalMachine' at the end of your client machine name for your certificate store), Use Shell\nCommands = 'N' will have no effect.  Shell commands will continue to be used because there will be no SSH connection\navailable from which to execute SFTP commands.\n\n## Developer Notes\n\nThe Remote File Orchestrator Extension is designed to be highly extensible, enabling its use with various file-based\ncertificate stores beyond the specific implementations currently referenced above. The advantage to extending this\nintegration rather than creating a new one is that the configuration, remoting, and Inventory/Management/Discovery logic\nis already written. The developer needs only to implement a few classes and write code to convert the desired file-based\nstore to a common format. This section describes the steps necessary to add additional store/file types. Please\nnote that familiarity with the [.Net Core BouncyCastle cryptography library](https://github.com/bcgit/bc-csharp) is a\nprerequisite for adding additional supported file/store types.\n\nSteps to create a new supported file-based certificate store type:\n\n1. Clone this repository from GitHub\n2. Open the .net core solution in the IDE of your choice\n3. Under the ImplementationStoreTypes folder, create a new folder named for the new certificate store type\n4. Create a new class (with namespace of Keyfactor.Extensions.Orchestrator.RemoteFile.{NewType}) in the new folder that\n   will implement ICertificateStoreSerializer. By convention, {StoreTypeName}CertificateSerializer would be a good\n   choice for the class name. This interface requires you to implement three methods:\n    - `DesrializeRemoteCertificateStore` - This method takes in a byte array containing the contents of the file-based store\n      you are managing. 
The developer will need to convert that to an Org.BouncyCastle.Pkcs.Pkcs12Store class and return\n      it.\n    - `SerializeRemoteCertificateStore` - This method takes in an Org.BouncyCastle.Pkcs.Pkcs12Store and converts it to a\n      collection of custom file representations.\n    - `GetPrivateKeyPath` - This method returns the location of the external private key file for single certificate\n      stores. This is only used for `RFPEM`, and all other implementations return `NULL` for this method. If this\n      is not applicable to your implementation, just return a `NULL` value for this method.\n5. Create an `Inventory.cs` class (with namespace of `Keyfactor.Extensions.Orchestrator.RemoteFile.{NewType}`) under the new\n   folder and have it inherit `InventoryBase`. Override the internal `GetCertificateStoreSerializer()` method with a one-line implementation returning a new instantiation of the class created in step 4.\n6. Create a `Management.cs` class (with namespace of `Keyfactor.Extensions.Orchestrator.RemoteFile.{NewType}`) under the new\n   folder and have it inherit `ManagementBase`. Override the internal `GetCertificateStoreSerializer()` method with a one-line implementation returning a new instantiation of the class created in step 4.\n7. Modify the manifest.json file to add three new sections (for Inventory, Management, and Discovery). Make sure for\n   each, the `NewType` in Certstores.{NewType}.{Operation}, matches what you will use for the certificate store type\n   short name in Keyfactor Command. On the `TypeFullName` line for all three sections, make sure the namespace matches\n   what you used for your new classes. Note that the namespace for Discovery uses a common class for all supported\n   types. Discovery is a common implementation for all supported store types.\n8. 
Modify the integration-manifest.json file to add the new store type under the store_types element.\n\n\n## License\n\nApache License 2.0, see [LICENSE](LICENSE).\n\n## Related Integrations\n\nSee all [Keyfactor Universal Orchestrator extensions](https://github.com/orgs/Keyfactor/repositories?q=orchestrator).","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkeyfactor%2Fremote-file-orchestrator","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkeyfactor%2Fremote-file-orchestrator","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkeyfactor%2Fremote-file-orchestrator/lists"}