Join Keyfactor at RSA Conference™ 2024    |    May 6 – 9th    | Learn More

What’s New in Keyfactor 9

Tech Updates

Keyfactor 9 – now generally available – marks a major milestone for PKI and machine identity management in today’s complex hybrid and multi-cloud and environments. Find out what’s new in our latest release below.

What's new in this release?

Today, we are pleased to announce the general availability of Keyfactor 9bringing more flexibility and an improved user experiences to the Keyfactor Command platform.  

Here we’ll take a look at the following key features and improvements: 

  • UI/UX Improvements: Several updates to UI to improve overall user experience for new and experienced users alike. 
  • Remote CA Gateway: A new patent-pending technology that connects on-premise private CAs to the Keyfactor Cloud to remotely enroll, issue, renew and revoke certificates. 
  • Universal Orchestrator: A new Keyfactor Orchestrator that can run on Windows and Linux, servers and containers, on-prem and in the cloud.
  • Template-level Metadata: Ability to define custom metadata fields on a per-template basis, rather than system-wide. 

Refreshed UI/UX

Keyfactor has made tremendous strides toward enhancing the console design and overall usability for our customers in Keyfactor 9. Beyond the obvious visual updates, there are several changes to the drop-downs, dialogues, and application settings to reduce clicks and make it even easier to manage your keys and certificates.

Watch the 3-minute video below for a quick overview of the new look and feel in Keyfactor 9. 

New Remote CA Gateway

In Keyfactor 9, we’re introducing a transformational new hybrid deployment model we call Certificate Lifecycle Automation as a Service (CLAaaS).

Keyfactor Command already offers the popular PKI as a Service (PKIaaS) to hundreds of customers large and small. However, some of our customers have specific policies or regulatory needs that require them to keep private PKI on-premise behind their firewall.

Certificate Lifecycle Management Deployment Models

Now with Keyfactor Command as a Service (aka CLAaaS), customers can run certificate automation in the cloud and integrate it directly with private certificate authorities (CAs) behind their firewall via the new Remote CA Gateway™.

The best part is that it only requires a single, outbound-only connection over port 443 back to the Keyfactor Cloud. It’s a win-win for security teams because they don’t need to reconfigure firewalls or set up a VPN connection.

Remote CA Gateway

Compare Keyfactor Command cloud, hybrid, and on-prem deployment options right here.

New Universal Orchestrator

Keyfactor Orchestrators are a powerful extension of the Keyfactor platform. Built on a modular, agentless architecture, orchestrators are the “worker bee” for Keyfactor Command, performing important tasks like SSL/TLS discovery, certificate store automation, CA management, and more, across highly distributed infrastructures.  

Keyfactor Orchestrators

Unlike the previous Windows Orchestrator, the new Universal Orchestrator can now run on both Windows and Linux, servers or containers, in the cloud or on-premise. 

This update gives customers much more flexibility to deploy agentless certificate discovery and lifecycle automation for key and certificate stores (e.g. IIS, F5, Netscaler, Azure Key Vault, etc.) across any environment. Just a single orchestrator instance can manage certificates across hundreds of devices and workloads.

Template-level Metadata

Keyfactor makes it easy for teams to tag and group certificates using custom metadata. It’s a really powerful feature to break down thousands or even millions of certificates into manageable groups that make sense for your business.

Before Keyfactor 9, administrators could define metadata fields system-wide. Now admins can apply settings to a metadata field on a per-template basis, so they can choose which fields are available for a certificate based on the template the requester selects during enrollment.


Many of our customers will be excited about this simple, yet powerful new feature, which gives them more granular control over certificate enrollment and streamlines the end-user experience for self-service requests.

Get started with Keyfactor 9

There are plenty more new features in Keyfactor 9 that we couldn’t possibly cover in one blog post. If you’re an existing customer, check out the release notes and documentation available on the customer portal to learn more.

New to Keyfactor? Request a demo of Keyfactor Command today to see how you can take control of every machine identity.