Today, we’re excited to announce our latest update to the Keyfactor platform.
Keyfactor 8 is packed with powerful new features and improvements, including a comprehensive UI/UX refresh, SSH key management, Swagger API, and new capabilities to better manage and control access to your CAs.
Here’s a quick breakdown of what’s new:
- Now you’re able to manage even more of your cryptographic landscape with the release of the SSH Key Manager, available as an add-on for Keyfactor Command
- As we improve authentication beyond Active Directory (AD), we’ve added the ability to connect to CAs with different (non-AD) authentication methods
- A new Swagger UI utility makes it easier for users to test and deploy API calls in their environment
- Several UI updates improve the overall user experience and bring direct feedback from our customers into their day-to-day workflow
So, we’ve covered the basics, let’s get into each feature.
SSH Key Management
SSH keys provide some of the highest levels of access in an organization’s infrastructure, yet they’re often overlooked by security teams. Admins come and go, keys don’t expire, and without any control, most companies wind up with thousands of unmanaged and vulnerable keys in their network.
Our new module, SSH Key Manager, gives security and network teams a simple, centralized solution to discover and manage SSH keys across their server and cloud infrastructure.
Here’s a quick demo preview of the new module:
The SSH Key Manager allows you to:
- Discover: Inventory SSH public keys across your servers and cloud infrastructure using the Bash Orchestrator
- Analyze: Review your key inventory to detect and remediate things like unauthorized root access, stale keys, and keys that belong to users that should no longer have access
- Rotate: Configure automated key rotation alerts and enable self-service key generation and rotation by SSH users
- Automate: Keep DevOps and admin teams moving with automated key deployment, which can be baked in to the server provisioning process in highly automated cloud environments
- Report: Generate reports to keep an eye on user and service account keys in your environment, including their lifecycle, access, and trust relationships
In this release, we focused heavily on delivering a refreshed user interface based on feedback directly from our customers. Below are just a few of the updates we’re bringing to the refreshed UI:
Now you can jump to documentation directly from the Keyfactor console. No need to look up a separate portal to remember how to change the default password length for a PFX enrollment, for example.
Updates to widget / grids make them more re-sizeable and sortable. They also include simple fixes to make your life easier, like multi-select (instead of CTRL + click).
We’ve added more basic / advanced tab options for things like CA configuration and application settings to hide the lesser-used features and simplify navigation.
We’ve introduced a much simpler way to search and manage certificate stores, moving from a tree-based file structure to a searchable interface.
Enhanced CA Authorization
Users now have the ability to connect to CAs in untrusted forests and login to Keyfactor from an untrusted forest to the forest where Keyfactor resides.
Previously, a delegated user in AD was required for permissions to enroll or inventory. Now we can request permission to enroll via a service account—and that service account doesn’t have to live in the forest Keyfactor is in. We can talk to any other Microsoft CA using these credentials without requiring trust.
Of course, we will not stop trusting our first inner circle of CAs, but we are expanding out to find new ones to allow for greater flexibility, smaller footprint (server-wise), and more secure (less need for trusts across forests) deployments, due to easier and more flexible authentication.
Additionally, we can now limit who can enroll for certificates from any CA (Microsoft or otherwise) by assigning specific Keyfactor Security Roles to be allowed permission to request certificates from the CA.
We’re not stopping there. We have plans to meet even more authentication methods and will provide news as it becomes available.
Since we’ve moved away from ADCS (Microsoft CA) as basis for permission to enroll for certificates, we can also enable enrollment permissions on a template by template basis within Keyfactor.
It’s no longer necessary to define individual user permissions at the CA level. Keyfactor Security Roles can be defined to restrict who can request certificates per template. This makes it much easier to control who can enroll for what, without reliance on AD.
In Keyfactor 8, we’ve introduced a new Swagger UI utility that allows users to visualize and interact with the Keyfactor API without any implementation logic in place. Not only is this easy to access directly from the application, it also makes it much easier to test API calls.
Our simplified API utility and documentation provides descriptions of all API calls and a “try it out” feature to give the API a spin without having to write your own code.
Save your seat at the upcoming Keyfactor Critical Trust Virtual Summit to hear from our team about the latest product updates, industry trends, and best practices to drive crypto-agility.