API Change Log v25.1.1

API changes for this release of Keyfactor Command.

Table 1026: API Change Log v25.1.1

Endpoint Methods Action Notes
/CertificateAuthority GET, POST, PUT Updated The UseForEnrollment parameter has been added. The AllowedRequesters, AllowedEnrollmentTypes, and UseAllowedRequesters parameters are now used only for standalone CAs.
/CertificateAuthority/{id} GET Updated The UseForEnrollment parameter has been added. The AllowedRequesters, AllowedEnrollmentTypes, and UseAllowedRequesters parameters are now used only for standalone CAs.
/CertificateCollections/{id}/Favorite PUT Fixed Requests with a nonexistent collection id no longer generate a success response.
/Certificates GET Updated
  • The following new query parsers have been added: AltKeyAlgorithm, CertificateAuthorityId, KeyAlgorithm, and TemplateId

  • Includes KeyAlgorithm (OID string) and AltKeyAlgorithm (OID string) in the response.

  • EnrollmentPatternID is an available parameter.

  • The return limit of 2100 has been changed so there is no defined limit now.

Note: Using Keyfactor API Reference and Utility with a large return limit (>500) may not succeed due to browser response size limitations.
/Certificates/{id} GET Updated
  • Includes KeyAlgorithm (OID string) and AltKeyAlgorithm (OID string) in the response.

  • EnrollmentPatternID is an available parameter.

/Certificates/Metadata PUT Fixed Updating a metadata field with this endpoint no longer requires users to refresh the certificate search page in the Management Portal if they had it open when the metadata field was updated.
/Certificates/PrivateKey/{id} DELETE Fixed Requests with an invalid certificate ID in the ids parameter no longer result in a 500 error.
/Certificates/RevokeAll POST Fixed Requests with an invalid collectionId parameter no longer result in a 500 error.
/CertificateStore POST, PUT, GET Fixed The SetNewPasswordAllowed parameter is now based on whether the store requires a password AND whether the user has modify permissions on that store within Keyfactor Command.
/CertificateStores GET Updated The new query parameter ODKGSupported filters stores that support reenrollment/ODKG.
/CertificateStores/Reenrollment POST Fixed & Updated
  • Includes optional fields for SANs, metadata, owner role, and additional enrollment fields.

  • The endpoint now correctly honors the CA Use for Enrollment flag.

  • EnrollmentPatternID is an available parameter. If this value is not provided, the default enrollment pattern defined for the template provided in the request (see the Template parameter) will be used, if applicable.

/CSRGeneration/Generate POST Fixed
  • The Allow Wildcards flag in enrollment pattern policies is now correctly honored when generating a CSR.

  • EnrollmentPatternID is an available parameter. If this value is not provided, the default enrollment pattern defined for the template provided in the request (see the Template parameter) will be used, if applicable.

/Enrollment/PFX POST Updated EnrollmentPatternID is a required parameter. If this value is not provided, the default enrollment pattern defined for the template provided in the request (see the Template parameter) will be used.
/Enrollment/Renew POST Updated EnrollmentPatternID is a required parameter. If this value is not provided, the default enrollment pattern defined for the template provided in the request (see the Template parameter) will be used.
/Enrollment/CSR POST Updated EnrollmentPatternID is a required parameter. If this value is not provided, the default enrollment pattern defined for the template provided in the request (see the Template parameter) will be used.
/Enrollment/PFX POST Updated One of either the Template or the EnrollmentPatternId is required unless the enrollment is being done against a standalone CA. If this value is not provided, the default enrollment pattern defined for the template provided in the request (see the Template parameter) will be used.
/Enrollment/Renew POST Updated One of either the Template or the EnrollmentPatternId is required unless the enrollment is being done against a standalone CA. If this value is not provided, the default enrollment pattern defined for the template provided in the request (see the Template parameter) will be used.
/EnrollmentPatterns POST, GET Added New endpoints for managing enrollment patterns.
/EnrollmentPatterns POST, PUT Fixed The endpoints no longer accept requests with invalid values in the SubjectPart key for the Defaults parameter.
/EnrollmentPatterns/{id} GET, PUT, DELETE Added New endpoints for managing enrollment patterns.
/EnrollmentPatterns/{id}/Metadata GET Added New endpoints for managing enrollment patterns.
/EnrollmentPatterns/{id}/Settings GET Added New endpoints for managing enrollment patterns.
/EnrollmentPatterns/Settings GET, PUT Added New endpoints for managing enrollment patterns.
/EnrollmentPatterns/SubjectParts GET Added New endpoints for managing enrollment patterns.
/IdentityProviders POST Fixed The default value for the Timeout parameter is now 60 instead of 0.
/IdentityProviders GET Fixed Secret values now show a series of asterisks to indicate that the value is set, if applicable, rather than a null field.
/IdentityProviders/{id} GET Fixed Secret values now show a series of asterisks to indicate that the value is set, if applicable, rather than a null field.
/SMTP GET, PUT Updated The GET and PUT SMTP API endpoints have migrated to Version 2. Version 1 GET and PUT are deprecated for 25.1. If the RelayUsername is configured to use a PAM secret, the Version 1 GET and POST response will return UnsupportedPAMSecret as the value for RelayUsername because PAM secret is only available in Version 2 of the endpoints.
/Templates GET, PUT Info

The following parameters in this endpoint have been deprecated and may be removed in a future release:

  • AllowedEnrollmentTypes

  • AllowedRequesters

  • EnrollmentFields

  • FriendlyName

  • MetadataFields

  • RFCEnforcement

  • TemplateDefaults

  • TemplatePolicy

  • TemplateRegexes

  • UseAllowedRequesters

/Templates/{id} GET Info

The following parameters in this endpoint have been deprecated and may be removed in a future release:

  • AllowedEnrollmentTypes

  • AllowedRequesters

  • EnrollmentFields

  • FriendlyName

  • MetadataFields

  • RFCEnforcement

  • TemplateDefaults

  • TemplatePolicy

  • TemplateRegexes

  • UseAllowedRequesters

/Templates/Settings GET, PUT Info These endpoints have been deprecated and may be removed in a future release.
/Templates/Settings/SubjectParts GET Info This endpoint has been deprecated and may be removed in a future release.
/Workflow/Definitions/{definitionId} PUT, GET Updated The PushToCertStore parameter has been added for the ExpirationRenewal step type.
/Workflow/Definitions/{definitionid}/Steps PUT Fixed & Updated
  • The default value of the PushToCertStore configuration parameter of the ExpirationRenewal workflow step type now correctly sets to a Boolean true rather than a string “true”.

  • The PushToCertStore parameter has been added for the ExpirationRenewal step type.

/Workflow/Definitions/{definitionId}/Steps PUT Updated