API Change Log v25.2

APIClosed An API is a set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command. changes for this release of Keyfactor Command.

Table 1028: API Change Log v25.2

Endpoint Methods Action Notes
/Certificates/{id} GET Updated ContainerId parameter has been added to support providing authorization via certificate store container level permissions.
/Certificates/{id}/History GET Updated ContainerId parameter has been added to support providing authorization via certificate store container level permissions.
/Certificates/{id}/Owner PUT Updated ContainerId parameter has been added to support providing authorization via certificate store container level permissions.
/Certificates/{id}/Validate GET Updated ContainerId parameter has been added to support providing authorization via certificate store container level permissions.
/Certificates/Download POST Updated ContainerId parameter has been added to support providing authorization via certificate store container level permissions.
/Certificates/Locations/{id} GET Updated ContainerId parameter has been added to support providing authorization via certificate store container level permissions.
/Certificates/Metadata PUT Updated ContainerId parameter has been added to support providing authorization via certificate store container level permissions.
/Certificates/Recover POST Updated ContainerId parameter has been added to support providing authorization via certificate store container level permissions.
/Certificates/Revoke POST Updated ContainerId parameter has been added to support providing authorization via certificate store container level permissions.
/CertificateStores/Containers GET, POST, PUT Deprecated GET /CertificateStoreContainers has the same functionality with paging support.
/CertificateStoresTypes GET, POST, PUT Updated

The parameter ValidationOptions has been added for both Properties and EntryParameters:

  • EntryParameters: Options (optional/required/hidden) when adding or removing a certificate from a certificate store or initiating on-device key generation for the certificate store.

  • Properties: Options (optional/required/hidden) on the certificate store dialog while adding or editing a certificate store or approving a discovered certificate store.
/CertificateStoresTypes/{id} GET Updated

The parameter ValidationOptions has been added for both Properties and EntryParameters:

  • EntryParameters: Options (optional/required/hidden) when adding or removing a certificate from a certificate store or initiating on-device key generation for the certificate store.

  • Properties: Options (optional/required/hidden) on the certificate store dialog while adding or editing a certificate store or approving a discovered certificate store.
/CertificateStoreTypes/Name/{name} GET Updated

The parameter ValidationOptions has been added for both Properties and EntryParameters:

  • EntryParameters: Options (optional/required/hidden) when adding or removing a certificate from a certificate store or initiating on-device key generation for the certificate store.

  • Properties: Options (optional/required/hidden) on the certificate store dialog while adding or editing a certificate store or approving a discovered certificate store.
/CSRGeneration/Generate POST Updated Supports generation of CSRs with a primary ML-DSA key.
/Enrollment/AvailableRenewal/{id} GET Updated

The endpoints did not set the PFXRenewal flag if the OneClickRenewal flag was set. That error has been addressed in version 25.2, resulting in a potential change in the returned value. The The new enum values are:

  • None = 0

  • SeededPFXEnroll = 1

  • OneClick = 2

  • SeededCSREnroll = 4

    And when multiple are available the enum values are summed (for example both SeededPFX and OneClick but not SeededCSR would be 3 and all renewal types would be 7).

Permissions have also changed on the endpoint. Previously only CertificateEnrollment_EnrollPFX was required. Now, either CertificateEnrollment_EnrollPFX or CertificateEnrollment_EnrollCSR are can use the endpoint.

This endpoint is used to set the renew options in the UI from the certificate search page.
/Enrollment/CSR POST Updated

  • Supports generation of certificates with a primary ML-DSA key.

  • There are also two new optional parameters RenewalCert & RenewalCertificateCollectionId which were added to the POST /Enrollment/CSR endpoint for renewals.
/Enrollment/PFX v2 POST Updated Supports generation of certificates with a primary ML-DSA key.
/Enrollment/PFX v2 POST Updated Parameters AlternativeKeyType and AlternativeKeyLength have been added to support enrollment for hybrid certificates.
/Enrollment/Settings/{id} GET Updated KeyInfo under TemplatePolicy now includes MLDSA44, MLDSA65, and MLDSA87 parameters.
/EnrollmentPatterns GET, POST Updated

  • KeyInfo under Policies now includes MLDSA44, MLDSA65, and MLDSA87 parameters.

  • Policies now includes PrimaryKeyAlgorithm and AlternativeKeyAlgorithm parameters. These take precedence over the KeyInfo under Policies, which has been deprecated.
/EnrollmentPatterns/{id} GET, PUT Updated

  • KeyInfo under Policies now includes MLDSA44, MLDSA65, and MLDSA87 parameters.

  • Policies now includes PrimaryKeyAlgorithm and AlternativeKeyAlgorithm parameters. These take precedence over the KeyInfo under Policies, which has been deprecated.
/EnrollmentPatterns/{id}/Settings GET Updated KeyInfo under Policies now includes MLDSA44, MLDSA65, and MLDSA87 parameters.
/EnrollmentPatterns/Settings PUT, GET Updated KeyInfo under Policies now includes MLDSA44, MLDSA65, and MLDSA87 parameters.
/PermissionSets/My GET Updated Now includes security roles associated with the resultant permission set (to support the expanded change owner permission).
/Templates PUT Updated

  • The KeyAlgorithms parameter now includes PrimaryKeyAlgorithm and AlternativeKeyAlgorithm parameters. These take precedence over the KeyInfo under KeyAlgorithms, which has been deprecated.

  • KeyInfo under TemplatePolicy now includes MLDSA44, MLDSA65, and MLDSA87 parameters.

  • TemplatePolicy now includes PrimaryKeyAlgorithm and AlternativeKeyAlgorithm parameters. These take precedence over the KeyInfo under TemplatePolicy, which has been deprecated.
/Templates/{id} GET Updated

  • The KeyAlgorithms parameter now includes PrimaryKeyAlgorithm and AlternativeKeyAlgorithm parameters. These take precedence over the KeyInfo under KeyAlgorithms, which has been deprecated.

  • KeyInfo under TemplatePolicy now includes MLDSA44, MLDSA65, and MLDSA87 parameters.

  • TemplatePolicy now includes PrimaryKeyAlgorithm and AlternativeKeyAlgorithm parameters. These take precedence over the KeyInfo under TemplatePolicy, which has been deprecated.
/Templates/Settings PUT, GET Updated KeyInfo under TemplatePolicy now includes MLDSA44, MLDSA65, and MLDSA87 parameters.
Enrollment/AvailableRenewal/Thumbprint/{thumbprint} GET Updated

The endpoints did not set the PFXRenewal flag if the OneClickRenewal flag was set. That error has been addressed in version 25.2, resulting in a potential change in the returned value. The new enum values are:

  • None = 0

  • SeededPFXEnroll = 1

  • OneClick = 2

  • SeededCSREnroll = 4

    And when multiple are available the enum values are summed (for example both SeededPFX and OneClick but not SeededCSR would be 3 and all renewal types would be 7).

Permissions have also changed on the endpoint. Previously only CertificateEnrollment_EnrollPFX was required. Now, either CertificateEnrollment_EnrollPFX or CertificateEnrollment_EnrollCSR can use the endpoint.