POST Enrollment Renew

The POST /EnrollmentClosed Certificate enrollment refers to the process by which a user requests a digital certificate. The user must submit the request to a certificate authority (CA)./Renew method is used to enroll for a certificate renewal for a certificate that exists in Keyfactor Command. This method returns HTTP 200 OK on a success with details of the new certificate. For certificates in a certificates store, this method does not automatically deploy the new certificate to the certificate store. In this case, the renew request should be followed by a call to either the POST /Enrollment/PFXClosed A PFX file (personal information exchange format), also known as a PKCS#12 archive, is a single, password-protected certificate archive that contains both the public and matching private key and, optionally, the certificate chain. It is a common format for Windows servers./Deploy method or POST /Enrollment/PFX/Replace method to deploy the new certificate to the certificate store.

Tip:  The following permissions (see Security Roles and Claims) are required to use this feature:

/certificates/collections/read/
OR
/certificates/collections/read/#/ (where # is a reference to a specific certificate collection ID—see CollectionID, below)
OR
/certificate_stores/read/
OR
/certificate_stores/read/#/ (where # is a reference to a specific certificate store container ID—see ContainerID, below)
AND
/certificates/enrollment/pfx/
AND
/certificate_stores/schedule/ (if the certificate is to be deployed to a certificate store)
OR
/certificate_stores/schedule/#/ (where # is a reference to the specific certificate store container, if the certificate is to be deployed to a certificate store—see ContainerID, below)

Permissions for certificates can be configured at multiple levels. You can apply them system-wide—for all certificates or all certificate stores—or use fine-grained control by assigning permissions at the certificate collectionClosed The certificate search function allows you to query the Keyfactor Command database for certificates from any available source based on any criteria of the certificates and save the results as a collection that will be availble in other places in the Management Portal (e.g. expiration alerts and certain reports). or certificate store container level. The appropriate level depends on how the certificates are accessed. See Certificate Collection Permissions and Container Permissions for more information about system-wide versus more targeted permission models.

Global or container-level schedule permissions for certificate stores are needed to install a certificate generated with this method into a certificate store using the POST /Enrollment/PFX/Deploy method (see POST Enrollment PFX Deploy) or POST /Enrollment/PFX/Replace method (see POST Enrollment PFX Replace).

Table 478: POST Enrollment Renew Input Parameters

Name In Description
CollectionId Query

An optional integer that specifies the certificate collection (CollectionId) to validate whether the user has sufficient permissions to perform the action. If a CollectionId is not provided, the user must have appropriate permissions granted system-wide or via certificate store containers.

Providing a CollectionId allows the system to check the user's permissions at the certificate collection level. Permissions are evaluated in the following order:

  1. System-wide certificate permissions
  2. Granular certificate permissions

Use either ContainerId or CollectionId, not both. If both are specified, CollectionId takes precedence, and the ContainerId is ignored (defaults to 0).

See Certificate Collection Permissions for more information.

ContainerId Query

An optional integer that specifies the certificate store container (ContainerId) to validate whether the user has sufficient permissions to perform the action. If a ContainerId is not provided, the user must have appropriate permissions granted system-wide or via certificate collections.

Providing a ContainerId allows the system to check the user's permissions at the container level. Permissions are evaluated in the following order:

  1. System-wide certificate store container permissions
  2. Granular certificate store container permissions

Use either ContainerId or CollectionId, not both. If both are specified, CollectionId takes precedence, and the ContainerId is ignored (defaults to 0).

See Container Permissions for more information.

CertificateAuthority Body

Required in some cases. A string that sets the name of the certificate authority that will be used to enroll against. The certificate authority name should be provided in hostname\\logical name format. For example:

corpca01.keyexample.com\\CorpIssuingCA1

This field is required if one-click renewal is not supported for the certificate (see GET Enrollment Available Renewal ID or GET Enrollment Available Renewal Thumbprint).

CertificateId Body

Required in some cases. The integer for the certificate in Keyfactor Command that needs to be renewed.

Either the CertificateId or the Thumbprint is required but not both.

Enrollment Pattern Id Body

Required in some cases. An integer indicating the enrollment pattern to use when renewing the certificate. If this value is not provided, the default enrollment pattern defined for the template provided in the request (see the Template parameter) will be used.

One of either the Template or the EnrollmentPatternId is required unless:

If both the Template and EnrollmentPatternId are provided, the settings from the enrollment pattern take precedence. If both are specified, the enrollment will fail if the Template does not match the one defined by the specified enrollment pattern.

Template Body

Required in some cases. A string that sets the name of the certificate template that should be used to issue the certificate. The template short name should be used. See also EnrollmentPatternId.

One of either the Template or the EnrollmentPatternId is required unless:

If both the Template and EnrollmentPatternId are provided, the settings from the enrollment pattern take precedence. If both are specified, the enrollment will fail if the Template does not match the one defined by the specified enrollment pattern.

Important:  The template must be configured with at least one enrollment pattern in order to be used for enrollment (see POST Enrollment Patterns).
Note:  This parameter is considered deprecated and may be removed in a future release.
Thumbprint Body

Required in some cases. The thumbprint for the certificate that needs to be renewed.

Either the CertificateId or the Thumbprint is required but not both.

Timestamp Body

Required. The current date and time. The date and time should be given using the ISO 8601 UTC time format YYYY-MM-DDTHH:mm:ss.000Z (e.g., 2023-11-19T16:23:01Z).

Table 479: POST Enrollment Renew Response Data

Name Description
DispositionMessage Enrollment message (e.g., The private key was successfully retained.).
IssuerDN Issuer DN of the certificate.
KeyfactorID ID of the certificate in Keyfactor Command.
KeyfactorRequestID ID of the request in Keyfactor Command.
Password A password generated for convenience for use on installation to a certificate store. This password may be used when deploying the certificate to a certificate store using the POST /Enrollment/Deploy method, though an alternate password may be used. The passwords do not need to match.
RequestDisposition State of the request (e.g., issued).
SerialNumber Serial number of the certificate.
Thumbprint Thumbprint of the certificate.
Tip:  See the Keyfactor API Reference and Utility which provides a utility through which the Keyfactor APIClosed An API is a set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command. endpoints can be called and results returned. It is intended to be used primarily for validation, testing and workflow development. It also serves secondarily as documentation for the API. The link to the Keyfactor API Reference and Utility is in the dropdown from the help icon () at the top of the Management Portal page next to the Log Out button.