Metadata Field Operations
To select a single row in the certificate metadata field grid, click to highlight it and then select an operation from either the top of the grid or the right-click menu. Metadata provides information about a piece of data. It is used to summarize basic information about data, which can make working with the data easier. In Keyfactor Command, the certificate metadata feature allows you to create custom metadata fields that allow you to tag certificates with tracking information.
Adding or Modifying a Metadata Field
To create a new metadata field or edit an existing one:
- In the Management Portal, browse to the System Settings Icon > Certificate Metadata.
- On the Certificate Metadata page, click Add to create a new metadata field, or, to edit an existing one, double-click the row in the metadata grid, right-click the row and choose Edit from the right-click menu, or highlight the row in the grid and click Edit at the top of the grid.
Figure 413: Certificate Metadata
- In the Metadata Edit dialog, enter a Name for your metadata field. This name appears in interfaces where you can use metadata, such as certificate details dialogs, alert dialogs, certificate imports and certificate requests. Once this field has a value associated with it for at least one certificate, you cannot change this name. The metadata name field cannot contain spaces; dashes and underscores are supported.
Important: Be sure to review the list of existing queryable certificate fields on the Certificate Search Page before adding a new metadata field, so you do not add a field of the same name or alias as an existing field. Doing so would cause a search or alert on that field to fail. For example, do not create a metadata field called NetBIOSRequester or its alias RequesterName, as this would match an existing certificate field, and having a metadata field with this name would create issues.
- Enter a Description for the metadata field. The description appears in a tool tip when users hover over the field name in places where metadata may be edited, such as CSR enrollment, PFX enrollment, and the certificate details metadata tab. A CSR, or certificate signing request, is a block of encoded text that is submitted to a CA when enrolling for a certificate. When you generate a CSR within Keyfactor Command, the matching private key for it is stored in Keyfactor Command in encrypted format and will be married with the certificate once returned from the CA. Certificate enrollment refers to the process by which a user requests a digital certificate. The user must submit the request to a certificate authority (CA). A PFX file (personal information exchange format), also known as a PKCS#12 archive, is a single, password-protected certificate archive that contains both the public and matching private key and, optionally, the certificate chain. It is a common format for Windows servers.
- The Enrollment Options provide three possible settings for the metadata field:
- Select the Optional radio button to allow users the option to either enter a value or not enter a value in the field when populating metadata fields.
- Select the Required radio button to force users to enter a value in the field when populating metadata fields. Required fields will be marked with *Required next to the field label on the Certificate Details dialog for a certificate and on the certificate enrollment pages.
- To hide the field on the enrollment pages (see Enrollment), select the Hidden radio button. Selecting the Hidden option does not hide the field in the certificate details (see Metadata Tab) or on the Add Certificate page (see Add Certificate).
- Enter a short hint in the Hint field to provide the user with a clue as to what type of data should be entered in the field. If a hint has been provided for a specific metadata field, it will display in parentheses to the right of the metadata label in the CSR enrollment, PFX enrollment, and the certificate details metadata tab pages.
- Select the Data Type for the field in the dropdown. The available field types are String (alphanumeric plus special characters), Integer (positive, negative or zero whole numbers), Date, Multiple Choice, Big Text, Email and Boolean (True/False). String fields support additional indexing, and so may be preferable for large databases where possible. The data type cannot be edited once the metadata field is saved.
The remaining fields on the dialog will vary depending on the data type selected. Table 81: Certificate Metadata Data Type Dialog Options shows the fields that appear based on the data type selected.
Table 81: Certificate Metadata Data Type Dialog Options
| Data Type | Character Limit | Hint | Default Value | RegEx Message | RegEx Validation | Options | Case-Sensitive Validation |
|---|---|---|---|---|---|---|---|
| String | 400 with indexing | | | | | | *Strings with RegEx Validation |
| Integer | 32-bit (about 10 characters) | | | | | | |
| Date | N/A | | | | | | |
| Boolean | N/A | | | | | | |
| Multiple Choice | 4,000 | | | | | | |
| Big Text | 4,000 | | | | | | |
| Email | 100 (for all entries) | | | | | | |

Table 82: Certificate Metadata Data Type Table Legend

| Symbol | Option Available? |
|---|---|
| | Yes |
| | No |

- To set a default value with which to pre-populate the metadata field for new certificate requests made using the Management Portal enrollment pages, enter the desired value in the Default Value box, or, for Boolean fields, select the desired radio button. The default value option appears for string, integer, Boolean and multiple choice fields.
- Enter a RegEx Message to display for string metadata fields with RegEx validation defined when the user's entry does not match the expected regular expression. A regular expression (RegEx) is a pattern used to validate data by ensuring it meets specific criteria. Several fields on the CSR enrollment, CSR generation, and PFX enrollment pages support RegEx validation, including certificate subject and metadata fields.
Tip: If you are using Case-Sensitive Validation for this field, it is recommended to add a reference to that in the message.
- For string fields, you can choose to enter a regular expression against which entered data will be validated in the RegEx Validation field. When a user enters information in a metadata field that does not match the specified regular expression, he or she will see the warning message specified in the RegEx Message field. The example regular expression shown in Figure 414: Create or Edit Certificate Metadata Field is:
^[A-Z][a-zA-Z'-]+\s((de|la|de la|van|von)\s)?[A-Z][a-zA-Z']+(-[A-Z][a-zA-Z'-]+)?(\s(Jr\.|Sr\.|I{1,3}))?$
This regular expression specifies that the data entered in the field must consist of:
- A first name, starting with an uppercase letter and optionally containing a hyphen or apostrophe. This is followed by a space.
- An optional lowercase prefix to the last name. The following prefixes are supported: de, la, de la, van, von. This is followed by a space.
- A last name starting with an uppercase letter and optionally containing a hyphen or apostrophe. The last name enforces that a hyphenated second last name starts with an uppercase letter while the first name does not. This is followed by a space.
- An optional suffix. The following suffixes are supported: Jr., Sr., I, II, III.
For more examples of regular expressions, see Regular Expressions.
- For string metadata fields with RegEx Validation defined, there is also an option to set the validation for the field to be case-sensitive. Toggle the Case-Sensitive Validation button to enable this functionality. If the user's entry does not match the expected case, the RegEx Message will display. If the Case-Sensitive Validation option is toggled to off, even if the regular expression contains requirements to enforce case, such as those described in the previous entry, the case requirement will not be enforced. In other words, with the regular expression described above and the Case-Sensitive Validation option enabled, John Smith would be accepted, but john smith would not be. With the Case-Sensitive Validation option disabled, john smith would be accepted.
- For multiple choice fields, enter the series of values that should appear in the field dropdown as a comma delimited list in the Options field. For example:
Accounting,HR,IT,Marketing,Sales
Note: The multiple choice options are displayed in the order entered in the comma delimited list. When a user selects a multiple choice value in a metadata field while editing a certificate, the value is saved to the database as the string (e.g. Marketing). Subsequently editing the series of values for the metadata field or rearranging them will not affect existing certificates configured with values for this field.
- Click Save to save your metadata field.
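The RegEx Validation and Case-Sensitive Validation settings described above can be tried out before saving a field. The following is an added example, not Keyfactor code: it uses Python's re module as a stand-in for the product's regular expression engine and models the Case-Sensitive Validation toggle as re.IGNORECASE, both of which are assumptions. It goes one step beyond the page by comparing the pattern as written with a tightened variant, because in Python \s also matches tabs and newlines and $ matches before a trailing newline; validate, strict_validate and SAMPLES are hypothetical names.

```python
import re

# Pattern copied verbatim from the RegEx Validation example on this page.
NAME_PATTERN = (
    r"^[A-Z][a-zA-Z'-]+\s((de|la|de la|van|von)\s)?[A-Z][a-zA-Z']+"
    r"(-[A-Z][a-zA-Z'-]+)?(\s(Jr\.|Sr\.|I{1,3}))?$"
)
# Tightened variant (an assumption of this example, not a product setting):
# literal spaces instead of \s, applied with fullmatch so nothing may trail.
STRICT_PATTERN = NAME_PATTERN.replace(r"\s", " ")


def _flags(case_sensitive: bool) -> int:
    # Assumption: the Case-Sensitive Validation toggle behaves like IGNORECASE.
    return 0 if case_sensitive else re.IGNORECASE


def validate(value: str, case_sensitive: bool = True) -> bool:
    """Apply the page's pattern as written."""
    return re.search(NAME_PATTERN, value, _flags(case_sensitive)) is not None


def strict_validate(value: str, case_sensitive: bool = True) -> bool:
    """Apply the tightened pattern to the whole string."""
    return re.fullmatch(STRICT_PATTERN, value, _flags(case_sensitive)) is not None


# Constructed sample entries, not taken from any real system.
SAMPLES = ["John Smith", "john smith", "Maria de la Cruz", "John Smith IV",
           "Anne-Marie Smith-Jones III", "John\tSmith", "John Smith\n"]


def run_samples() -> dict:
    """Map each sample to (case-sensitive, case-insensitive, strict) results."""
    return {
        s: (validate(s, True), validate(s, False), strict_validate(s, True))
        for s in SAMPLES
    }


if __name__ == "__main__":
    for sample, result in run_samples().items():
        print(f"{sample!r:32} {result}")
```

Entries that pass the first two checks but fail the strict one are values containing whitespace other than a single space, which is worth knowing if the metadata is later exported to CSV or used in alert text.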
Sorting Metadata Fields
You may change the display order for metadata fields. This affects how the fields display on the certificate details, certificate template details when configuring the metadata tab, and on enrollment pages. A certificate template defines the policies and rules that a CA uses when a request for a certificate is received.
To change the display order of a metadata field:
- Browse to System Settings Icon > Certificate Metadata.
- Right-click a grid row and choose Move from the right-click menu, or highlight the row in the grid and click Move at the top of the grid.
- In the Display Order dialog enter the desired display order number and click Save. The value entered must fall within the current display order range. For example, if the current range is 0-12, enter 12 to move a field to the end of the list, not 13. The metadata field will move to the entered display order row and the metadata fields from the rows above and below will be re-ordered.
Figure 415: Metadata Display Order
Deleting a Metadata Field
Metadata fields cannot be deleted if they are associated with any certificate values.
To delete a metadata field:
- Browse to System Settings Icon > Certificate Metadata.
- Right-click a grid row and choose Delete from the right-click menu, or highlight the row in the grid and click Delete at the top of the grid.
- If the metadata field is in use within Keyfactor Command (populated in certificates), you will be prompted to confirm the deletion. Type DELETE and the name of the metadata field to be deleted.
Figure 416: Metadata Confirm Deletion Dialog