Regular Expressions

Several fields on the CSR enrollment, CSR generation, and PFX enrollment pages support using regular expressions to validate that the data entered in the fields meets certain criteria. Both certificate subject fields and metadata string fields can be configured with regular expressions. The certificate subject fields that support regular expressions are shown in Table 21: Supported Regular Expressions for Enrollment with Examples.

Regular expressions for enrollment can be defined at a system-wide level to apply to all enrollments and at a template level to apply only to enrollments done with that template. Template-level definitions take precedence over system-wide definitions.

Both the regular expressions that do the validation and the error message that the user receives when the validation fails are user definable. For example, for the common name field you could define a regular expression similar to the following:

^(?!-)(?!.*--)[A-Za-z0-9-]{1,63}(?<!-)(\.[A-Za-z0-9-]{1,63})*\.keyexample\.com$

This regular expression specifies that the data entered in the field must begin with a label of 1 to 63 characters made up only of lowercase letters, uppercase letters, numbers, and/or hyphens, optionally followed by further labels of the same form separated by periods, and must end with exactly .keyexample.com. It disallows a hyphen as the first character of the first label, via (?!-), or as its last character, via (?<!-), and disallows consecutive hyphens anywhere in the value, via (?!.*--). Note that the leading and trailing hyphen checks are applied only to the first label; the optional later labels in (\.[A-Za-z0-9-]{1,63})* are not checked, so a value such as web.-server.keyexample.com would still pass. Using this regular expression would prevent users from requesting certificates with common names such as myserver.contoso.com, forcing them to request certificates for domain names that are valid for your organization. Your error message to the user in this case might be something like:

Common names must be a valid subdomain of keyexample.com using only letters, numbers, hyphens (not consecutive or at the start/end), and periods.

The error message to the user appears immediately once the user leaves the field being validated after entering data that doesn’t meet the regular expression requirements.

Table 21: Supported Regular Expressions for Enrollment with Examples

CN (Common Name)

This regular expression specifies that the data entered in the field must begin with a label of 1 to 63 characters made up only of lowercase letters, uppercase letters, numbers, and/or hyphens (with no hyphen at the beginning or end of the first label and no consecutive hyphens anywhere), optionally followed by further labels separated by periods, and end with exactly .keyexample.com:

^(?!-)(?!.*--)[A-Za-z0-9-]{1,63}(?<!-)(\.[A-Za-z0-9-]{1,63})*\.keyexample\.com$

The default value for the Common Name regular expression is:

.+

This requires entry of at least one character in the Common Name field in the enrollment pages.

O (Organization)

This regular expression requires that the organization name entered in the field be one of “Key Example Inc”, “Key Example” or “Key Example, Inc.”:

^(?:Key Example Inc|Key Example|Key Example, Inc\.)$

The period in the final company name (Key Example, Inc.) needs to be escaped in the regular expression with a backslash (\) because an unescaped period matches any single character; the comma has no special meaning in a regular expression and does not need to be escaped.

OU (Organizational Unit)

This regular expression requires that the organizational unit entered in the field be one of these four departments:

^(?:IT|HR|Accounting|E-Commerce)$

L (City/Locality)

This regular expression requires that the city entered in the field be one of these five cities:

^(?:Boston|Chicago|New York|London|Dallas)$

ST (State/Province)

This regular expression requires that the state or province entered in the field be one of these five values:

^(?:Massachusetts|Illinois|New York|Ontario|Texas)$

C (Country)

This regular expression requires that the country entered in the field be either US or CA:

^(?:US|CA)$

E (Email)

This regular expression specifies that the data entered in the field must consist of one or more characters prior to the “@” made up only of lowercase letters, uppercase letters, numbers, periods, underscores, percent signs, apostrophes, plus signs, and/or hyphens followed by exactly “@keyexample.com”:

^[A-Za-z0-9._%'+-]+@keyexample\.com$

DNS (Subject Alternative Name: DNS Name)

This regular expression specifies that the data entered in the field must begin with a label of 1 to 63 characters made up only of lowercase letters, uppercase letters, numbers, and/or hyphens (with no hyphen at the beginning or end of the first label and no consecutive hyphens anywhere), optionally followed by further labels separated by periods, and end with exactly either “.keyexample.com” or “.keyexample2.com”:

^(?!-)(?!.*--)[A-Za-z0-9-]{1,63}(?<!-)(\.[A-Za-z0-9-]{1,63})*\.(keyexample\.com|keyexample2\.com)$

IPv4 (Subject Alternative Name: IPv4 Address)

This regular expression specifies that the data entered in the field must be exactly “130.101.” followed by a value between 0 and 255, followed by “.”, followed by a value between 0 and 255:

^130\.101\.(?:[0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.(?:[0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$

This regular expression specifies only that the IPv4 address is made up of 4 sets of values between 0 and 255 separated by periods (a two-digit octet with a leading zero, such as 01, is also accepted):

^(?:[0-9]{1,2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.(?:[0-9]{1,2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.(?:[0-9]{1,2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.(?:[0-9]{1,2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$

IPv6 (Subject Alternative Name: IPv6 Address)

This regular expression specifies that the data entered in the field must be made up of up to eight groups of between one and four hexadecimal digits (0-9 and uppercase A-F) separated by colons:

^([A-F0-9]{1,4}:){1,7}([A-F0-9]{1,4})?(\:\:([A-F0-9]{1,4}:){0,6}[A-F0-9]{1,4})?$

The optional final group matches the shorthand “::” that can replace one or more all-zero groups, allowing the address to use shorthand notation. As written, the shorthand is only accepted when at least two groups precede it and at least one follows it, so addresses such as ::1 or FE80::1 are rejected; lowercase hexadecimal digits are not matched by the character class; and the total number of groups implied by an address is not checked.

MAIL (Subject Alternative Name: Email)

This regular expression specifies that the data entered in the field must consist of one or more characters prior to the “@” made up only of lowercase letters, uppercase letters, numbers, periods, underscores, percent signs, apostrophes, plus signs, and/or hyphens followed by exactly “@keyexample.com”:

^[A-Za-z0-9._%'+-]+@keyexample\.com$

UPN (Subject Alternative Name: User Principal Name)

This regular expression specifies that the data entered in the field must consist of between 1 and 64 characters prior to the “@” made up only of lowercase letters, uppercase letters, numbers, apostrophes, underscores, spaces, and/or hyphens followed by exactly “@keyexample.com”:

^[A-Za-z0-9'_ -]{1,64}@keyexample\.com$
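Before putting a pattern from the table above into a template, it is worth running it against a set of values you expect to pass and fail, because the gaps noted above (the unchecked later labels in the common name and DNS patterns, the restrictions of the IPv6 shorthand) are easy to miss by reading alone. The following script is an added example, not part of the Keyfactor Command documentation or product: it evaluates the common name, unrestricted IPv4 and IPv6 patterns from the table against constructed inputs and reports any that do not behave as expected. It uses Python's re module rather than the .NET engine the product uses; the constructs involved (anchors, lookahead, lookbehind, alternation) behave the same in both. The CN_TIGHTENED pattern is my own suggestion for closing the later-label gap and is not a Keyfactor default.

```python
import re

# Patterns copied from the table above (the product evaluates them with the
# .NET regex engine; the constructs used here behave the same in Python's re).
CN_PATTERN = (r"^(?!-)(?!.*--)[A-Za-z0-9-]{1,63}(?<!-)"
              r"(\.[A-Za-z0-9-]{1,63})*\.keyexample\.com$")
OCTET = r"(?:[0-9]{1,2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])"
IPV4_ANY = rf"^{OCTET}\.{OCTET}\.{OCTET}\.{OCTET}$"
IPV6_PATTERN = (r"^([A-F0-9]{1,4}:){1,7}([A-F0-9]{1,4})?"
                r"(\:\:([A-F0-9]{1,4}:){0,6}[A-F0-9]{1,4})?$")

# Hypothetical tightened CN pattern (my suggestion, not a Keyfactor default):
# every label, not only the first, is checked for a leading or trailing hyphen.
CN_TIGHTENED = r"^(?!.*--)(?:(?!-)[A-Za-z0-9-]{1,63}(?<!-)\.)+keyexample\.com$"


def validates(pattern: str, value: str) -> bool:
    """True when the whole field value satisfies the anchored pattern."""
    return re.fullmatch(pattern, value) is not None


def mismatches(pattern: str, expectations: dict) -> list:
    """Return the inputs whose outcome differs from the expected True/False."""
    return [v for v, want in expectations.items() if validates(pattern, v) != want]


# Constructed sample inputs; the expected outcomes were worked out by hand.
CN_CASES = {
    "myserver.keyexample.com": True,
    "web-01.dmz.keyexample.com": True,
    "myserver.contoso.com": False,               # wrong parent domain
    "keyexample.com": False,                     # at least one label is required
    "-bad.keyexample.com": False,                # first label starts with a hyphen
    "bad-.keyexample.com": False,                # first label ends with a hyphen
    "ba--d.keyexample.com": False,               # consecutive hyphens
    "myserver.keyexample.com.evil.net": False,   # the $ anchor stops suffix tricks
    "ab.-cd.keyexample.com": True,               # gap: later labels are not hyphen-checked
}
IPV4_CASES = {
    "10.0.0.1": True,
    "130.101.255.7": True,
    "256.1.1.1": False,                          # octet out of range
    "1.2.3": False,                              # too few octets
    "192.168.01.1": True,                        # two-digit octet with a leading zero passes
}
IPV6_CASES = {
    "2001:0DB8:0000:0000:0000:0000:0000:0001": True,
    "2001:DB8::1": True,
    "2001:DB8:1::2": True,
    "2001:db8::1": False,                        # lowercase hex is not in the class
    "::1": False,                                # leading :: is rejected
    "FE80::1": False,                            # :: after a single group is rejected
    "2001:DB8::": False,                         # trailing :: is rejected
    "1:2:3:4:5:6:7::8": True,                    # accepted although :: stands for nothing
}


def run_all() -> dict:
    """Map each pattern name to the inputs that did not behave as expected."""
    tightened_cases = {**CN_CASES, "ab.-cd.keyexample.com": False}
    return {
        "CN": mismatches(CN_PATTERN, CN_CASES),
        "IPv4": mismatches(IPV4_ANY, IPV4_CASES),
        "IPv6": mismatches(IPV6_PATTERN, IPV6_CASES),
        # The tightened pattern rejects the value the table's CN pattern lets through.
        "CN tightened": mismatches(CN_TIGHTENED, tightened_cases),
    }


if __name__ == "__main__":
    for name, unexpected in run_all().items():
        print(f"{name}: {'all cases as expected' if not unexpected else unexpected}")
```

Every list returned by run_all() is empty for the cases above, which confirms both the intended behaviour and the documented gaps. To check a pattern of your own, add it with its expected pass/fail values in the same way; a non-empty list names the inputs that the pattern does not treat as you assumed.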

Figure 270: PFX Enrollment Regular Expression Validation Error

For more information about configuring regular expressions on metadata fields, see Certificate Metadata.