Certificate Template Operations

Templates need to be imported manually when using an EJBCA CA, a Microsoft CA in a different forest, or when running Keyfactor Command on a non-domain-joined server. Manual import is also required if you have added or modified a template on the CA—for example, by changing its name or key size The key size or key length is the number of bits in a key used by a cryptographic algorithm.—without waiting for or configuring the automated import process (see Certificate Templates). Templates are imported automatically only when Keyfactor Command is connected to a Microsoft CA on a domain-joined server in the same forest.

To import certificate templates:

1. On the Certificate Templates page, click Import Templates.

2. In the Select Configuration Tenant A grouping of CAs. The Microsoft concept of forests is not used in EJBCA so to accommodate the new EJBCA functionality, and to avoid confusion, the term forest needed to be renamed. The new name is configuration tenant. For EJBCA, there would be one configuration tenant per EJBCA server install. For Microsoft, there would be one per forest. Note that configuration tenants cannot be mixed, so Microsoft and EJBCA cannot exist on the same configuration tenant. dialog, select a configuration tenant in the dropdown.

   Tip:  Previous versions of Keyfactor Command referred to the Configuration Tenant as the Template Forest.

   Import once for each configuration tenant containing templates that you want to import. The import process may take several seconds.

Important:  Newly imported templates cannot be used for enrollment Certificate enrollment refers to the process by which a user requests a digital certificate. The user must submit the request to a certificate authority (CA). until after the next execution of the CATemplateCache periodic task following import (see Keyfactor Command Service Automated Tasks).

The options configured in templates largely relate to how certificates issued with them are managed in Keyfactor Command and how certificates are issued through Keyfactor Command if an enrollment pattern is not specified for the enrollment.

To configure template options:

1. On the Certificate Templates page, select one of the following methods to edit an entry:

   • Double-click the row in the certificate template grid.
   • Right-click the row and choose Edit from the right-click menu.
   • Highlight the row in the grid and click Edit at the top of the grid.

2. When the template opens for editing, you will see two tabs. Follow the instructions for each tab provided below to enter the necessary data.

   At the top of the page above the tabs you will see four buttons:

   • Back: Return to the main certificate templates page without saving changes

   • Save: Save the changes to the template record

   • View on CA: View the details for this template as configured on the CA (see View on CA). Use the breadcrumbs or the Back button to return.

   • Copy on CA: Create a copy of this template as configured on the CA (see Copy on CA). Use the breadcrumbs or the Back button to return.

   Details Tab

   Details

   The information in the Details section is for reference and cannot be edited. This includes:

   • Template Short Name: The common name A common name (CN) is the component of a distinguished name (DN) that represents the primary name of the object. The value varies depending on the type of object. For a user object, this would be the user's name (e.g. CN=John Smith). For SSL certificates, the CN is typically the fully qualified domain name (FQDN) of the host where the SSL certificate will reside (e.g. servername.keyexample.com or www.keyexample.com). of the template. This name typically does not contain spaces.

   • Template Display Name: The display name of the template.

   • OID: For a Microsoft certificate template, the object ID of the template retrieved from Active Directory. For an EJBCA certificate template, this field is generated within Keyfactor Command as an object identifier Object identifiers or OIDs are a standardized system for identifying any object, concept, or "thing" with a globally unambiguous persistent name., but does not follow official OID Object identifiers or OIDs are a standardized system for identifying any object, concept, or "thing" with a globally unambiguous persistent name. conventions.

   Key Types and Sizes

   The information in the Key Types and Sizes section reflects the primary key sizes and types supported by the template at the CA level. It is for reference and cannot be edited. This includes:

   • RSA Key Sizes: The supported key size(s) for the template.
   • ECC Curves: The elliptic curve algorithm(s) defined for the certificate template.
   • Supports Ed448: Whether the template supports the Ed448 A high-security elliptic curve algorithm, Ed448 is used for digital signatures and is known for providing very strong security while maintaining high performance. It is part of the Edwards-curve Digital Signature Algorithm (EdDSA) family. algorithm (Yes/No).
   • Supports Ed25519: Whether the template supports the Ed25519 Another member of the EdDSA family, Ed25519 is designed for high security and speed. It is widely used in modern cryptography and provides robust protection with a 256-bit key size. algorithm (Yes/No).
   • Supported ML-DSA Algorithms: A list of the supported ML-DSA algorithms.
   • Supported SLH-DSA Algorithms: A list of the supported SLH-DSA algorithms.

   Alternative Key Types

   The information in the Alternative Key Types section reflects the alternative key types supported by the template at the CA level. It is for reference and cannot be edited. This includes:

   • Supported ML-DSA Algorithms: A list of the supported ML-DSA algorithms.
   • Supported SLH-DSA Algorithms: A list of the supported SLH-DSA algorithms.

   Friendly Name

   In the Friendly Name section, enter a Friendly Name, if desired. Template friendly names, if configured, appear in template selection dropdowns in place of the template short names. This can be useful in environments where the template short names are long or not very human readable. This setting is not required.

   Enrollment

   Enable the Allow One-Click Renewals option, if desired. To use One-Click Renewal for certificates, the Allow One-Click Renewals option must be enabled in both the certificate templates and CAs to which you want One-Click Renewal to apply (see HTTPS CAs - Advanced Tab or DCOM CAs - Advanced Tab ). For more information about one-click renewals, see Renew/Reissue.

   Private Key Retention

   In the Private Key Retention section, enable Private Key Retention, if desired, and select the retention type in the dropdown. Enter the number of days, weeks, months, or years to keep the encrypted private key Private keys are used in cryptography (symmetric and asymmetric) to encrypt or sign content. In asymmetric cryptography, they are used together in a key pair with a public key. The private or secret key is retained by the key's creator, making it highly secure. stored in the Keyfactor Command database based on the type selected, then select the desired time frame (Day(s), Week(s), Month(s), or Year(s)). You will not have the option to choose a retention timeframe if you choose Indefinite.

   Note:  If private key retention is set at both the CA level and the template level, the configuration from the template is used.

   Configuring private key retention allows the private keys for certificates enrolled through Keyfactor Command to be stored, encrypted, in the Keyfactor Command database for a user-definable period of time.

   Important:  Any templates that are configured on the Microsoft CA Issuance Requirements tab for CA certificate manager approval cannot be used for PFX A PFX file (personal information exchange format), also known as a PKCS#12 archive, is a single, password-protected certificate archive that contains both the public and matching private key and, optionally, the certificate chain. It is a common format for Windows servers. enrollment and associated pending, issued, and denied alerting in Keyfactor Command without configuring private key retention. Edit the template in Keyfactor Command, and on the Details tab check the Private Key Retention box. Set the dropdown to some value other than blank and for retention options of After Expiration or From Issuance, enter a value for the number of days, weeks, months or years to retain the private key. Without this setting, the template will not display on the template dropdown during PFX enrollment.

   

   Figure 288: Microsoft Issuance Requirements on a Template for Manager Approval

   Note:  This does not apply to certificate requests requiring approval at a Keyfactor Command workflow A workflow is a series of steps necessary to complete a process. In Keyfactor Command, it refers to the workflow builder, which allows you to automate event-driven tasks such as when a certificate is requested, revoked or found in a certificate store. level.

   The private key retention configuration options are:

   • Blank

     The private key will not be retained if the box is unchecked, or the blank option is selected.

   • Indefinite

     The private key will be retained until it is explicitly deleted.

   • After Expiration

     The private key will be retained until the specified number of days, weeks, months or years after the certificate expires, at which point it will be scheduled for deletion.

   • From Issuance

     The private key will be retained until the specified number of days, weeks, months or years after the date on which the certificate was issued, at which point it will be scheduled for deletion.

   Note:  When the retention period is stored in the database, weeks are converted to 7 days, months are converted to 30 days, and years are converted to 365 days.

   Tip:  Setting the retention period to 0 will cause the private keys to be purged by the private key clean up job when it next runs, after the certificate expires or after the certificate is issued.

   

   Figure 289: Certificate Template: Details Tab for an EJBCA Template

   Certificate Cleanup

   The certificate cleanup task periodically removes expired certificates from the database. Once removed, these certificates will not be re-imported during a standard CA synchronization unless certificate cleanup is later disabled. CA synchronization tasks use the certificate cleanup settings to determine whether a certificate is eligible for cleanup and whether to exclude such certificates from import.

   Certificates that are saved in the Keyfactor Command database will not be removed if they are part of a certificate store or have been imported as the result of an SSL TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are protocols for establishing authenticated and encrypted links between networked computers. scan.

   Certificate cleanup settings can be configured at three levels:

   • Certificate Template Record: If configured, overrides the system-wide settings when processing certificate cleanup tasks for certificates associated with this template. These cleanup tasks are processed first.

   • Certificate Authority (CA) Record: If configured, overrides the system-wide settings when processing certificate cleanup tasks for certificates associated with this CA but not associated with any template. These cleanup tasks are processed second.

   • System-Wide: Applies to all certificate authorities and templates in the system. These values are used when processing certificate cleanup tasks for certificates associated with neither a CA nor a template and when no overrides are set at the CA or template level. These cleanup tasks are processed last.

     Note:  For manually imported certificates without an associated template (e.g., from a standalone CA), system-wide cleanup settings will be applied even if the CA exists in Keyfactor Command. This occurs because Keyfactor Command cannot reliably associate such certificates with the correct CA.

   In the certificate cleanup section, configure the following options, if desired:

   • Certificate Cleanup Enabled for Template : Enable the periodic cleanup job to remove expired certificates from the database. The default is disabled.

   • Time After Expiration: The amount of time after expiration to wait until the certificate is eligible for removal. The default is 24.

   • Time After Expiration Units: The time unit to apply to the expiration time. Options are days, weeks, or months. The default is months.

   • Include Certificates with Archived Keys in Cleanup: Determines whether certificates with a private key stored in the system are eligible for removal. The default is disabled.

   Important:  If a certificate with a stored private key is deleted and later restored, the stored private key will not be restored.

   Note:  The system-wide settings for certificate cleanup are configured in application settings (see Application Settings: Console Tab).

   

   Figure 290: Certificate Template: Details Tab Certificate Cleanup Settings

   Metadata Tab

   Select metadata Metadata provides information about a piece of data. It is used to summarize basic information about data, which can make working with the data easier. In Keyfactor Command, the certificate metadata feature allows you to create custom metadata fields that allow you to tag certificates with tracking information about certificates. fields can be configured at three levels:

   • System-wide

   • Template level

   • Enrollment pattern level

   The multi-level configurable fields are:

   • Enrollment Handling: Specifies whether the field is Optional, Required, or Hidden during enrollment.

     Tip:  Administrators can control which metadata fields appear at the global, template, or enrollment pattern level. For example, setting fields A and B as Required or Optional and field C as Hidden on the Primary WebServer enrollment pattern ensures only fields A and B appear during enrollment for that pattern. Meanwhile, field C can be set as Required for a different enrollment pattern, allowing it to appear only when that pattern is used.

   • Default Value: A predefined value that populates during enrollment, which users can override.

   • RegEx Message: An error message displayed when the value entered in a string metadata field does not match the configured regular expression A regular expression--RegEx--is a pattern used to validate data by ensuring it meets specific criteria. Several fields on the CSR enrollment, CSR generation, and PFX enrollment pages support RegEx validation, including certificate subject and metadata fields..

   • RegEx Validation: An optional regular expression that validates input for string metadata fields during enrollment.

   • Case-Sensitive Validation: A toggle that enforces case-sensitive validation for regular expression checks, overriding any case-sensitivity defined in the regular expression itself.

   Note:  The order of precedence for evaluating metadata settings during enrollment is as follows:

   1. Enrollment Pattern:

      The enrollment pattern is evaluated first. If a value is set for the metadata field and setting (e.g., enrollment handling), that value is used, and any configuration for the same metadata field and setting at the template and system-wide levels is ignored. For enrollment pattern metadata configuration, see the enrollment patterns Enrollment Pattern: Metadata Tab.

   2. Template:

      If the enrollment pattern does not have a value set for the metadata field and setting, the template is evaluated. If the template has a value set, that value is used, and any configuration at the system-wide level is ignored.

   3. System-Wide Settings:

      If neither the enrollment pattern nor the template has a value set for the metadata field and setting, the system-wide settings are evaluated. Values configured at this level are used if set. For system-wide metadata settings, see Certificate Metadata under System Settings.

   Once the system-wide metadata has been defined, settings at the template level can be configured.

   To configure metadata fields for a template:

   1. On the Metadata tab, select one of the following methods to edit an entry:

      • Double-click the row in the Metadata grid.
      • Highlight the row in the grid and click Edit at the top of the grid.
   2. In the Metadata dialog in the System-Wide Settings section, review the existing system-wide settings for the metadata field.
   3. In the Template Settings section, click to toggle the Override System-Wide Settings button. Configure the settings for the metadata field. The available fields will vary depending on the type of the metadata field and may include:

      • Choose the enrollment handling for this template by selecting the appropriate radio button:

        • Optional: The metadata field will appear during enrollment with this template, but it will not be required to complete enrollment.

        • Required: This field will be required in order to complete enrollment with this template.

        • Hidden: This field will not be displayed during enrollment with this template.

      • Set the Default Value if desired. If no default value is desired, the field may be left blank. For Multiple Choice type metadata fields, this field will appear as a dropdown where you can select from the existing values configured for the metadata field.
      • If desired, set a RegEx Message and RegEx Validation string specific to the template used to validate the value upon enrollment, and any error message to display if the entry does not match the regex A regular expression--RegEx--is a pattern used to validate data by ensuring it meets specific criteria. Several fields on the CSR enrollment, CSR generation, and PFX enrollment pages support RegEx validation, including certificate subject and metadata fields. definition. For more information, see Adding or Modifying a Metadata Field. This option appears for string type metadata fields.
      • If desired, toggle the Case-Sensitive Validation option to a different value than is set at the system or enrollment pattern level for this metadata field. This toggle only becomes active once the RegEx fields are populated. This option appears for string type metadata fields.
   4. Click Save on the Metadata dialog to save changes for each metadata field.

   

   Figure 291: Template: Metadata Tab

   Tip:  Templates that are configured for CA-level key archiving are not supported for enrollment done through Keyfactor Command. For a Microsoft CA, this is the “Archive subject's encryption private key” setting on the template. For an EJBCA CA, this is the “Key Recoverable” setting on the end entity profile, which only appears if key recovery has been enabled in system configuration. An error similar to the following on enrollment is an indication that a Microsoft template is configured to archive the private key:

   The request is missing a required private key for archival by the server.

   For enrollments done through Keyfactor Command, use Keyfactor Command private key retention (see Details Tab).

The View on CA option is available for Microsoft and EJBCA templates accessed through a direct connection (not through a CA connector or gateway). The fields available for viewing are the same as those available when creating or editing a CA (see Create or Edit on CA) in a read-only state.

When you create a template in Keyfactor Command, the system automatically creates a corresponding certificate profile and end entity profile—both named after the template—in the associated EJBCA instance for the specified configuration tenant.

At least one CA from that EJBCA instance must be configured in Keyfactor Command before these options can be used. Templates cannot be created and linked to an existing end entity profile.

New templates are synchronized to the EJBCA instance immediately upon being saved.

To create a new template on the CA or edit an existing one:

1. On the Certificate Templates page, click Create on CA to add a new template, or select a row and click Edit on CA from either the top or right-click menu to modify an existing one.

   Important:  The Edit on CA option is available only when a template’s certificate profile and end entity profile have a one-to-one mapping—that is, when the certificate profile is linked to exactly one end entity profile and vice versa.

2. In the Select Configuration Tenant dialog, choose the configuration tenant for the EJBCA instance where you want to create the template.

   Only configuration tenants for EJBCA instances accessed directly from Keyfactor Command are shown. Tenants for Microsoft CAs or EJBCA instances accessed through a gateway or CA connector are not included. The list is not limited by EJBCA version.

3. On the Create on CA page, enter the following information and then click Save:

   • Name: A name for the template, which is used in EJBCA as both the certificate profile name and the end entity profile name.

   • Available CAs: In the dropdown, select one or more CAs—or check Select All. The selected CAs will be configured in the certificate profile and end entity profile as Available CAs.

   • Validity Period: Enter the validity period for certificates issued with this template.

   • Key Usage: In the dropdown, select one or more key usage values for certificates issued with this template.

   • Extended Key Usage: In the dropdown, select one or more extended key usage (EKU) values for certificates issued with this template. Use the filter to display only items whose names contain the typed text. The filter is case-sensitive.

     Note:  Only EKUs supported by Keyfactor Command (see Extended Key Usages) can be applied to templates for an EJBCA CA. Templates that include EKUs defined directly in EJBCA but not supported by Keyfactor Command can be viewed in Keyfactor Command, but they cannot be edited or saved.

   • Certificate Policies: To add a certificate policy, click Add, and in the Certificate Policies dialog, enter the following information:

     • Policy Id: Specifies the unique Object Identifier (OID) that identifies the certificate policy. The OID links the certificate to a specific policy definition in your organization’s Certification Practice Statement (CPS) or internal PKI A public key infrastructure (PKI) is a set of roles, policies, and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption. policy framework.

     • Type: Defines the type of information associated with the policy. The dropdown options are No Policy Qualifier (no additional data), User Notice Text (a short human-readable message), or CPS URI (a link to the applicable policy document).

     • Value: Specifies the content for the selected type. Enter the URI when the type is CPS URI, or the explanatory text or disclaimer when the type is User Notice Text. Leave this field empty when the type is No Policy Qualifier.

     

     Figure 292: Add Certificate Policy During Create on CA

   • Custom Extensions: If any custom certificate extensions have been defined in your EJBCA instance, they will be available in this dropdown to be associated with the new template. Use the filter to display only items whose names contain the typed text. The filter is case-sensitive. See also View Extensions.

     Tip:  If two or must custom certificate extensions are configured in your EJBCA instance with the same name, only one of these will be displayed. Update the extension in EJBCA to give it a unique name to allow all extensions to appear in Keyfactor Command.
     Note:  When retrieving custom extensions, Keyfactor Command assumes that each configuration tenant and hostname The unique identifier that serves as name of a computer. It is sometimes presented as a fully qualified domain name (e.g. servername.keyexample.com) and sometimes just as a short name (e.g. servername). combination (for example, https://my-ejbca.keyexample.com) is unique. If a configuration tenant in Keyfactor Command is associated with more than one hostname, extensions are retrieved from the first hostname found for the specified configuration tenant.
   • RSA Key Sizes: In the dropdown, select any RSA A widely used public-key cryptosystem, RSA is commonly used for encryption and digital signatures. It is based on the mathematical difficulty of factoring large integers. key sizes to associate with the template.
   • ECC Curves: In the dropdown, select any ECC Elliptical curve cryptography (ECC) is a public key encryption technique based on elliptic curve theory that can be used to create faster, smaller, and more efficient cryptographic keys. ECC generates keys through the properties of the elliptic curve equation instead of the traditional method of generation as the product of very large prime numbers. curves to associate with the template.
   • Ed25519: Enable this option for the template, if desired.
   • Ed448: Enable this option for the template, if desired.
   • ML-DSA Algorithms: In the dropdown, select any ML-DSA algorithms to associate with the template.
   • SLH-DSA Algorithms: In the dropdown, select any SLH-DSA algorithms to associate with the template.
   • Alternative ML-DSA Algorithms: In the dropdown, select any ML-DSA algorithms to associate with the template as alternative keys.
   • Alternative SLH-DSA Algorithms: In the dropdown, select any SLH-DSA algorithms to associate with the template as alternative keys.
   

   Figure 293: Templates: Create on CA

Default Settings

When Keyfactor Command creates or edits an EJBCA certificate profile and end entity profile, several settings are automatically configured and retained on future edits. These settings differ slightly depending on whether they’re always applied or applied only when a related object is included in the request.

Default Certificate Profile Settings

The following certificate profile settings are automatically configured when a template is created and remain unchanged on subsequent edits:

• Version: 1

• Type: End Entity

• Signature Algorithm: Inherit from Issuing CA

• Authority Information Access: Use

• Use CA defined CA issuer (AIA The authority information access (AIA) is included in a certificate--if configured--and identifies a location from which the chain certificates for that certificate may be retrieved.): Use

• CRL Distribution Points: Use

• Use CA defined CRL Distribution Point: Use

• Use CA defined OCSP locator: Use

• LDAP DN order: Use

• Subject Key ID: Use

Default Certificate Profile Settings When a Related Object Is Provided

These certificate profile settings are also configured and preserved, but only if a related object of that type is included in the request:

• Extended Key Usage: Use
• Certificate Policies: Use

• Alternative Signature: Use

Default End Entity Profile Settings

These end entity profile settings are also configured by default:

• Type: Default

• Version: 1

• Default Certificate Profile: The certificate profile being creating

• Available Tokens: User Generated, P12 A PFX file (personal information exchange format), also known as a PKCS#12 archive, is a single, password-protected certificate archive that contains both the public and matching private key and, optionally, the certificate chain. It is a common format for Windows servers. File, BCFKS File, JKS A Java KeyStore (JKS) is a file containing security certificates with matching private keys. They are often used by Java-based applications for authentication and encryption. File, PEM A PEM format certificate file is a base64-encoded certificate. Since it's presented in ASCII, you can open it in any text editor. PEM certificates always begin and end with entries like ---- BEGIN CERTIFICATE---- and ----END CERTIFICATE----. PEM certificates can contain a single certificate or a full certifiate chain and may contain a private key. In general, extensions of .cer and .crt are certificate files with no private key, .key is a separate private key file, and .pem is both a certificate and private key. File

• Subject Alternative Name:

  • DNS The Domain Name System is a service that translates names into IP addresses. Name (six preconfigured entries)

  • IP Address

  • MS UPN, User Principal Name

  • RFC 822 Name (e-mail address)

  • MS GUID, Globally Unique Identifier

• Subject DN Attributes: CN A common name (CN) is the component of a distinguished name (DN) that represents the primary name of the object. The value varies depending on the type of object. For a user object, this would be the user's name (e.g. CN=John Smith). For SSL certificates, the CN is typically the fully qualified domain name (FQDN) of the host where the SSL certificate will reside (e.g. servername.keyexample.com or www.keyexample.com)., O, OU, L ST, C, E, DC

• Default Token: User Generated

• Default CA: The first available CA provided in template

The Copy on CA option creates a new template on an EJBCA instance by copying an existing template from either an EJBCA instance or a Microsoft CA configured in Keyfactor Command.

When you create a template in Keyfactor Command with the copy option, the system automatically creates a corresponding certificate profile and end entity profile—both named based on the new name of the template—in the associated EJBCA instance for the specified configuration tenant.

At least one CA from that EJBCA instance must be configured in Keyfactor Command before this option can be used. Templates cannot be created and linked to an existing end entity profile.

New templates are synchronized to the EJBCA instance immediately upon being saved.

To create a template as a copy of an existing template:

1. On the Certificate Templates page, select a row and click Copy on CA from either the top or right-click menu.

2. In the Select Configuration Tenant dialog, choose the configuration tenant for the EJBCA instance where you want to create the template.

   Only configuration tenants for EJBCA instances accessed directly from Keyfactor Command are shown. Tenants for Microsoft CAs or EJBCA instances accessed through a gateway or CA connector are not included. The list is not limited by EJBCA version.

3. On the Copy on CA page, update the information copied from the original template as required and then click Save.

   • Name: A name for the template, which is used in EJBCA as both the certificate profile name and the end entity profile name.

   • Available CAs: In the dropdown, select one or more CAs—or check Select All. The selected CAs will be configured in the certificate profile and end entity profile as Available CAs.

   • Validity Period: Enter the validity period for certificates issued with this template.

   • Key Usage: In the dropdown, select one or more key usage values for certificates issued with this template.

   • Extended Key Usage: In the dropdown, select one or more extended key usage (EKU) values for certificates issued with this template. Use the filter to display only items whose names contain the typed text. The filter is case-sensitive.

     Note:  Only EKUs supported by Keyfactor Command (see Extended Key Usages) can be applied to templates for an EJBCA CA. Templates that include EKUs defined directly in EJBCA but not supported by Keyfactor Command can be viewed in Keyfactor Command, but they cannot be edited or saved.

   • Certificate Policies: To add a certificate policy, click Add, and in the Certificate Policies dialog, enter the following information:

     • Policy Id: Specifies the unique Object Identifier (OID) that identifies the certificate policy. The OID links the certificate to a specific policy definition in your organization’s Certification Practice Statement (CPS) or internal PKI policy framework.

     • Type: Defines the type of information associated with the policy. The dropdown options are No Policy Qualifier (no additional data), User Notice Text (a short human-readable message), or CPS URI (a link to the applicable policy document).

     • Value: Specifies the content for the selected type. Enter the URI when the type is CPS URI, or the explanatory text or disclaimer when the type is User Notice Text. Leave this field empty when the type is No Policy Qualifier.

     

     Figure 294: Add Certificate Policy During Create on CA

   • Custom Extensions: If any custom certificate extensions have been defined in your EJBCA instance, they will be available in this dropdown to be associated with the new template. Use the filter to display only items whose names contain the typed text. The filter is case-sensitive. See also View Extensions.

     Tip:  If two or must custom certificate extensions are configured in your EJBCA instance with the same name, only one of these will be displayed. Update the extension in EJBCA to give it a unique name to allow all extensions to appear in Keyfactor Command.
     Note:  When retrieving custom extensions, Keyfactor Command assumes that each configuration tenant and hostname combination (for example, https://my-ejbca.keyexample.com) is unique. If a configuration tenant in Keyfactor Command is associated with more than one hostname, extensions are retrieved from the first hostname found for the specified configuration tenant.
   • RSA Key Sizes: In the dropdown, select any RSA key sizes to associate with the template.
   • ECC Curves: In the dropdown, select any ECC curves to associate with the template.
   • Ed25519: Enable this option for the template, if desired.
   • Ed448: Enable this option for the template, if desired.
   • ML-DSA Algorithms: In the dropdown, select any ML-DSA algorithms to associate with the template.
   • SLH-DSA Algorithms: In the dropdown, select any SLH-DSA algorithms to associate with the template.
   • Alternative ML-DSA Algorithms: In the dropdown, select any ML-DSA algorithms to associate with the template as alternative keys.
   • Alternative SLH-DSA Algorithms: In the dropdown, select any SLH-DSA algorithms to associate with the template as alternative keys.
   

   Figure 295: Templates: Copy on CA

Default Settings

When Keyfactor Command creates or edits an EJBCA certificate profile and end entity profile, several settings are automatically configured and retained on future edits. These settings differ slightly depending on whether they’re always applied or applied only when a related object is included in the request.

Default Certificate Profile Settings

The following certificate profile settings are automatically configured when a template is created and remain unchanged on subsequent edits:

• Version: 1

• Type: End Entity

• Signature Algorithm: Inherit from Issuing CA

• Authority Information Access: Use

• Use CA defined CA issuer (AIA): Use

• CRL Distribution Points: Use

• Use CA defined CRL Distribution Point: Use

• Use CA defined OCSP locator: Use

• LDAP DN order: Use

• Subject Key ID: Use

Default Certificate Profile Settings When a Related Object Is Provided

These certificate profile settings are also configured and preserved, but only if a related object of that type is included in the request:

• Extended Key Usage: Use
• Certificate Policies: Use

• Alternative Signature: Use

Default End Entity Profile Settings

These end entity profile settings are also configured by default:

• Type: Default

• Version: 1

• Default Certificate Profile: The certificate profile being creating

• Available Tokens: User Generated, P12 File, BCFKS File, JKS File, PEM File

• Subject Alternative Name:

  • DNS Name (six preconfigured entries)

  • IP Address

  • MS UPN, User Principal Name

  • RFC 822 Name (e-mail address)

  • MS GUID, Globally Unique Identifier

• Subject DN Attributes: CN, O, OU, L ST, C, E, DC

• Default Token: User Generated

• Default CA: The first available CA provided in template

Custom certificate extensions are configured on an EJBCA instance to support a variety of custom needs. Within Keyfactor Command, they are sometimes used to support the use of custom SANs or a large number of SANs (see Appendix - Configuring Support for Large or Custom SANs with EJBCA) or for use with the Keyfactor Windows Enrollment Gateway. The View Extension option allows you to view or edit the custom certificate extensions configured on an EJBCA instance from within Keyfactor Command. This function is based on a configuration tenant rather than an individual template.

To add a new custom extension or edit an existing one:

1. On the Certificate Templates page, click View Extension.
2. Select the Configuration Tenant of the EJBCA instance you wish to manage.
3. On the Custom Certificate Extensions page, click Add to add a new extension, or select an extension and click Edit.

4. Enter the following information:

   • Name: Give the extension a name for your reference. The name must be unique and cannot differ by case (you cannot create one called My Extension and another called my extension).

   • OID: Enter a valid OID for the extension. The OID does not need to be unique between extensions.

   • Required: Click to enable the required option.

   • Critical: Click to enable the critical option.

5. Click to Save the record. The extension will be synchronized to the EJBCA instance immediately.

Figure 296: Edit Custom Certificate Template Extensions

To view the certificates in the Keyfactor Command database for a given template, highlight the template in the grid and click View Certificates at the top of the grid or right-click the template and choose View Certificates from the right-click menu. This will take you to the certificate search page with the query field populated by the selected template (see Certificate Search Page). You can save the search as a certificate collection at that point if desired (see Saving Search Criteria as a Collection).