Enrollment Patterns
Enrollment patterns are used in conjunction with certificate templates to enroll for certificates through Keyfactor Command. They allow you to set parameters on enrollments (policies, default subjects, metadata values, etc.) differently for different groups of users while still using the same certificate template. In this way, you can avoid excess duplication of certificate templates at the CA level. One certificate template may be configured with multiple enrollment patterns to meet different business needs; one enrollment pattern must always be defined as the default enrollment pattern for a given template. Enrollment patterns also provide the flexibility to limit access to CAs for selected groups, so group A can enroll for certificates from CA A, but group B does not see CA A as available for enrollment, even while both are using the same template.
Enrollment: Certificate enrollment refers to the process by which a user requests a digital certificate. The user must submit the request to a certificate authority (CA).
Metadata: Metadata provides information about a piece of data. It is used to summarize basic information about data, which can make working with the data easier. In Keyfactor Command, the certificate metadata feature allows you to create custom metadata fields that allow you to tag certificates with tracking information about certificates.
Certificate template: A certificate template defines the policies and rules that a CA uses when a request for a certificate is received.
CA: A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA.
Enrollment Pattern Settings
Enrollment pattern settings may be configured either at an individual enrollment pattern level or, for some settings, at a system-wide level.
Settings that may be configured at either the system-wide level or at the individual level include:
- Regular expressions used to validate that the data entered in the certificate subject fields meets certain criteria.
- Certificate subject defaults that define default values for select certificate subject parts that will auto-populate on the PFX enrollment and CSR generation pages in the Keyfactor Command Management Portal.
  PFX: A PFX file (personal information exchange format), also known as a PKCS#12 archive, is a single, password-protected certificate archive that contains both the public and matching private key and, optionally, the certificate chain. It is a common format for Windows servers.
  CSR: A CSR or certificate signing request is a block of encoded text that is submitted to a CA when enrolling for a certificate. When you generate a CSR within Keyfactor Command, the matching private key for it is stored in Keyfactor Command in encrypted format and will be married with the certificate once returned from the CA.
- Enrollment policies address various topics, including permitted key sizes and types, certificate owner behavior and defaults, and options for enabling wildcards, key reuse, and RFC 2818 enforcement during enrollment.
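The following is an added illustration, not Keyfactor Command code or its configuration schema, of how subject regular expressions and enrollment policies of this kind combine when a request is evaluated. The setting names, the sample requests, and the reading of RFC 2818 enforcement as "the CN must also appear as a DNS SAN" are assumptions made for the example.

```python
import re

# Hypothetical pattern settings (constructed; not Keyfactor Command's schema).
PATTERN = {
    "subject_regexes": {  # per-field validation regexes
        "CN": r"(\*|[a-z0-9-]+)(\.[a-z0-9-]+)*\.example\.com",
        "O": r"Example Corp",
    },
    "allowed_keys": {"RSA": 2048, "ECC": 256},  # key type -> minimum size
    "allow_wildcards": False,
    "enforce_rfc2818": True,  # assumed meaning: CN must also be a DNS SAN
}

def check_request(req, pattern=PATTERN):
    """Return a list of policy violations for a parsed enrollment request."""
    problems = []
    subject = req["subject"]
    # Subject regexes: the whole field value must match, not a substring.
    for field, rx in pattern["subject_regexes"].items():
        value = subject.get(field, "")
        if not re.fullmatch(rx, value):
            problems.append(f"{field} fails regex: {value!r}")
    # Key policy: the type must be listed and the size must meet the minimum.
    min_size = pattern["allowed_keys"].get(req["key_type"])
    if min_size is None:
        problems.append(f"key type {req['key_type']} not permitted")
    elif req["key_size"] < min_size:
        problems.append(f"key size {req['key_size']} below {min_size}")
    # Wildcard policy covers the CN and every DNS SAN.
    names = [subject.get("CN", "")] + req.get("dns_sans", [])
    if not pattern["allow_wildcards"] and any(n.startswith("*.") for n in names):
        problems.append("wildcard names not permitted")
    if pattern["enforce_rfc2818"]:
        sans = {s.lower() for s in req.get("dns_sans", [])}
        if subject.get("CN", "").lower() not in sans:
            problems.append("RFC 2818: CN missing from DNS SANs")
    return problems

# Constructed sample requests.
GOOD = {"subject": {"CN": "api.example.com", "O": "Example Corp"},
        "key_type": "RSA", "key_size": 2048, "dns_sans": ["api.example.com"]}
BAD = {"subject": {"CN": "*.example.com", "O": "Example"},
       "key_type": "RSA", "key_size": 1024, "dns_sans": []}

if __name__ == "__main__":
    for name, req in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_request(req) or "accepted")
```

Because the regex in this sketch accepts a wildcard CN, it is the separate wildcard policy that rejects it, which shows why the two controls are configured independently.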
Settings found only at the individual enrollment pattern level include:
- Security roles that may enroll with the enrollment pattern, or whether Active Directory permissions are used instead of Keyfactor Command roles.
- Certificate Authorities (CAs) that may be enrolled against using the enrollment pattern.
- Types of enrollment supported by the enrollment pattern (e.g., PFX enrollment, CSR enrollment, and/or CSR generation).
- Custom enrollment fields used to supply custom request attributes to the CA during the enrollment process.
- Default metadata values, enrollment handling for each metadata field (whether the field is required, optional, or hidden), regular expressions applied to metadata fields, and options for multiple-choice metadata fields.
Note: System-wide metadata settings are configured on the Metadata page in System Settings, not at the system-wide level in enrollment patterns (see Certificate Metadata).

You can also find the help icon at the top of the page next to the Log Out button. From here you can choose to open either the Keyfactor Software & Documentation Portal at the home page or the Keyfactor API Endpoint Utility.
Keyfactor provides two sets of documentation: the On-Premises Documentation Suite and the Managed Services Documentation Suite. Which documentation set is accessed is determined by the Application Settings: On-Prem Documentation setting (see Application Settings: Console Tab).