The GET /CertificateAuthority method is used to retrieve a list of certificate authorities defined in Keyfactor Command. This method returns HTTP 200 OK on a success with details for all the defined certificate authorities.
Table 313: GET Certificate Authority Input Parameters
| Name | In | Description |
|---|---|---|
| PageReturned | Query | An integer that specifies how many multiples of the returnLimit to skip and offset by before returning results, to enable paging. The default is 1. |
| ReturnLimit | Query | An integer that specifies how many results to return per page. The default is 50. |
| SortField | Query | A string containing the property by which the results should be sorted. Fields available for sorting through the API for the most part match those that appear as sortable columns in the Keyfactor Command Management Portal. The default sort field is Id. |
| SortAscending | Query | An integer that sets the sort order on the returned results. A value of 0 sorts results in ascending order while a value of 1 sorts results in descending order. The default is ascending. |
Table 314: GET Certificate Authority Response Data
| Name | Description |
|---|---|
| Id | An integer indicating the Keyfactor Command identifier for the certificate authority. The ID is automatically assigned by Keyfactor Command. |
| LogicalName | A string indicating the logical name of the certificate authority. |
| HostName | A string indicating the DNS hostname (for DCOM configurations) or URL (for HTTPS configurations) of the certificate authority (e.g. myca.keyexample.com or https://myca.keyexample.com). |
| Delegate |
A Boolean that sets whether management interactions with the certificate authority via Keyfactor Command should be done in the context of the user making the request (true). If set to false, these interactions are done in the context of the service account under which the Keyfactor Command application pool is running unless ExplicitCredentials is true. Important: Delegation is only supported with Microsoft CAs and has limitations. Be sure to read more about delegation in Adding or Modifying a DCOM CA before setting this option to true.
|
| DelegateEnrollment |
A Boolean that sets whether enrollment to the certificate authority via Keyfactor Command should be done in the context of the user making the request (true). If set to false, enrollment is done in the context of the service account under which the Keyfactor Command application pool is running unless ExplicitCredentials is true. Important: Delegation is only supported with Microsoft CAs and has limitations. Be sure to read more about delegation in Adding or Modifying a DCOM CA before setting this option to true.
|
| ForestRoot |
A string indicating the forest root name or DNS domain name for the certificate authority (e.g. keyexample.com). Note: This field is retained for legacy purposes and will auto-populate with the value provided in the ConfigurationTenant field.
|
| ConfigurationTenant |
A string indicating the forest root name or DNS domain name for the certificate authority (e.g. keyexample.com). For EJBCA CAs, this is a reference ID and does not need to be the DNS domain name. The short hostname of the EJBCA CA server makes a good reference ID. Important: EJBCA and Microsoft CAs cannot be configured with the same Configuration Tenant, so do not set this to the DNS domain name for an EJBCA CA if you will also be configuring Microsoft CAs in the same DNS domain.
|
| Remote | A Boolean that sets whether communications with the certificate authority are done via a Keyfactor Universal Orchestrator configured to manage remote CAs. If set to true, a value must be provided for the Agent. The default is false. |
| Agent | A string indicating the GUID of the Keyfactor Universal Orchestrator configured to manage the certificate authority (see Remote). |
| Standalone | A Boolean that sets whether the certificate authority is a standalone CA (true) or not (false). If both Standalone is set to true and AllowedEnrollmentTypes is set to 1 or 3, KeyRetention may be set. The default is false. |
| MonitorThresholds | A Boolean that sets whether threshold monitoring is enabled. If set to true, email alerts will be sent when certificate issuance or failures (including denials) since the last threshold alert was sent falls outside the configured limits. If this option is set to true, the following additional fields should also be set:
The DenialMax field has been deprecated and should always be zero. Monitoring is not supported for CAs accessed with the Keyfactor Universal Orchestrator. The default is false. See also ThresholdCheck to configure the monitoring frequency. Note: For full functionality of threshold monitoring, you must also configure email recipients for threshold alerts. These are configured globally rather than on a CA-by-CA basis. See Alert Recipients Tab for more information. |
| IssuanceMax | An integer that sets the maximum number of certificates that can be issued in the period between scheduled threshold monitoring alert emails before an alert is triggered. If more certificates than this are issued in the period, a notification will be included in the threshold monitoring email. This value is unset by default. |
| IssuanceMin | An integer that sets the minimum number of certificates that should be issued in the period between scheduled threshold monitoring alert emails before an alert is triggered. If fewer certificates than this are issued in the period, a notification will be included in the threshold monitoring email. This value is unset by default. |
| DenialMax | This is considered deprecated and may be removed in a future release. |
| FailureMax | An integer that sets the maximum number of certificate requests that can fail or be denied in the period between scheduled threshold monitoring alert emails before an alert is triggered. If more certificate requests than this fail in the period, a notification will be included in the threshold monitoring email. This value is unset by default. |
| RFCEnforcement |
A Boolean that sets whether certificate enrollments made through Keyfactor Command for this CA must include at least one DNS SAN (true) or not (false). In the Keyfactor Command Management Portal, this causes the CN entered in PFX enrollment to automatically be replicated as a SAN, which the user can either change or accept. For CSR enrollment, if the CSR does not have a SAN that matches the CN, one will automatically be added to the certificate if this is set. The default is false. Tip: The RFCEnforcement option at the CA level is used only for standalone CAs. RFC enforcement for enterprise CAs is configured on a template-by-template basis (see PUT Templates).
|
| Properties | A string indicating additional properties about the certificate authority. This field is used to store the configuration for the Sync External Certificates option. This option allows foreign certificates that have been imported into a Microsoft CA to be synchronized to Keyfactor Command along with the certificates issued by the Microsoft CA. The setting is referenced using the following format: {\"syncExternal\":true} OR {\"syncExternal\":false} |
| AllowedEnrollmentTypes |
An integer that sets the type(s) of enrollment that are allowed through Keyfactor Command for the certificate authority. This value is 0 by default. |
| KeyRetention |
An integer that sets the type of key retention to enable for the certificate authority, if any. Values of 2 and 3 require setting KeyRetentionDays. This value is unset by default. Tip: The KeyRetention option at the CA level is used only for standalone CAs. Key retention for enterprise CAs is configured on a template-by-template basis (see PUT Templates).
KeyRetention on a CA may only be set to a value other than zero if both Standalone is set to true and AllowedEnrollmentTypes is set to 1 or 3. Some level of private key retention must be configured when using PFX enrollment with a standalone CA. See Adding or Modifying a DCOM CA for more information. |
| KeyRetentionDays | An integer indicating the number of days for which to retain the private keys for certificates issued by this certificate authority before scheduling them for deletion. This value is unset by default. |
| ExplicitCredentials | A Boolean that sets whether explicit credentials are enabled for this certificate authority (true) or not (false). Set this to true for CAs that do not support integrated authentication or are not configured for integrated authentication and enter credentials in the ExplicitUser and ExplicitPassword fields. This option is only supported for Microsoft CAs. The default is false. Tip: This option is set to true primarily for Microsoft CAs where integrated authentication is not supported. Integrated authentication is generally supported for Microsoft CAs, Keyfactor CA gateways, or Keyfactor CA management gateways on servers joined to the local Active Directory forest in which Keyfactor Command is installed and any Active Directory forests in a two-way trust with this forest. |
| SubscriberTerms |
A Boolean that sets whether to add a checkbox on the enrollment pages to force users to agree to a custom set of terms before enrolling (true) or not (false). The default is false. Note: The subscriber terms setting does not apply to enrollments done through the Keyfactor API.
Tip: Configure a link to the custom terms using the URL to Subscriber Terms application setting. See Application Settings: Enrollment Tab for more information.
|
| ExplicitUser | A string indicating the username, in the format DOMAIN\username, for a service account user in the forest in which the Microsoft CA resides or, for non-domain-joined machines, local machine account credentials on the machine on which the CA is installed when ExplicitCredentials is set to true. Tip: This service account user needs appropriate permissions in the Microsoft CA security settings to accomplish the tasks you plan to carry out for this CA through Keyfactor Command. For example:
Note: When the ExplicitCredentials option is configured, enrollment and other tasks (e.g. revocation) is done in the context of the user configured here, not the user making the request in Keyfactor Command. This overrides the existing AD security policy used by Keyfactor Command. |
| ExplicitPassword |
An object indicating the password information to use for authentication along with the ExplicitUser if ExplicitCredentials is True. Supported methods to store secret information are:
Due to its sensitive nature, this value is not returned in responses. |
| UseAllowedRequesters |
A Boolean that sets whether the allowed requesters option is enabled (true) or not (false). See also AllowedRequesters. The default is false. Tip: This option is supported for all CAs, but it must be used for Microsoft CAs where integrated authentication is not supported and EJBCA CAs. Integrated authentication is generally supported for Microsoft CAs, Keyfactor CA gateways, or Keyfactor CA management gateways on servers joined to the local Active Directory forest in which Keyfactor Command is installed and any Active Directory forests in a two-way trust with this forest. Since Keyfactor Command cannot make use of the access control model of the CA itself to determine which users can enroll for certificates at either a template or CA level without using integrated authentication, this setting replaces that functionality. This setting is similar to setting request certificates for the selected security roles at the CA level on a Microsoft CA.
Tip: For CAs in a two-way trust you don't usually need to enable UseAllowedRequesters on the CA, though this may be required in some circumstances depending on the security configuration in the environment. However, templates for a two-way trust environment always require configuration of this option at a template level to support enrollment (see Certificate Template Operations and see PUT Templates).
|
| AllowedRequesters |
An array of strings indicating Keyfactor Command security roles that are allowed to enroll for certificates via Keyfactor Command for this CA. For example: Copy
The allowed requesters option is used to select Keyfactor Command security roles that a user must belong to in order to successfully enroll for certificates in Keyfactor Command via this CA. This is used for EJBCA CAs and Microsoft CAs where integrated authentication is not supported. Integrated authentication is generally supported for Microsoft CAs, Keyfactor CA gateways, or Keyfactor CA management gateways on servers joined to the local Active Directory forest in which Keyfactor Command is installed and any Active Directory forests in a two-way trust with this forest. Since Keyfactor Command cannot make use of the access control model of the CA itself to determine which users can enroll for certificates at either a template or CA level without using integrated authentication, this setting replaces that functionality. This setting is similar to setting request certificates for the selected security roles at the CA level on a Microsoft CA. In addition to granting permissions at the CA level, you need to enable the UseAllowedRequesters option to grant permissions on a template-by-template basis (see PUT Templates). The values set here are only considered if UseAllowedRequesters is set to true. |
| FullScan |
An object indicating the schedule for the full synchronization of this certificate authority. Prior to Command v11, it was possible to create a Keyfactor schedule via the API that was impossible to display via the Management Portal schedule picker. For example, an interval that is not on the interval dropdown (e.g., every 107 minutes). Now, the API will also not allow interval values to be saved that cannot be represented in the Management Portal. Previously saved schedules that don't meet these restrictions can still be parsed and used, but not edited and re-saved, as a result errors may be encountered on re-saving invalid schedules that were created via the API. Tip: There are two types of synchronization schedules available for CAs—Full and Incremental. You do not necessarily need to configure both types. A full scan reads all the certificates and certificate requests in the CA database and synchronizes them to Keyfactor Command regardless of their current state in Keyfactor Command. An incremental scan reads the certificates and certificate requests in the CA database that have been generated since the last full or incremental scan and synchronizes them to Keyfactor Command. A common configuration would be a full scan once or twice a week to provide a clean image of the CA database with a frequent incremental scan to provide timely updates to Keyfactor Command. For a large CA database, a full scan can take a long time to complete. Since an incremental scan only synchronizes updates that have occurred to the CA database since the last synchronization was run, this process is generally quick (other than for the initial synchronization when Keyfactor Command is first installed). The frequency of the incremental scans would depend on the volume of certificate requests coming into the CA.
|
| IncrementalScan |
An object indicating the schedule for the incremental synchronization of this certificate authority. Prior to Command v11, it was possible to create a Keyfactor schedule via the API that was impossible to display via the Management Portal schedule picker. For example, an interval that is not on the interval dropdown (e.g., every 107 minutes). Now, the API will also not allow interval values to be saved that cannot be represented in the Management Portal. Previously saved schedules that don't meet these restrictions can still be parsed and used, but not edited and re-saved, as a result errors may be encountered on re-saving invalid schedules that were created via the API. |
| ThresholdCheck |
An object indicating the schedule for threshold monitoring checks on this certificate authority (see MonitorThresholds). |
| CAType |
An integer indicating the type of CA:
|
| AuthCertificatePassword |
An object indicating the password for the certificate to use to authenticate to the EJBCA CA. Due to its sensitive nature, this value is not returned in responses. |
| AuthCertificate |
An object containing information about the client certificate used to provide authentication to the EJBCA CA. This certificate is used to authenticate to the EJBCA database for synchronization, enrollment and management of certificates. |
| EnforceUniqueDN | A Boolean that sets whether the unique DN requirement is enforced on the CA (true) or not (false). Toggling this to enable it will cause Keyfactor Command, upon enrollment, to search the EJBCA CA for end entities with DNs that match the DN in the certificate request. If a matching DN is found, the process will update the existing end entity in EJBCA with the new certificate request information rather than creating a new end entity. If you enable this option in Keyfactor Command, it must also be enabled on the matching EJBCA CA. A mismatch in these settings can result in enrollment failures. This setting applies to HTTPS CAs only. |
| AllowOneClickRenewals | A Boolean that sets whether the CA will allow (true) One-Click Renewal on certificates in this CA or not (false). If you wish to use One-Click Renewal for certificates, the Allow One-Click Renewals option must be enabled in both the templates and CAs to which you want
One-Click Renewal
to apply (see
Certificate Template Operations
and
|
| NewEndEntityOnRenewAndReissue |
A Boolean that sets whether a renewal and reissue requests against an EJBCA CA will create a new end entity for the new certificate (true) or attempt to associate the new certificate with the existing end entity (false). The default is false. This value must be set to true for CA records created for the Keyfactor AnyCA Gateway REST to allow renewal and reissue enrollments to succeed. |
| LastScan | A string indicating the date, in UTC, on which a synchronization was last performed for the CA. |
An API is a set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command. endpoints can be called and results returned. It is intended to be used primarily for validation, testing and workflow A workflow is a series of steps necessary to complete a process. In Keyfactor Command, it refers to the workflow builder, which allows you to automate event-driven tasks such as when a certificate is requested, revoked or found in a certificate store. development. It also serves secondarily as documentation for the API. The link to the Keyfactor API Reference and Utility is in the dropdown from the help icon (
) at the top of the Management Portal page next to the Log Out button.