POST Certificate Collections Copy

The POST /CertificateCollections/Copy method is used to copy an existing saved collectionClosed The certificate search function allows you to query the Keyfactor Command database for certificates from any available source based on any criteria of the certificates and save the results as a collection that will be availble in other places in the Management Portal (e.g. expiration alerts and certain reports). of certificates in order to create a new collection. The permissions, query and description of the existing collection are copied to the new collection. Providing the Query or Description parameterClosed A parameter or argument is a value that is passed into a function in an application. in the request overrides the copied value and replaces it with the value provided in the request. This method returns HTTP 200 OK on a success with details about the new certificate collection.

Tip:  The following permissions (see Security Roles and Claims) are required to use this feature:
/certificates/collections/read/
/certificates/collections/modify/
OR
/certificates/collections/read/#/ (where # is a reference to a specific certificate collection ID)
/certificates/collections/modify/#/ (where # is a reference to a specific certificate collection ID)

Permissions for certificates can be set at either the global or certificate collection level. See Certificate Collection Permissions for more information about global vs collection permissions.

See the information and example in the CopyFromId parameter.

Table 371: POST Certificate Collections Copy Input Parameters

Name In Description
Name Body Required. The name for the certificate collection. This name appears at the top of the page in the Keyfactor Command Management Portal for this collection and can be configured to appear on the Management Portal menu under Certificate Collections. It will also appear in other places within the Management Portal where you can reference certificate collections (e.g. expiration alerts and certain reports). Because it can appear on the menu and in selection dropdowns, the name should be fairly short.
Description Body Required. The description for the collection. This description appears at the top of the page in the Management Portal for this collection and can be more detailed than the collection name.

See also CopyFromId.
Query Body

Required*. A string containing the search criteria for the collection.

For example:

"Query": "(IssuedDate -ge \"%TODAY-7%\" AND TemplateShortName -ne NULL) OR (IssuedDate -ge \"%TODAY-7%\" AND IssuerDN -contains \"keyexample\")"

See Certificate Search Page for querying guidelines.

This parameter is required unless the CopyFromId is specified to create a new collection as a copy of an existing collection.

See also CopyFromId.
DuplicationField Body

An integer that sets the type of de-duplication (a.k.a. ignore renewed certificate results by) to apply to the collection when using the collection in areas of Keyfactor Command that apply de-duplication (e.g. expiration alerts). For more information, see Saving Search Criteria as a Collection. The default is 0. ClosedShow duplication field details.
ShowOnDashboard Body A Boolean that sets whether the results from this collection are included on the Management Portal dashboard Certificate Counts by Collection graph (true) or not (false). The default is false.
Favorite Body A Boolean that sets whether the collection appears on the Navigator (true) or not (false). The default is false.
CopyFromId Body

Required. An integer identifying an existing certificate collection from which to copy the query string.

Use the GET /CertificateCollections method (see GET Certificate Collections) to locate the ID of the collection whose query you wish to copy.

When you use this parameter, the permissions, query and description of the existing collection are copied to the new collection. Providing the Query or Description parameter in the request overrides the copied value and replaces it with the value provided in the request if the requesting user has global Read permissions for certificates. If the requesting user is granted Read permissions to the collection via collection-level security rather than global security, the Query the user provides will be appended to the existing query rather than overwriting it. See the below example.

Example:  Gina wants to create a new collection using the CopyFromId option. She first uses GET /CertificateCollections/{id} to list the collection she plans to copy from and sees the following results:
Copy
{
   "Id": 10,
   "Name": "Keyexample Collection",
   "Description": "Certificates in the Keyexample Domain",
   "Automated": false,
   "Content": "CN -contains \"keyexample.com\"",
   "DuplicationField": 2,
   "ShowOnDashboard": false,
   "Favorite": true
}

Gina wants her new certificate collection to retain the same collection-level permissions as the Keyexample Collection. However, she wants the collection to report on a different domain name. The Keyexample Collection is configured to grant collection-level permissions of Read, Edit Metadata, and Download with Private Key to the Power Users role.

At the Key Example company, users with the Power Users role do not have global certificate Read permissions because all certificate permissions are granted using certificate collection permissions. Only full Keyfactor Command administrators have global certificate Read permissions. Users with the Power Users role have Modify permissions for certificate collections to allow them to create new collections. This level of permissions is significant for what Gina wants to do. Gina holds the Power Users role and is not a full administrator.

Gina uses POST /CertificateCollections/Copy (or POST /CertificateCollections—the behavior and output would be the same) to create a new certificate collection using the CopyFromId option with the following command:

Copy
{
   "CopyFromId": 10,
   "Name": "Keyother Collection",
   "Description": "Certificates in the Keyother Domain",
   "Query": "CN -contains \"keyother.com\"",
   "DuplicationField": 2,
   "ShowOnDashboard": false,
   "Favorite": true
}

In the response, Gina sees the following:

Copy
{
   "Id": 15,
   "Name": "Keyother Collection",
   "Description": "Certificates in the Keyother Domain",
   "Automated": false,
   "Content": "(CN -contains \"keyexample.com\") AND (CN -contains \"keyother.com\")",
   "Query": "(CN -contains \"keyexample.com\") AND (CN -contains \"keyother.com\")",
   "DuplicationField": 2,
   "ShowOnDashboard": false,
   "Favorite": true
}

Notice that Gina has not achieved her desired goal. The new collection contains a query for both the keyexample.com domain and the keyother.com domain. Gina's new query was appended to the existing query rather than overwriting the existing query. This happened because Gina does not have global Read permissions for certificates and is done to prevent a user from increasing the scope of certificates they can view.

Gina asks Martha, who is a full Keyfactor Command administrator and has the global Read permissions for certificates, to copy the collection for her. Martha first deletes the first Keyother Collection that Gina created and then runs the same command that Gina ran to create a new collection.

In the response, Martha sees the following:

Copy
{
   "Id": 16,
   "Name": "Keyother Collection",
   "Description": "Certificates in the Keyother Domain",
   "Automated": false,
   "Content": "(CN -contains \"keyother.com\")",
   "Query": "(CN -contains \"keyother.com\")",
   "DuplicationField": 2,
   "ShowOnDashboard": false,
   "Favorite": true
}

Notice that when Martha runs the command, Gina's goal is achieved.

Table 372: POST Certificate Collections Copy Response Data

Name Description
ID The Keyfactor Command reference ID for the certificate collection. The ID is automatically assigned by Keyfactor Command.
Name The name for the certificate collection. This name appears at the top of the page in the Keyfactor Command Management Portal for this collection and can be configured to appear on the Management Portal menu under Certificate Collections. It will also appear in other places within the Management Portal where you can reference certificate collections (e.g. expiration alerts and certain reports). Because it can appear on the menu and in selection dropdowns, the name should be fairly short.
Description The description for the collection. This description appears at the top of the page in the Management Portal for this collection and can be more detailed than the collection name.
Content

A string containing the search criteria for the collection. This field contains the same value as Query and is retained for backwards compatibility.
Query

A string containing the search criteria for the collection.
DuplicationField

An integer that sets the type of de-duplication (a.k.a. ignore renewed certificate results by) to apply to the collection when using the collection in areas of Keyfactor Command that apply de-duplication (e.g. expiration alerts). For more information, see Saving Search Criteria as a Collection. ClosedShow duplication field details.
ShowOnDashboard A Boolean that sets whether the results from this collection are included on the Management Portal dashboard Certificate Counts by Collection graph (true) or not (false).
Favorite A Boolean that sets whether the collection appears on the Navigator (true) or not (false).
EstimatedCertCount An integer that is representative of the number of certificates that have been processed by theQueryItemsPopulator timer service. It is queryable but not sortable.
LastEstimated A date formatted MM/DD/YYYY hh:mm (i.e. 12/11/2023 12:45 PM) that is representative of the last time the collection was processed (i.e., the last time the QueryItemsPopulator timer service job ran).
Tip:  See the Keyfactor API Reference and Utility which provides a utility through which the Keyfactor APIClosed An API is a set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command. endpoints can be called and results returned. It is intended to be used primarily for validation, testing and workflowClosed A workflow is a series of steps necessary to complete a process. In Keyfactor Command, it refers to the workflow builder, which allows you to automate event-driven tasks such as when a certificate is requested, revoked or found in a certificate store. development. It also serves secondarily as documentation for the API. The link to the Keyfactor API Reference and Utility is in the dropdown from the help icon () at the top of the Management Portal page next to the Log Out button.