Documentation Suite v25.1.1

Submit Search

POST Certificate Stores Approve

The POST /CertificateStores/Approve method is used to approve one or more certificate stores currently in the pending state—having been discovered using the certificate store discover option (see PUT Certificate Stores Discovery Job). If more than one certificate store is included in the array, all stores must be of the same store type (e.g. Java keystore). This endpoint An endpoint is a URL that enables the API to gain access to resources on a server. returns 204 with no content upon success.

Tip: The following permissions (see Security Roles and Claims) are required to use this feature:

/certificate_stores/modify/

/certificate_stores/modify/#/ (where # is a reference to a specific certificate store container ID)

Permissions for certificate stores can be set at either the global or certificate store container level. See Container Permissions for more information about global vs container permissions.

Table 398: POST Certificate Stores Approve Input Parameters

Name In Description

Body

Required. The GUID of the pending certificate store.

Use the GET /CertificateStores method (see GET Certificate Stores) with a query of “Approved -eq false” to retrieve a list of all your unapproved certificate stores to determine the GUID of the store.

ContainerId

Body

An integer that identifies the container in which the certificate store should be placed on approval. Use the GET /CertificateStores/Containers method (see GET Certificate Store Containers) to retrieve a list of your defined certificate store containers to determine the container ID to use.

CertStoreType Body Required. An integer indicating the ID of the certificate store type, as defined in Keyfactor Command, for this certificate store. Built-in certificates store types are: (0-Javakeystore, 2-PEMFile, 3-F5SSLProfiles,4-IISRoots, 5-NetScaler, 6-IISPersonal, 7-F5WebServer, 8-IISRevoked, 9-F5WebServerREST, 10-F5SSLProfilesREST, 11-F5CABundlesREST, 100-AmazonWebServices, 101-FileTransferProtocol). Any custom extensions for the Keyfactor Universal Orchestrator you add will have certificate store types numbered 102+.

Properties

Body

Required^*. Some types of certificate stores have additional properties that are stored in this parameter. The data is stored in a series of, typically, key value pairs that define the property name and value (see GET Certificate Store Types for more information).

When reading this field, the values are returned as simple key value pairs, with the values being individual values. When writing, the values are specified as objects, though they are typically single values.

For example, on a GET request for a PEM store configured with a separate private key, the contents of this field might be:

"{
\"privateKeyPath\":\"/opt/app/mystore.key\",
\"separatePrivateKey\":\"true\"
}"

However, the syntax used when updating the properties sets the value as a key value pair using value as the key. For example, on a POST or PUT request for a PEM store configured with a separate private key, the contents of this field might be:

Copy

{
   \"privateKeyPath\":{\"value\":\"/opt/app/mystore.key\"},
   \"separatePrivateKey\":{\"value\":\"true\"}
}

An example server properties parameter POST for an F5 or Citrix NetScaler store would contain:

Copy

"{
   \"ServerUsername\":{\"value\":{\"SecretValue\":\"KEYEXAMPLE\\\\jsmith\"}},
   \"ServerPassword\":{\"value\":{\"SecretValue\":\"MySuperSecretPassword\"}},
   \"ServerUseSsl\":{\"value\":\"true\"}
}"

An example server properties parameter POST for an F5 or Citrix NetScaler store with the username and password stored as PAM secrets would contain (where the Provider value—1 in this example—is the Id value from GET PAM Providers):

Copy

"{
   \"ServerUsername\":{\"value\":{\"Provider\":\"1\",\"Parameters\":{\"SecretId\":\"MyUserID\"}}},
   \"ServerPassword\":{\"value\":{\"Provider\":\"1\",\"Parameters\":{\"SecretId\":\"MyPasswordID\"}}},
   \"ServerUseSsl\":{\"value\":\"true\"}
}"

Note: There are three standard properties that are used for certificate store types that require server credentials (e.g. F5):

ServerUsername
ServerPassword
ServerUseSsl

These replace the separate certificate store server records that existed in previous versions of Keyfactor Command. For legacy support, if credentials are not provided through store properties during creation or editing of a certificate store, Keyfactor Command will attempt to find a certificate store server record and copy the credentials from it into the store properties for future use.

This field is required for certificate store types that store additional properties in this parameter.

InventorySchedule

Body

An object indicating the inventory schedule for this certificate store. Show schedule details.

Name Description

Off Turn off a previously configured schedule.

Immediate

A Boolean that indicates a job scheduled to run immediately (true) or not (false).

Tip: In some instances, jobs initially scheduled as Immediate will appear on a GET as null.

Interval

A dictionary that indicates a job scheduled to run every x minutes with the specified parameter. Any interval that is selected in the UI will be converted to minutes when stored in the database.

Name	Description
Minutes	An integer indicating the number of minutes between each interval.

For example, every hour:

Copy

"Interval": {
   "Minutes": 60
}

Daily

A dictionary that indicates a job scheduled to run every day at the same time with the parameter:

Name	Description
Time	The date and time to next run the job. The date and time should be given using the ISO 8601 UTC time format YYYY-MM-DDTHH:mm:ss.000Z (e.g. 2023-11-19T16:23:01Z).

For example, daily at 11:30 pm:

Copy

"Daily": {
   "Time": "2023-11-25T23:30:00Z"
}

Weekly

A dictionary that indicates a job scheduled to run on a specific day or days every week at the same time with the parameters:

Name	Description
Time	The date and time to next run the job. The date and time should be given using the ISO 8601 UTC time format YYYY-MM-DDTHH:mm:ss.000Z (e.g. 2023-11-19T16:23:01Z).
Days	An array of values representing the days of the week on which to run the job. These can either be entered as integers (0 for Sunday, 1 for Monday, etc.) or as days of the week (e.g. “Sunday”).

For example, every Monday, Wednesday and Friday at 5:30 pm:

Copy

"Weekly": {
   "Days": [
      "Monday",
      "Wednesday",
      "Friday"
   ],
   "Time": "2023-11-27T17:30:00Z"
}

Exactly Once

A dictionary that indicates a job scheduled to run at the time specified with the parameter:

Name	Description
Time	The date and time to next run the job. The date and time should be given using the ISO 8601 UTC time format YYYY-MM-DDTHH:mm:ss.000Z (e.g. 2023-11-19T16:23:01Z).

For example, exactly once at 11:45 am:

Copy

"ExactlyOnce": {
   "Time": "2023-11-27T11:45:00Z"
}

Tip: In some instances, jobs initially scheduled as Immediate will appear on a GET as ExactlyOnce.

Password

Body

Required. An object indicating the source for and details of the credential information Keyfactor Command will use to access the certificates in a specific certificate store (the store password). This is different from credential information Keyfactor Command uses to access a certificate store server as a whole. The former (this setting) is typically used for Java keystores; the latter is typically used for certificates stores in Windows certificate stores and on Citrix NetScaler and F5 devices and set at the server level, not the certificate store level.

Certificate stores that require credentials support up to three possible credential options:

Use no store password.

This option is supported for Java keystores that would normally require a password, but can be configured with the no password option (see Value, below).
Store the credential information in the Keyfactor secrets table.

A Keyfactor secret is a user-defined password that is encrypted and stored securely in the Keyfactor Command database.
Load the credential information from a PAM provider.

See Privileged Access Management (PAM) and PAM Providers for more information.

Show password details.

Name

Description

SecretValue

A string—submitted as an object—indicating a password to be stored as a Keyfactor secret.

Tip: To set the no password option on a store, submit the password with a null value. For example:

Copy

"Password": {
   "SecretValue": {null}
}

To set the value to a string to be stored in the Keyfactor secrets table, include the password in quotes. For example:

Copy

"Password": {
   "SecretValue": "MyVerySecurePassword"
}

SecretTypeGuid A string indicating the Keyfactor Command reference GUID for the type of credentials. This value is automatically set by Keyfactor Command.

InstanceId The Keyfactor Command reference ID for the secret provider. If you are using a secret provider with an integer ID, this will be used. This value is automatically set by Keyfactor Command.

InstanceGuid The Keyfactor Command reference GUID for the secret provider. If you are using a secret provider with a GUID ID, this will be used. This value is automatically set by Keyfactor Command.

ProviderTypeParameterValues

An array of objects containing the values for the provider types specified by ProviderTypeParams. Show PAM provider type parameter value details.

Name

Description

An integer indicating the Keyfactor Command reference ID for the PAM provider type parameter.

Value

A string indicating the value set for the parameter (e.g. the name of the CyberArk folder where the protected object that stores the username or password resides).

Instance Id

An integer indicating the Keyfactor Command reference ID for the PAM provider. If you are attaching to something with an integer Id, this will be used.

Instance Guid

A string indicating the Keyfactor Command reference GUID for the PAM provider. If you are attaching to something with a GUID ID, this will be used.

Provider

An object containing information about the provider. Show PAM provider details.

Name

Description

An integer indicating the Keyfactor Command reference ID for the PAM provider.

Name

A string indicating the internal name for the PAM provider.

Area

An integer indicating the area of Keyfactor Command the provider is used for. PAM providers generally have a value of 1, indicating they are used for certificate stores.

Provider Type

An array of objects containing details about the provider type for the provider, including:

Name

Description

A string indicating the Keyfactor Command reference GUID for the provider type.

Name

A string that indicates the name of the provider type.

Provider Type Params

An array of parameters that the provider type uses for data input in Keyfactor Command when creating new PAM provider and certificate store records.

See below instance of ProviderTypeParam for details.

Provider Type Param Values

An array of objects containing the values for the provider types specified by ProviderTypeParams. See the previous level of ProviderTypeParamValues for details.

Secured Area Id

An integer indicating the Keyfactor Command reference ID for the certificate store container the PAM provider is associated with, if any.

This is considered deprecated and may be removed in a future release.

Remote

A Boolean indicating whether the Remote Provider checkbox is checked when adding a new PAM provider (true), or not (false). See PAM Provider Configuration in Keyfactor Command.

Provider Type Param

An array of objects that the provider type uses for data input in Keyfactor Command when creating new PAM provider and certificate store records. Show PAM provider type parameter details.

Name

Description

An integer indicating the Keyfactor Command reference ID for the PAM provider type parameter.

Name

A string indicating the internal name for the PAM provider type parameter.

Display Name

A string indicating the display name for the PAM provider type parameter. For parameters with an InstanceLevel of false, this name appears on the PAM provider dialog for the parameter when a user creates a new PAM provider. For parameters with an InstanceLevel of true, this name appears on the Server dialog for the parameter when a user creates a new PAM provider.

Data Type

An integer indicating the data type for the parameter. Possible values are:

1 = String
2 = Secret

Instance Level

A Boolean that sets whether the parameter is used to define the underlying PAM provider (false) or a field that needs to be set to a value when configuring a certificate store to use the PAM provider (true).

For an example, see GET PAM Providers.

Provider Type

An object containing details for the provider type.

Name	Description
Id	A string indicating the Keyfactor Command reference GUID for the PAM provider type parameter.
Name	A string indicating the internal name for the PAM provider type parameter.
Provider Type Params	Unused field

Provider

An integer indicating the Keyfactor Command reference ID for the PAM provider.

IsManaged A Boolean indicating whether the credentials for the store are managed by a PAM provider (true) or stored in the Keyfactor secrets table (false). This value is automatically set by Keyfactor Command.

This field is required for Java keystores.

Tip: See the Keyfactor API Reference and Utility which provides a utility through which the Keyfactor API

An API is a set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command. endpoints can be called and results returned. It is intended to be used primarily for validation, testing and workflow

A workflow is a series of steps necessary to complete a process. In Keyfactor Command, it refers to the workflow builder, which allows you to automate event-driven tasks such as when a certificate is requested, revoked or found in a certificate store. development. It also serves secondarily as documentation for the API. The link to the Keyfactor API Reference and Utility is in the dropdown from the help icon (

) at the top of the Management Portal page next to the Log Out button.

Was this page helpful? Provide Feedback

Version v25.1.1

On this page: