PUT Certificate Stores Discovery Job
The PUT /CertificateStores/DiscoveryJob method is used to schedule a discovery job for certificate stores. The certificate store discovery feature is used to scan machines and devices for existing certificates and certificate stores, which can then be configured for management in Keyfactor Command. Certificate store discovery is supported for:
- PEM and Java certificate stores discovered by the Keyfactor Java Agent. Only stores to which the service account running the Keyfactor Java Agent has at least read permissions will be returned on a discovery job.
  - PEM: A PEM format certificate file is a base64-encoded certificate. Since it's presented in ASCII, you can open it in any text editor. PEM certificates always begin and end with entries like -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. PEM certificates can contain a single certificate or a full certificate chain and may contain a private key. In general, extensions of .cer and .crt are certificate files with no private key, .key is a separate private key file, and .pem is both a certificate and private key.
  - Java Agent: The Java Agent, one of Keyfactor's suite of orchestrators, is used to perform discovery of Java keystores and PEM certificate stores, to inventory discovered stores, and to push certificates out to stores as needed.
- PEM, Java, F5, F5 bundle and SSL certificates discovered by the Keyfactor Universal Orchestrator with an appropriate custom extension. For more information about the Keyfactor Universal Orchestrator and custom extensions, see Keyfactor Universal Orchestrator.
  - SSL: TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are protocols for establishing authenticated and encrypted links between networked computers.
  - Universal Orchestrator: The Keyfactor Universal Orchestrator, one of Keyfactor's suite of orchestrators, is used to interact with servers and devices for certificate management, run SSL discovery and management tasks, and manage synchronization of certificate authorities in remote forests. With the addition of custom extensions, it can provide certificate management capabilities on a variety of platforms and devices (e.g. Amazon Web Services (AWS) resources, Citrix\NetScaler devices, F5 devices, IIS stores, JKS keystores, PEM stores, and PKCS#12 stores) and execute tasks outside the standard list of certificate management functions. It runs on either Windows or Linux servers or Linux containers.
  - Orchestrators: Keyfactor orchestrators perform a variety of functions, including managing certificate stores and SSH key stores.
- Any custom certificate store types configured to support this function.
This endpoint returns 204 with no content upon success. (An endpoint is a URL that enables the API to gain access to resources on a server.) The method schedules the discovery job through the orchestrator. The results of the discovery job are determined separately (see POST Certificate Stores Approve).
Permissions for certificate stores can be set at either the global or certificate store container level. See Container Permissions for more information about global vs container permissions.
Table 395: PUT Certificate Stores Discovery Job Input Parameters
Name | In | Description |
---|---|---|
ClientMachine | Body | Required. A string indicating the name in Keyfactor Command of the client machine that will do the discovery. This is not necessarily the actual DNS name of the server; the orchestrator may have been installed using an alternative as a reference name. |
AgentId | Body | Required. A string indicating the Keyfactor Command reference GUID of the orchestrator for this store. |
Type | Body | An integer indicating the ID of the certificate store type, as defined in Keyfactor Command, for this certificate store. Built-in certificate store types are: 0-Javakeystore, 2-PEMFile, 3-F5SSLProfiles, 4-IISRoots, 5-NetScaler, 6-IISPersonal, 7-F5WebServer, 8-IISRevoked, 9-F5WebServerREST, 10-F5SSLProfilesREST, 11-F5CABundlesREST, 100-AmazonWebServices, 101-FileTransferProtocol. Any custom extensions for the Keyfactor Universal Orchestrator you add will have certificate store types numbered 102+. The default is 0 for a JKS discovery using the Keyfactor Java Agent. |
JobExecutionTimestamp | Body | The date and time at which the discovery job should run. If no date is provided, the job will be scheduled to run immediately. The date and time should be given using the ISO 8601 UTC time format YYYY-MM-DDTHH:mm:ss.000Z (e.g. 2023-11-19T16:23:01Z). |
Dirs | Body | Required. A string containing the directory or directories to search during the discovery job. Multiple directories should be separated by commas. |
IgnoredDirs | Body | A string containing the directories that should not be included in the search. Multiple directories should be separated by commas. |
Extensions | Body | A string containing the file extensions for which to search. For example, search for files with the extension jks in order to exclude files with other extensions such as txt. Use noext to search for files without extensions. The dot should not be included when specifying extensions. |
NamePatterns | Body | A string against which to compare the file names of certificate store files and return only those that contain the specified string (e.g. myjks). |
SymLinks | Body | A Boolean that sets whether the job should follow symbolic links on Linux and UNIX operating systems and report both the actual location of a found certificate store file in addition to the symbolic link pointing to the file. This option is ignored on Windows. |
Compatibility | Body | A Boolean that sets whether the job will run using the compatibility mode introduced in Java version 1.8 to locate both JKS and PKCS12 type files (true) or not (false). This option applies only to Java keystore discovery jobs. |
ServerUsername | Body | Required*. The username used to connect to the certificate store server. Note: Secret data is stored in the secrets table or a PAM provider and is not returned in responses. This field is required only for select certificate store types that require authentication at the server level. These include F5, Citrix/NetScaler, IIS, and any other custom method you've defined to support this. |
ServerPassword | Body | Required*. The password used to connect to the certificate store server. Note: Secret data is stored in the secrets table or a PAM provider and is not returned in responses. This field is required only for select certificate store types that require authentication at the server level. These include F5, Citrix/NetScaler, IIS, and any custom method you've defined to support this. |
ServerUseSsl | Body | A Boolean that indicates whether Keyfactor Command will use SSL to communicate with the certificate store server (true) or not (false). The default is false. |
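
The following added example (not Keyfactor's own code) builds and validates a request body from the parameters in the table above and masks the password before logging. It assumes that credentials are passed as plain strings, that multiple extensions are comma-separated, and that type IDs 3 through 11 are the F5, NetScaler and IIS types needing server credentials; it also sets ServerUseSsl to true by default when credentials are sent, which differs from the API default of false.

```python
import json
from datetime import datetime, timezone

# Assumption: IDs from the Type row that map to F5, NetScaler and IIS stores.
SERVER_AUTH_TYPES = {3, 4, 5, 6, 7, 8, 9, 10, 11}


def build_discovery_body(client_machine, agent_id, dirs, store_type=0, run_at=None,
                         ignored_dirs=(), extensions=(), name_pattern="",
                         sym_links=False, server_username=None,
                         server_password=None, server_use_ssl=True):
    """Build and validate the JSON body for PUT /CertificateStores/DiscoveryJob."""
    if not (client_machine and agent_id and dirs):
        raise ValueError("ClientMachine, AgentId and Dirs are required")
    body = {
        "ClientMachine": client_machine,
        "AgentId": agent_id,
        "Type": store_type,
        "Dirs": ",".join(dirs),                  # multiple directories: commas
        "IgnoredDirs": ",".join(ignored_dirs),
        # Extensions carry no dot; joining with commas is an assumption.
        "Extensions": ",".join(e.lstrip(".") for e in extensions),
        "NamePatterns": name_pattern,
        "SymLinks": sym_links,                   # ignored on Windows
    }
    if run_at is not None:                       # omitted means run immediately
        if run_at.tzinfo is None:
            raise ValueError("run_at must be timezone-aware")
        body["JobExecutionTimestamp"] = run_at.astimezone(timezone.utc).strftime(
            "%Y-%m-%dT%H:%M:%SZ")
    if store_type in SERVER_AUTH_TYPES:
        if not (server_username and server_password):
            raise ValueError("ServerUsername and ServerPassword are required")
        body.update(ServerUsername=server_username, ServerPassword=server_password,
                    ServerUseSsl=server_use_ssl)
    return body


def redacted(body):
    """Copy of the body that is safe to log: the password is masked."""
    return {k: ("***" if k == "ServerPassword" else v) for k, v in body.items()}


if __name__ == "__main__":
    # Constructed sample values; the GUID and machine name are placeholders.
    sample = build_discovery_body(
        "appsrv-ref-name", "00000000-0000-0000-0000-000000000000",
        ["/opt/app", "/etc/ssl"], store_type=2, extensions=[".pem", "crt"],
        run_at=datetime(2023, 11, 19, 16, 23, 1, tzinfo=timezone.utc))
    print(json.dumps(redacted(sample), indent=2))
```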


