Interoperability

This page summarizes Keyfactor Command's interoperability across common formats, algorithms, enrollment protocols, HSMs, and relevant standards. It highlights what’s officially supported, what’s been validation-tested, and what is known to be compatible in customer environments. It isn’t an exhaustive list of every possible integration.

What Supported Means
  • Supported: Actively covered by product design and QA; eligible for standard support.

  • Validation-tested: Tested with specific versions or profiles; support is best-effort if you deviate.

  • Compatible: Known to work, but not in current test matrix; support limited to guidance.

Specifications

This section lists Keyfactor Command’s supported certificate formats and standards, algorithms and key types, and certificate enrollment protocols to help you verify compatibility and plan integrations.

Certificate Formats and Standards

Keyfactor Command supports the following formats and standards.

Table 3: Certificate Formats and Standards

Supported standard                                                          External reference documentation
X.509/PKIX: Certificate and CRL Profile                                     RFC 5280
PEM: Textual Encodings of PKIX, PKCS, and CMS Structures                    RFC 7468
PKCS#10: Certification Request Syntax                                       RFC 2986
PKCS#7: Cryptographic Message Syntax                                        RFC 5652
PKCS#12: Personal Information Exchange Syntax                               RFC 7292
RFC 9525: Service Identity in TLS (obsoletes RFC 6125; see also RFC 2818)   RFC 2818, RFC 9525

Algorithms and Key Types

Keyfactor Command supports the following algorithm types, key sizes, curves, and parameter sets.

Table 4: Algorithms and Key Types

Each row gives the algorithm, its supported key sizes, curves, or parameter sets, notes on where that key type can be used, and external reference documentation where the table lists one.

ECDSA
Curves:
  B-571, B-409, B-283, B-233, B-163
  brainpoolP160r1, brainpoolP160t1, brainpoolP192r1, brainpoolP192t1, brainpoolP224r1, brainpoolP224t1, brainpoolP256r1, brainpoolP256t1, brainpoolP320r1, brainpoolP320t1, brainpoolP384r1, brainpoolP384t1, brainpoolP512r1, brainpoolP512t1
  c2pnb163v1, c2pnb163v2, c2pnb163v3, c2pnb176w1, c2pnb208w1, c2pnb272w1, c2pnb304w1, c2pnb368w1
  c2tnb191v1, c2tnb191v2, c2tnb191v3, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2tnb359v1, c2tnb431r1
  FRP256v1
  K-571, K-409, K-283, K-233, K-163
  P-521, P-384, P-256, P-224, P-192
  prime192v1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, prime256v1
  secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, secp256r1, secp384r1, secp521r1
  sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect571r1
  sm2p256v1, wapip192v1
Notes:
  • Supported as the primary key for enrollment.
  • Supported for CSR generation.
  • Supported for certificate import/synchronization.
  • See also ECDSA OIDs (Table 5).

EdDSA
Curves: Ed448, Ed25519
Notes:
  • Supported as the primary key for enrollment.
  • Supported for CSR generation.
  • Supported for certificate import/synchronization.
External reference documentation: RFC 8032, RFC 8410

ML-DSA
Parameter sets: ML-DSA-44, ML-DSA-65, ML-DSA-87
Notes:
  • Supported as either the primary or secondary key (hybrid certificates) for enrollment.
  • An ML-DSA primary key cannot be used for a hybrid certificate (a certificate with both a primary and alternative key).
  • Supported for CSR generation.
  • Supported for certificate import/synchronization.
External reference documentation: FIPS 204

RSA
Key sizes: 1024, 2048, 3072, 4096, 6144, 8192, 16384
Notes:
  • Supported as the primary key for enrollment.
  • Supported for CSR generation.
  • Supported for certificate import.
  • On certificate import/synchronization, other key sizes are accepted (e.g., 512).

SLH-DSA
Parameter sets: SLH-DSA-SHA2-128f, SLH-DSA-SHA2-128s, SLH-DSA-SHA2-192f, SLH-DSA-SHA2-192s, SLH-DSA-SHA2-256f, SLH-DSA-SHA2-256s, SLH-DSA-SHAKE-128f, SLH-DSA-SHAKE-128s, SLH-DSA-SHAKE-192f, SLH-DSA-SHAKE-192s, SLH-DSA-SHAKE-256f, SLH-DSA-SHAKE-256s
Notes:
  • Supported as either the primary or secondary key (hybrid certificates) for enrollment.
  • An SLH-DSA primary key cannot be used for a hybrid certificate (a certificate with both a primary and alternative key).
  • Supported for CSR generation.
  • Supported for certificate import/synchronization.
External reference documentation: FIPS 205

ECDSA OIDs

Table 5: ECDSA OIDs

Name OID
B-571 1.3.132.0.39
B-409 1.3.132.0.37
B-283 1.3.132.0.17
B-233 1.3.132.0.27
B-163 1.3.132.0.15
brainpoolP160r1 1.3.36.3.3.2.8.1.1.1
brainpoolP160t1 1.3.36.3.3.2.8.1.1.2
brainpoolP192r1 1.3.36.3.3.2.8.1.1.3
brainpoolP192t1 1.3.36.3.3.2.8.1.1.4
brainpoolP224r1 1.3.36.3.3.2.8.1.1.5
brainpoolP224t1 1.3.36.3.3.2.8.1.1.6
brainpoolP256r1 1.3.36.3.3.2.8.1.1.7
brainpoolP256t1 1.3.36.3.3.2.8.1.1.8
brainpoolP320r1 1.3.36.3.3.2.8.1.1.9
brainpoolP320t1 1.3.36.3.3.2.8.1.1.10
brainpoolP384r1 1.3.36.3.3.2.8.1.1.11
brainpoolP384t1 1.3.36.3.3.2.8.1.1.12
brainpoolP512r1 1.3.36.3.3.2.8.1.1.13
brainpoolP512t1 1.3.36.3.3.2.8.1.1.14
c2pnb163v1 1.2.840.10045.3.0.1
c2pnb163v2 1.2.840.10045.3.0.2
c2pnb163v3 1.2.840.10045.3.0.3
c2pnb176w1 1.2.840.10045.3.0.4
c2pnb208w1 1.2.840.10045.3.0.10
c2pnb272w1 1.2.840.10045.3.0.16
c2pnb304w1 1.2.840.10045.3.0.17
c2pnb368w1 1.2.840.10045.3.0.19
c2tnb191v1 1.2.840.10045.3.0.5
c2tnb191v2 1.2.840.10045.3.0.6
c2tnb191v3 1.2.840.10045.3.0.7
c2tnb239v1 1.2.840.10045.3.0.11
c2tnb239v2 1.2.840.10045.3.0.12
c2tnb239v3 1.2.840.10045.3.0.13
c2tnb359v1 1.2.840.10045.3.0.18
c2tnb431r1 1.2.840.10045.3.0.20
FRP256v1 1.2.250.1.223.101.256.1
K-571 1.3.132.0.38
K-409 1.3.132.0.36
K-283 1.3.132.0.16
K-233 1.3.132.0.26
K-163 1.3.132.0.1
P-521 1.3.132.0.35
P-384 1.3.132.0.34
P-256 1.2.840.10045.3.1.7
P-224 1.3.132.0.33
P-192 1.2.840.10045.3.1.1
prime192v1 1.2.840.10045.3.1.1
prime192v2 1.2.840.10045.3.1.2
prime192v3 1.2.840.10045.3.1.3
prime239v1 1.2.840.10045.3.1.4
prime239v2 1.2.840.10045.3.1.5
prime239v3 1.2.840.10045.3.1.6
prime256v1 1.2.840.10045.3.1.7
secp112r1 1.3.132.0.6
secp112r2 1.3.132.0.7
secp128r1 1.3.132.0.28
secp128r2 1.3.132.0.29
secp160k1 1.3.132.0.9
secp160r1 1.3.132.0.8
secp160r2 1.3.132.0.30
secp192k1 1.3.132.0.31
secp192r1 1.2.840.10045.3.1.1
secp224k1 1.3.132.0.32
secp224r1 1.3.132.0.33
secp256k1 1.3.132.0.10
secp256r1 1.2.840.10045.3.1.7
secp384r1 1.3.132.0.34
secp521r1 1.3.132.0.35
sect113r1 1.3.132.0.4
sect113r2 1.3.132.0.5
sect131r1 1.3.132.0.22
sect131r2 1.3.132.0.23
sect163k1 1.3.132.0.1
sect163r1 1.3.132.0.2
sect163r2 1.3.132.0.15
sect193r1 1.3.132.0.24
sect193r2 1.3.132.0.25
sect233k1 1.3.132.0.26
sect233r1 1.3.132.0.27
sect239k1 1.3.132.0.3
sect283k1 1.3.132.0.16
sect283r1 1.3.132.0.17
sect571r1 1.3.132.0.39
sm2p256v1 1.2.156.10197.1.301
wapip192v1 1.2.156.10197.1.301.101
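
As an added pre-enrollment check that is not part of the Keyfactor documentation: the stdlib-only script below decodes a DER SubjectPublicKeyInfo (the public-key structure inside an X.509 certificate or PKCS#10 request from Table 3), resolves the algorithm and named-curve OIDs against a subset of Table 5, and applies the RSA key-size rule from Table 4 (listed sizes for enrollment; other sizes such as 512 accepted only on import). The rsaEncryption and id-ecPublicKey OIDs are taken from RFC 8017 and RFC 5480; the CURVES map is a deliberately small subset, so its enroll/import flags are only meaningful for curves you add from Table 5; the sample keys are dummy bytes built by the helper, not real keys.

```python
# Classify a DER SubjectPublicKeyInfo (RFC 5280) against the key matrix in Tables 4 and 5.
RSA_OID = "1.2.840.113549.1.1.1"       # rsaEncryption (RFC 8017)
EC_OID = "1.2.840.10045.2.1"           # id-ecPublicKey (RFC 5480)
CURVES = {"1.2.840.10045.3.1.7": "P-256 (prime256v1, secp256r1)",   # subset of Table 5; one OID, three names
          "1.3.132.0.34": "P-384 (secp384r1)", "1.3.132.0.35": "P-521 (secp521r1)", "1.3.132.0.10": "secp256k1"}
RSA_ENROLL_SIZES = {1024, 2048, 3072, 4096, 6144, 8192, 16384}       # Table 4, RSA row

def tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; returns (tag, contents, end offset)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long form: low 7 bits give the number of length octets
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def oid(b):
    """Decode OBJECT IDENTIFIER contents (first octet = 40*arc1 + arc2, then base-128 arcs) into dotted form."""
    arcs, v = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        v = (v << 7) | (x & 0x7F)
        if not x & 0x80:
            arcs, v = arcs + [v], 0
    return ".".join(map(str, arcs))

def classify_spki(der_bytes):
    """Return key type, size/curve, and whether Table 4 lists it for enrollment and for import."""
    _, spki, _ = tlv(der_bytes)                     # SubjectPublicKeyInfo ::= SEQUENCE
    _, alg, p = tlv(spki)                           #   algorithm AlgorithmIdentifier
    _, key, _ = tlv(spki, p)                        #   subjectPublicKey BIT STRING
    _, o, q = tlv(alg)
    o = oid(o)
    if o == RSA_OID:
        _, rsa_pub, _ = tlv(key[1:])                # skip unused-bits octet; RSAPublicKey ::= SEQUENCE
        _, n, _ = tlv(rsa_pub)                      #   modulus INTEGER
        bits = int.from_bytes(n, "big").bit_length()
        # Table 4: only the listed sizes enroll; import/sync also accepts other sizes (e.g. 512)
        return {"alg": "RSA", "param": bits, "enroll": bits in RSA_ENROLL_SIZES, "import": True}
    if o == EC_OID:
        _, c, _ = tlv(alg, q)                       # namedCurve parameter (RFC 5480)
        name = CURVES.get(oid(c))
        return {"alg": "ECDSA", "param": name or oid(c), "enroll": bool(name), "import": bool(name)}
    return {"alg": o, "param": None, "enroll": False, "import": False}

def der(tag, body):  # minimal DER encoder (short and long lengths), only for the constructed samples
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    return (bytes([tag, len(body)]) if len(body) < 128 else bytes([tag, 0x80 | len(lb)]) + lb) + body
def sample_spki(alg_hex, key, params=b""):  # constructed SPKI; key bytes are dummies, not a real key
    return der(0x30, der(0x30, der(0x06, bytes.fromhex(alg_hex)) + params) + der(0x03, b"\x00" + key))
def sample_rsa(bits):  # constructed RSA SPKI whose dummy modulus is exactly `bits` bits long
    n = der(0x02, b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big"))
    return sample_spki("2a864886f70d010101", der(0x30, n + der(0x02, b"\x01\x00\x01")), der(0x05, b""))
```

For a real key, pass the DER bytes of the SubjectPublicKeyInfo extracted from the certificate or CSR to classify_spki; sample_rsa(512) reports enroll False but import True, matching the RSA row of Table 4.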

Certificate Enrollment Protocols

For specific features supported in each protocol, see the detailed documentation.

Table 6: Certificate Enrollment Protocols

Each row gives the protocol or interface, notes on what it supports, the external reference, and the Keyfactor documentation to consult.

Automatic Certificate Management Environment (ACME)
  • Supports issuance, renewal, and revocation of certificates.
  • Compatible with a wide variety of ACME clients; tested with, and instructions provided for, Certbot and cert-manager.
  • Supports the well-known challenge types DNS-01 and HTTP-01.
External reference: RFC 8555
Documentation: Keyfactor ACME Documentation

Simple Certificate Enrollment Protocol (SCEP)
  • Supports certificate enrollment.
  • Supports SCEP infrastructure certificate renewal.
External reference: SCEP draft 23
Documentation: Keyfactor SCEP Documentation

Microsoft Active Directory AutoEnrollment Integration
  • Supports auto-enrollment for certificates.
Documentation: The Keyfactor Cloud Gateway supports AD AutoEnrollment (see Cloud Gateway).

Privileged Access Management and Hardware Security Modules

Keyfactor Command is vendor-neutral and interoperates with a wide range of PAM (Privileged Access Management) solutions and HSMs through standards-based interfaces. The solutions and models listed below have been explicitly tested and validated by Keyfactor.

Table 7: Privileged Access Management and Hardware Security Modules

Each row gives the vendor/model, its use cases, and the documentation to consult where the table lists one.

Fortanix Data Security Manager (DSM)
Use cases: Application-level encryption of Keyfactor Command secrets.
Documentation: Fortanix HSM

Keyfactor Command Local
Use cases: Used to secure credentials for, among others:
  • Certificate authorities
  • Certificate stores
  • Identity providers
  • SMTP
  • Workflow
Documentation: Privileged Access Management (PAM)

CyberArk Credential Provider
Use cases: Used to secure credentials for, among others:
  • Certificate authorities
  • Certificate stores
  • Identity providers
  • SMTP
  • Workflow

Delinea Secret Server (formerly Thycotic)
Use cases: Used to secure credentials for, among others:
  • Certificate authorities
  • Certificate stores
  • Identity providers
  • SMTP
  • Workflow

HashiCorp Vault
Use cases: Used to secure credentials for, among others:
  • Certificate authorities
  • Certificate stores
  • Identity providers
  • SMTP
  • Workflow

Google Cloud Secret Manager
Use cases: Used to secure credentials for, among others:
  • Certificate authorities
  • Certificate stores
  • Identity providers
  • SMTP
  • Workflow