Keyfactor Command Service Automated Tasks

The Keyfactor Command Service runs several automated tasks for maintenance, alerting, reporting and similar purposes. The table below provides details of these tasks. The schedules for some tasks are customizable. Some tasks have further configuration settings (see Keyfactor Command Service appsetting.json File).

Automated Tasks

Table 76: Keyfactor Command Jobs Services

| Service | Description | Notes |
|---|---|---|
| Agent Notification Alert | Periodically runs a job that checks if an orchestrator has not checked in between job runs and sends an email notification as per settings in Application Settings: Agents Tab. | This is configurable in application settings (see Application Settings: Agents Tab). |
| Actioned Certificates | Periodically calculate certificates that should be considered actioned certificates. | This job runs daily at 2:00 UTC. |
| Bulk Audit Processing | Periodically add audit log entries for large jobs. Most audit log entries are added immediately at the time the activity generating the audit log takes place. However, some large jobs that might generate heavy server load (e.g., bulk revocation) save the audit log entries in a temporary location to reduce server load and then they are added to the audit log by this periodic job. | This job runs every 10 minutes. |
| CA Health | Periodically send email alerts when a CA is not responding. | The schedule for this is user configurable (see Alert Recipients Tab). |
| CA Sync | Periodically synchronize certificates from certificate authorities. | The schedules for this are user configurable (see Alert Recipients Tab). |
| CATemplate Cache | Periodically retrieve certificate templates from CAs configured for enrollment (with the setting Use for Enrollment enabled) and store the data in a cache in the database to reduce queries to the CA during enrollment requests. The cache lifetime is configurable using the CA Template Cache Expiration (minutes) application setting (see Application Settings: Enrollment Tab). Important: Turning off this job will cause enrollment to be unavailable once the cache expires. | This job runs every 5 minutes. |
| CA Threshold | Periodically send email alerts when a CA is issuing certificates or experiencing issuance failures outside of the established norms. | The schedule for this is user configurable (see Alert Recipients Tab). |
| Certificate Cleanup | Periodically remove expired certificates from the Keyfactor Command database. | This job runs daily at 1:00 UTC. Some settings for this job are configurable in application settings (see Application Settings: Console Tab). For more information, see Certificate Cleanup. |
| Certificate Store Workflows | Periodically update the Keyfactor Command database cache of certificates entering or leaving a certificate store for use by the Certificate Entered Store and Certificate Left Store workflow types. | This job runs every 10 minutes (see Workflow Definitions). |
| Certificate Query Alert | Periodically process workflows for any certificates found in the database cache (see QueryItems) of certificates entering or leaving a certificate collection for use by the Certificate Entered Collection and Certificate Left Collection workflow types. | This job runs every 10 minutes. |
| CRL | Periodically send email alerts for certificate revocation lists (CRLs) that are approaching expiration using the legacy alerting system. | The schedule for this is user configurable (see Adding or Modifying a Revocation Monitoring Location). |
| Collection Query Alerts | Periodically update the temporary tables that store information on which certificates are in which certificate collections. These temporary tables (caches) are used to support faster processing of some systems. | This value is user configurable with an application setting (see Application Settings: Console Tab). The default is 20 minutes. |
| Endpoint History | Periodically remove any SSL endpoint history in the Keyfactor Command database that is eligible for deletion, based on the setting in Application Settings: Auditing Tab (SSL > Retain SSL Endpoint History (days)). | This job runs daily at 1:00 UTC. |
| Expiration Alerts | Periodically send email alerts for certificates approaching expiration using the legacy alerting system. | The schedules for these are user configurable. See Expiration Alert Operations. |
| Expiration Workflows | Periodically execute any Expiration workflows. | This job runs every 10 minutes. |
| Issued Alerts | Periodically send email alerts (typically to certificate requesters) for certificate requests made using a certificate template that requires manager approval that have been approved using the legacy alerting system. | The schedule for this is user configurable (see Configuring an Issued Request Alert Schedule). |
| Key Rotation Workflows | Periodically execute any Key Rotation workflows. | This job runs every 10 minutes. |
| Metadata Generation | Periodically generate and assign metadata to certificates when they are imported into Keyfactor Command using a custom metadata extension. | This job runs every 15 minutes. |
| Pending Alerts | Periodically send email alerts (typically to certificate approvers) for certificate requests made using a certificate template that requires manager approval using the legacy alerting system. | The schedules for these are user configurable. See Configuring a Pending Request Alert Schedule. |
| Private Key Cleanup | Periodically remove any stored private keys in the Keyfactor Command database that have expired and are eligible for deletion. | This job runs daily at 1:00 UTC. For more information about stored private keys, see Certificate Details - Status Tab. |
| Purge Audit History | Periodically remove any audit log history in the Keyfactor Command database that has expired and is eligible for deletion. The default retention period is 52 weeks (changed from 7 years) and applies only to new databases. Records are deleted in batches; the default value is 10k. | This job runs on the first day of the month at 2:00 UTC. For more information, and to change defaults, see Application Settings: Auditing Tab. Only audit logs belonging to unprotected categories are eligible for deletion. |
| Query Items | Periodically update the Keyfactor Command database cache of certificates entering or leaving a certificate collection for use by the Certificate Entered Collection and Certificate Left Collection workflow types. | This job runs every 10 minutes (see Workflow Definitions). |
| Reporting | Deliver regularly scheduled reports via email or saved to a file system. | The schedules for these are user configurable (see Reports). |
| Reporting Cleanup | Periodically remove records from temporary files generated while running reports. | This job runs daily at 00:00 UTC. |
| Revocation Monitoring Workflows | Periodically execute any Revocation Monitoring workflows. | This job runs every 10 minutes. |
| Schedule SSL Jobs | Periodically identify and schedule SSL discovery and monitoring jobs. | This job runs every 5 minutes. |
| SSH Key Rotation Alerts | Periodically send email notifications to SSH key users and/or administrators when a key is nearing the end of the key lifetime using the legacy alerting system. | The schedule for this is user configurable (see Configuring a Key Rotation Alert Schedule). |
| Stats Update | Periodically run the Microsoft SQL update statistics function in the Keyfactor Command database. | This job runs monthly on the first day of the month at 1:00 UTC. |
| Suspended Workflows | Periodically attempt to continue all suspended workflows that may be eligible to continue but have not done so due to locking conflicts. A locking conflict may occur if two users attempt to provide input to a workflow instance (e.g., approve a request) at exactly the same time. | This job runs daily at 00:00 UTC. |
| Sync Templates | Periodically synchronize certificate templates from the source (e.g., Active Directory) to pick up new templates. | This job runs every hour. |
| Undecryptable Secrets Search | Periodically scan the database for any secrets that cannot be decrypted. If any are found, an error is logged to the orchestrator logs that indicates how many secrets were undecryptable. A Management Portal alert (see System Alerts) will also be triggered flagging the issue. | This job runs daily at 00:00 UTC. |
| Workflow Cleanup | Periodically remove any completed workflow instances (both successful and failed) in the Keyfactor Command database that have aged X number of days past the completion date (last modified date), where X is defined by the Workflow Instance Cleanup Days application setting (see Application Settings: Console Tab). | The default is 14 days. This job runs daily at 00:00 UTC. |

Certificate Cleanup

The Certificate Cleanup Task runs daily at 1:00 UTC and removes expired certificates from the database based on configured cleanup settings. Cleanup eligibility can be defined at the system-wide, template, or CA level.

When a certificate is removed by the cleanup task, it is excluded from subsequent standard CA synchronization unless cleanup is later turned off for that scope. CA synchronization tasks reference the cleanup settings to determine whether a certificate is eligible for removal and whether it should be excluded from import.

First Execution

When certificate cleanup is activated for the first time, the task evaluates all existing certificates that meet the configured cleanup criteria. As a result, the initial execution may take longer than subsequent daily runs.

To limit the scope of the first execution, you can configure cleanup at the template or CA level before applying it globally. This approach allows you to stage cleanup in controlled increments.

Processing Behavior

During execution, the cleanup task processes certificates according to scope. System-wide cleanup settings are evaluated first, followed by template-level settings, and then CA-level settings.

Certificates are deleted in batches of up to 1,000 records per cycle. Batch processing helps manage processing volume during execution and supports predictable task completion.

Certificates stored in the database are not removed by the cleanup task if they are associated with a certificate store or were imported through an SSL scan.

Logging and Auditing

The cleanup task writes informational log entries when execution begins and when processing completes. In environments where many certificates are eligible for removal, additional log entries may appear as batches are processed.

For example (including a debug level message):

2026-02-26 10:00:01.1941 2ADABE80-9B8F-4F43-B48C-16536FA22F11 CSS.CMS.Service.Jobs.Maintenance.Tasks.CertificateCleanup [Info] - Beginning 'CertificateCleanup' execution.

2026-02-26 10:00:01.2124 2ADABE80-9B8F-4F43-B48C-16536FA22F11 CSS.CMS.Service.Jobs.Maintenance.Tasks.CertificateCleanup [Debug] - Context:
JobExecutionContext: trigger: 'DEFAULT.CertificateCleanup' job: 'DEFAULT.CertificateCleanup' fireTimeUtc: 'Thu, 26 Feb 2026 01:00:00 GMT' scheduledFireTimeUtc: 'Thu, 26 Feb 2026 01:00:00 GMT' previousFireTimeUtc: 'Wed, 25 Feb 2026 01:00:00 GMT' nextFireTimeUtc: 'Fri, 27 Feb 2026 01:00:00 GMT' recovering: False refireCount: 0

2026-02-26 10:00:01.2124 2ADABE80-9B8F-4F43-B48C-16536FA22F11 CSS.CMS.Service.Jobs.Maintenance.Tasks.CertificateCleanup [Info] - Beginning certificate cleanup at 2/26/2026 10:00:01 AM.

All log messages generated during a single cleanup execution share the same correlation ID. This identifier can be used to trace all log messages associated with a specific execution of the task.

Additional execution detail is available when Debug or Trace logging levels are enabled for the service. At these levels, log entries may include batch discovery, deletion counts, SQL interactions, and reasons certificates are skipped.

For example:

2026-02-26 10:00:01.3354 2ADABE80-9B8F-4F43-B48C-16536FA22F11 CSS.CMS.Service.Jobs.Maintenance.Tasks.CertificateCleanup [Debug] - Beginning cleanup of certificates associated with templates.

2026-02-26 10:00:01.3354 2ADABE80-9B8F-4F43-B48C-16536FA22F11 CSS.CMS.Service.Jobs.Maintenance.Tasks.CertificateCleanup [Trace] - Cleaning up certificates associated with template 58 that expired more than 12 Months ago.

2026-02-26 10:00:01.6950 2ADABE80-9B8F-4F43-B48C-16536FA22F11 CSS.CMS.Service.Jobs.Maintenance.Tasks.CertificateCleanup [Trace] - Found batch of 726 certificates to delete.

2026-02-26 10:00:02.8047 2ADABE80-9B8F-4F43-B48C-16536FA22F11 Keyfactor.Command.Sql.DataStores.CertificateDataStore [Debug] - deleted 726 certificates

2026-02-26 10:00:35.8333 2ADABE80-9B8F-4F43-B48C-16536FA22F11 CSS.CMS.Service.Jobs.Maintenance.Tasks.CertificateCleanup [Debug] - Skipping cleanup of certificate with ID 2193089 because it is associated with a certificate store or SSL network.

Debug and Trace levels can generate a higher volume of log output and are typically used for troubleshooting.

Each certificate deletion performed by the cleanup task generates a corresponding audit log entry.
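
The correlation-ID tracing described above, as an added example (not Keyfactor's own code): a Python script that groups log lines by correlation ID and totals batches found, certificates deleted and certificates skipped for each CertificateCleanup execution. It assumes the line layout shown in the excerpts above; the function name, the summary field names and the second correlation ID in the sample are constructed for illustration.

```python
import re

# Sample input: the 2ADABE80-... lines are taken from the log excerpts above (the
# context line is shortened); the 11111111-... line and its logger are constructed.
SAMPLE_LOG = """\
2026-02-26 10:00:01.1941 2ADABE80-9B8F-4F43-B48C-16536FA22F11 CSS.CMS.Service.Jobs.Maintenance.Tasks.CertificateCleanup [Info] - Beginning 'CertificateCleanup' execution.
2026-02-26 10:00:01.2124 2ADABE80-9B8F-4F43-B48C-16536FA22F11 CSS.CMS.Service.Jobs.Maintenance.Tasks.CertificateCleanup [Debug] - Context:
JobExecutionContext: trigger: 'DEFAULT.CertificateCleanup' job: 'DEFAULT.CertificateCleanup' recovering: False refireCount: 0
2026-02-26 10:00:01.5000 11111111-2222-3333-4444-555555555555 Example.Constructed.OtherTask [Info] - Beginning 'OtherTask' execution.
2026-02-26 10:00:01.6950 2ADABE80-9B8F-4F43-B48C-16536FA22F11 CSS.CMS.Service.Jobs.Maintenance.Tasks.CertificateCleanup [Trace] - Found batch of 726 certificates to delete.
2026-02-26 10:00:02.8047 2ADABE80-9B8F-4F43-B48C-16536FA22F11 Keyfactor.Command.Sql.DataStores.CertificateDataStore [Debug] - deleted 726 certificates
2026-02-26 10:00:35.8333 2ADABE80-9B8F-4F43-B48C-16536FA22F11 CSS.CMS.Service.Jobs.Maintenance.Tasks.CertificateCleanup [Debug] - Skipping cleanup of certificate with ID 2193089 because it is associated with a certificate store or SSL network.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) (?P<cid>[0-9A-Fa-f-]{36}) "
    r"(?P<logger>\S+) \[(?P<level>\w+)\] - (?P<msg>.*)$")
COUNTERS = {  # summary field -> message pattern that feeds it
    "found": re.compile(r"Found batch of (\d+) certificates to delete"),
    "deleted": re.compile(r"deleted (\d+) certificates"),
    "skipped": re.compile(r"Skipping cleanup of certificate with ID (\d+)"),
}

def summarize_cleanup_runs(text):
    """Group log entries by correlation ID and total each CertificateCleanup run."""
    entries = [m for m in map(LINE_RE.match, text.splitlines()) if m]  # drops continuation lines
    # Only correlation IDs seen on a CertificateCleanup logger line are cleanup runs.
    cleanup_ids = {m["cid"] for m in entries if m["logger"].endswith(".CertificateCleanup")}
    runs = {}
    for m in entries:
        if m["cid"] not in cleanup_ids:
            continue
        run = runs.setdefault(m["cid"], {"start": m["ts"], "end": m["ts"],
                                         "found": 0, "deleted": 0, "skipped": []})
        run["end"] = m["ts"]
        for field, pattern in COUNTERS.items():
            hit = pattern.search(m["msg"])
            if hit and field == "skipped":
                run["skipped"].append(int(hit[1]))  # certificate ID left in place
            elif hit:
                run[field] += int(hit[1])
    for run in runs.values():
        # Meaningful only at Trace level, where both counts are logged.
        run["mismatch"] = run["found"] != run["deleted"]
    return runs

if __name__ == "__main__":
    for cid, run in summarize_cleanup_runs(SAMPLE_LOG).items():
        print(cid, run)
```

The deleted total for a run can then be compared with the number of audit log entries recorded for the same window, since each deletion generates one.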