Defaults |
An array of objects containing the system-wide enrollment pattern default settings. These apply to all enrollments that are not otherwise overridden by individual enrollment pattern settings, including those that do not use an enrollment pattern (e.g. from a standalone CA).
Subject Part |
A string indicating the portion of the subject the default applies to (e.g. L for City/Locality).
Use the GET /EnrollmentPatterns/SubjectParts method (see GET Enrollment Patterns Subject Parts) to retrieve a list of all the supported subject parts.
|
Value |
A string containing the value to assign as the default for that subject part (e.g. Chicago). |
Note: See also the Subject Format application setting, which takes precedence over enrollment defaults at both the system-wide and enrollment pattern level (see Application Settings: Enrollment Tab) but does not apply to enrollment requests done through the Keyfactor API.
|
Policies |
An object containing the system-wide enrollment pattern policy settings. These apply to all enrollments that are not otherwise overridden by individual enrollment pattern settings, including those that do not use an enrollment pattern (e.g. from a standalone CA).
Allow Key Reuse |
A Boolean that indicates whether private key reuse is allowed (true) or not (false). This option applies to certificate renewals. |
Allow Wildcards |
A Boolean that indicates whether wildcards are allowed (true) or not (false). |
RFC Enforcement |
A Boolean that indicates whether RFC 2818 compliance enforcement is enabled (true) or not (false). When this option is set to true, certificate enrollments made through Keyfactor Command for this enrollment pattern must include at least one DNS SAN. In the Keyfactor Command Management Portal, this causes the following behavior:
- PFX Enrollment: The CN entered in PFX enrollment is automatically replicated as a DNS SAN, which the user does not see and cannot change.
- CSR Enrollment: If the CSR does not have a SAN that matches the CN, one will automatically be added to the certificate. The user enrolling does not see this and cannot change it.
- CSR Generation: The CN entered in CSR generation will be automatically replicated as a DNS SAN and set to read only.
The default is true.
|
Certificate Owner Role |
An integer indicating the certificate owner role setting. The supported values are:
- 0 - Optional
- 1 - Required
- 2 - Hidden
Required is enforced for PFX and CSR enrollment in both the Management Portal and Keyfactor API. Hidden applies to PFX and CSR enrollment in the Management Portal.
|
Default Certificate Owner Override |
A Boolean that indicates whether the default certificate owner name from the system-wide policy should be overridden with a locally-configured value for the enrollment pattern (true) or not (false).
|
Default Certificate Owner Role Id |
An integer indicating the Keyfactor Command reference ID of the security role assigned as the default certificate owner for certificates enrolled or imported via synchronization or scanning.
|
Default Certificate Owner Role Name |
A string indicating the name of the security role assigned as the default certificate owner for certificates enrolled or imported via synchronization or scanning. |
KeyInfo |
An object containing the supported key types along with the bit lengths and/or curves for the key types as appropriate.
Important: The KeyInfo parameter has been deprecated. It is retained for backwards compatibility, but all new development should use the PrimaryKeyAlgorithms and AlternativeKeyAlgorithms parameters.
ECDSA |
An object containing the name of the key type and two arrays:
- name: A string indicating the name of the key type.
- bit_lengths: An array of integers indicating the key sizes supported for enrollment through Keyfactor Command.
- curves: An array of strings indicating the elliptic curve algorithms that are supported for enrollment through Keyfactor Command.
|
RSA |
An object containing the name of the key type and two arrays:
- name: A string indicating the name of the key type.
- bit_lengths: An array of integers indicating the key sizes supported for enrollment through Keyfactor Command.
- curves: There are no curves for this type of key.
|
Ed448 |
An object containing the name of the key type and two arrays:
- name: A string indicating the name of the key type.
- bit_lengths: An array of integers indicating the key sizes supported for enrollment through Keyfactor Command.
- curves: There are no curves for this type of key.
|
Ed25519 |
An object containing the name of the key type and two arrays:
- name: A string indicating the name of the key type.
- bit_lengths: An array of integers indicating the key sizes supported for enrollment through Keyfactor Command.
- curves: There are no curves for this type of key.
|
MLDSA44 |
An object containing the name of the key type and two arrays:
- name: A string indicating the name of the key type.
- bit_lengths: There are no key size choices for this type of key.
- curves: There are no curves for this type of key.
|
MLDSA65 |
An object containing the name of the key type and two arrays:
- name: A string indicating the name of the key type.
- bit_lengths: There are no key size choices for this type of key.
- curves: There are no curves for this type of key.
|
MLDSA87 |
An object containing the name of the key type and two arrays:
- name: A string indicating the name of the key type.
- bit_lengths: There are no key size choices for this type of key.
- curves: There are no curves for this type of key.
|
|
PrimaryKeyAlgorithms |
An array of objects containing the supported primary key algorithms for the enrollment pattern as defined in the specific enrollment pattern policy, including the bit lengths and/or curves as appropriate.
name |
A string indicating the name of the key algorithm. The supported key algorithm names are: ECDSA, RSA, Ed448, Ed25519, ML-DSA-44, ML-DSA-65, ML-DSA-87. |
bit_lengths |
An array of integers indicating the key sizes supported for enrollment through Keyfactor Command. For RSA, Keyfactor Command supports key sizes 2048, 3072, 4096, 6144, 8192, and 16384. |
curves |
An array of strings indicating the elliptic curve algorithms that are supported for enrollment through Keyfactor Command, if applicable. ECC curves may be specified using the well-known OIDs for ECC algorithms or by friendly name. Well-known OIDs include:
- 1.2.840.10045.3.1.7 = P-256 / prime256v1 / secp256r1
- 1.3.132.0.34 = P-384 / secp384r1
- 1.3.132.0.35 = P-521 / secp521r1
When specifying by friendly name, do not include a slash (use “P-256” or “secp256r1”, not “P-256/prime256v1/secp256r1”). |
|
AlternativeKeyAlgorithms |
An array of objects containing the supported alternative key algorithms for the template as reported by the CA, including the bit lengths and/or curves as appropriate.
name |
A string indicating the name of the key algorithm. The supported key algorithm names are: ECDSA, RSA, Ed448, Ed25519, ML-DSA-44, ML-DSA-65, ML-DSA-87. |
bit_lengths |
An array of integers indicating the key sizes supported for enrollment through Keyfactor Command. For RSA, Keyfactor Command supports key sizes 2048, 3072, 4096, 6144, 8192, and 16384. |
curves |
An array of strings indicating the elliptic curve algorithms that are supported for enrollment through Keyfactor Command, if applicable. ECC curves may be specified using the well-known OIDs for ECC algorithms or by friendly name. Well-known OIDs include:
- 1.2.840.10045.3.1.7 = P-256 / prime256v1 / secp256r1
- 1.3.132.0.34 = P-384 / secp384r1
- 1.3.132.0.35 = P-521 / secp521r1
When specifying by friendly name, do not include a slash (use “P-256” or “secp256r1”, not “P-256/prime256v1/secp256r1”). |
|
|
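The following is an added worked example, not Keyfactor Command code, showing how the Policies settings (Allow Wildcards, RFC Enforcement, Certificate Owner Role) and the PrimaryKeyAlgorithms entries above combine when a request is checked, including normalization of curve OIDs and friendly names so that “secp256r1” and “1.2.840.10045.3.1.7” are treated as the same curve. The dictionary keys used for the policy (AllowWildcards, RFCEnforcement, CertificateOwnerRole, DefaultCertificateOwnerRoleId, PrimaryKeyAlgorithms) mirror the labels on this page with spaces removed; the real API property names, the sample policy, and the request/result classes are assumptions of this example.

```python
"""Added example (not Keyfactor Command code): check an enrollment request
against the Policies and PrimaryKeyAlgorithms settings described above.

Policy keys mirror this page's labels with spaces removed; the real API
property names are an assumption, as is the constructed SAMPLE_POLICY.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# OID <-> friendly-name table for the three curves listed under "curves".
CURVE_OIDS: Dict[str, List[str]] = {
    "1.2.840.10045.3.1.7": ["P-256", "prime256v1", "secp256r1"],
    "1.3.132.0.34": ["P-384", "secp384r1"],
    "1.3.132.0.35": ["P-521", "secp521r1"],
}


def normalize_curve(value: str) -> str:
    """Return the OID for an OID or friendly name; unknown strings pass through."""
    v = value.strip()
    for oid, names in CURVE_OIDS.items():
        if v == oid or v in names:
            return oid
    return v


@dataclass
class EnrollmentRequest:
    cn: str
    dns_sans: List[str] = field(default_factory=list)
    key_algorithm: str = "RSA"
    bit_length: Optional[int] = None
    curve: Optional[str] = None
    owner_role_id: Optional[int] = None  # None = user supplied no owner


@dataclass
class PolicyResult:
    errors: List[str]
    dns_sans: List[str]           # SANs after RFC enforcement
    owner_role_id: Optional[int]  # owner after applying the role mode


def evaluate(request: EnrollmentRequest, policy: dict) -> PolicyResult:
    errors: List[str] = []
    sans = list(request.dns_sans)

    # RFC Enforcement: the CN must be present as a DNS SAN; add it when the
    # request lacks one, as the PFX/CSR behavior above describes.
    if policy.get("RFCEnforcement", True) and request.cn not in sans:
        sans.append(request.cn)

    # Allow Wildcards: reject any '*' in the CN or a DNS SAN when disabled.
    if not policy.get("AllowWildcards", False):
        for name in dict.fromkeys([request.cn] + sans):
            if "*" in name:
                errors.append(f"wildcard not permitted: {name}")

    # Certificate Owner Role: 0 = Optional, 1 = Required, 2 = Hidden.
    mode = policy.get("CertificateOwnerRole", 0)
    owner = request.owner_role_id
    if mode == 1 and owner is None:
        errors.append("certificate owner is required")
    elif mode == 2:
        owner = policy.get("DefaultCertificateOwnerRoleId")  # field hidden; default applies

    # Key algorithm, bit length and curve must match an allowed entry.
    allowed = {a["name"]: a for a in policy.get("PrimaryKeyAlgorithms", [])}
    alg = allowed.get(request.key_algorithm)
    if alg is None:
        errors.append(f"key algorithm not permitted: {request.key_algorithm}")
    else:
        bits = alg.get("bit_lengths") or []
        if bits and request.bit_length not in bits:
            errors.append(f"bit length {request.bit_length} not permitted for {alg['name']}")
        curves = {normalize_curve(c) for c in alg.get("curves") or []}
        if curves and normalize_curve(request.curve or "") not in curves:
            errors.append(f"curve {request.curve} not permitted for {alg['name']}")

    return PolicyResult(errors, sans, owner)


# Constructed sample policy (not a real Keyfactor Command response).
SAMPLE_POLICY = {
    "AllowWildcards": False,
    "RFCEnforcement": True,
    "CertificateOwnerRole": 1,
    "DefaultCertificateOwnerRoleId": 3,
    "PrimaryKeyAlgorithms": [
        {"name": "RSA", "bit_lengths": [2048, 3072, 4096], "curves": []},
        {"name": "ECDSA", "bit_lengths": [], "curves": ["P-256", "1.3.132.0.34"]},
        {"name": "ML-DSA-65", "bit_lengths": [], "curves": []},
    ],
}

if __name__ == "__main__":
    ok = evaluate(EnrollmentRequest("web01.keyexample.com", key_algorithm="ECDSA",
                                    curve="secp256r1", owner_role_id=7), SAMPLE_POLICY)
    bad = evaluate(EnrollmentRequest("*.keyexample.com", key_algorithm="RSA",
                                     bit_length=1024), SAMPLE_POLICY)
    print(ok)
    print(bad.errors)
```

The ECDSA entry in the sample policy deliberately mixes a friendly name and an OID, which is why the check normalizes both sides before comparing; a request that names the curve as “secp256r1” is accepted against an entry written as “P-256”.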
Regexes |
An array of objects containing the system-wide enrollment pattern regular expression settings. These apply to all enrollments that are not otherwise overridden by enrollment pattern settings, including those that do not use an enrollment pattern (e.g. from a standalone CA).
Subject Part |
A string indicating the portion of the subject the regular expression applies to (e.g. CN). |
RegEx |
A string specifying the regular expression against which data entered in the indicated subject part field (e.g. CN) in the enrollment pages of the Keyfactor Command Management Portal or using an API enrollment method will be validated.
Use the GET /EnrollmentPatterns/SubjectParts method (see GET Enrollment Patterns Subject Parts) to retrieve a list of all the supported subject parts.
Regular expression examples:
CN (Common Name) |
This regular expression specifies that the data entered in the field must consist of one or more DNS labels of 1 to 63 characters each, made up only of lowercase letters, uppercase letters, numbers, and/or hyphens and separated by periods, followed by exactly “.keyexample.com”. The leading lookaheads reject a hyphen at the start of the first label and a doubled hyphen (“--”) anywhere in the name, and the lookbehind rejects a hyphen at the end of the first label; later labels are not checked for leading or trailing hyphens. Note that the “--” rule also rejects Punycode (“xn--”) labels:
^(?!-)(?!.*--)[A-Za-z0-9-]{1,63}(?<!-)(\.[A-Za-z0-9-]{1,63})*\.keyexample\.com$
The default value for the Common Name regular expression is:
This requires entry of at least one character in the Common Name field in the enrollment pages.
|
O (Organization) |
This regular expression requires that the organization name entered in the field be one of “Key Example Inc”, “Key Example” or “Key Example, Inc.”:
^(?:Key Example Inc|Key Example|Key Example, Inc\.)$
The period in the final company name (Key Example, Inc.) needs to be escaped in the regular expression with a backslash (“\”) but the comma does not.
|
OU (Organization Unit) |
This regular expression requires that the organizational unit entered in the field be one of these four departments:
^(?:IT|HR|Accounting|E-Commerce)$
|
L (City/ Locality) |
This regular expression requires that the city entered in the field be one of these five cities:
^(?:Boston|Chicago|New York|London|Dallas)$
|
ST (State/ Province) |
This regular expression requires that the state or province entered in the field be one of these five:
^(?:Massachusetts|Illinois|New York|Ontario|Texas)$
|
C (Country) |
This regular expression requires that the country entered in the field be either US or CA:
|
E (Email) |
This regular expression specifies that the data entered in the field must consist of some number of characters prior to the “@” made up only of lowercase letters, uppercase letters, numbers, periods, underscores, percent signs, apostrophes, plus signs, and/or hyphens followed by exactly “@keyexample.com”:
^[A-Za-z0-9._%'+-]+@keyexample\.com$
|
DNS (Subject Alternative Name: DNS Name) |
This regular expression specifies that the data entered in the field must consist of one or more DNS labels of 1 to 63 characters each, made up only of lowercase letters, uppercase letters, numbers, and/or hyphens and separated by periods, followed by exactly either “.keyexample1.com” or “.keyexample2.com”. As in the CN example, only the first label is checked for a leading or trailing hyphen, and a doubled hyphen (“--”) is rejected anywhere in the name:
^(?!-)(?!.*--)[A-Za-z0-9-]{1,63}(?<!-)(\.[A-Za-z0-9-]{1,63})*\.(keyexample1\.com|keyexample2\.com)$
|
IPv4 (Subject Alternative Name: IPv4 Address) |
This regular expression specifies that the data entered in the field must be exactly “130.101.” followed by a value between 0 and 255, followed by “.”, followed by a value between 0 and 255:
^130\.101\.(?:[0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.(?:[0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$
This regular expression specifies only that the IPv4 address is made up of 4 sets of values between 0 and 255 separated by periods (note that, unlike the first pattern, it also accepts a leading zero in one- or two-digit values, such as “01”):
^(?:[0-9]{1,2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.(?:[0-9]{1,2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.(?:[0-9]{1,2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.(?:[0-9]{1,2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$
|
IPv6 (Subject Alternative Name: IPv6 Address) |
This regular expression specifies that the data entered in the field must be made up of up to eight groups of one to four hexadecimal digits (0-9 and uppercase A-F) separated by colons, optionally including a single “::” shorthand that stands in for one or more groups of zeros:
^([A-F0-9]{1,4}:){1,7}([A-F0-9]{1,4})?(\:\:([A-F0-9]{1,4}:){0,6}[A-F0-9]{1,4})?$
Note two limits of the pattern as written: lowercase hexadecimal digits are rejected unless CaseSensitive is false, and a “::” is accepted only when at least two groups precede it and at least one follows it, so “2001:DB8::1” matches while “FE80::1” and “::1” do not.
|
MAIL (Subject Alternative Name: Email) |
This regular expression specifies that the data entered in the field must consist of some number of characters prior to the “@” made up only of lowercase letters, uppercase letters, numbers, periods, underscores, percent signs, apostrophes, plus signs, and/or hyphens followed by exactly “@keyexample.com”:
^[A-Za-z0-9._%'+-]+@keyexample\.com$
|
UPN (Subject Alternative Name: User Principal Name) |
This regular expression specifies that the data entered in the field must consist of between 1 and 64 characters prior to the “@” made up only of lowercase letters, uppercase letters, numbers, apostrophes, underscores, spaces, and/or hyphens followed by exactly “@keyexample.com”:
^[A-Za-z0-9'_ -]{1,64}@keyexample\.com$
|
|
Error |
A string specifying the error message displayed to the user when the subject part referenced in the CSR or entered for a PFX enrollment does not match the given regular expression.
Note: The error message already includes a leading string with the subject part (e.g. “Common Name:” or “Invalid CN provided:” depending on the interface used). Your custom message follows this.
|
CaseSensitive |
A Boolean that sets the validation for the field to be case-sensitive (true) or not (false). If the subject part does not match the expected case, the value specified by the Error parameter will display. If the CaseSensitive option is disabled, even if the regular expression contains requirements to enforce case, the case requirement will not be enforced. |
|
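The following is an added worked example, not Keyfactor Command code, that applies subject-part regular expressions the way the Regexes, Error and CaseSensitive settings above describe: each value supplied for a governed subject part is matched against its RegEx, case-insensitively when CaseSensitive is false, and a failure produces the subject-part prefix followed by the custom Error text. The rules are built from the CN, O and IPv6 expressions shown on this page; the rule dictionary keys, the prefix table and the sample inputs are this example's own assumptions, not the API's property names.

```python
"""Added example (not Keyfactor Command code): validate subject parts against
the per-part regular expressions described above, honoring CaseSensitive and
the Error message prefix convention.

Rule keys (SubjectPart, RegEx, Error, CaseSensitive) and the PREFIX table are
assumptions of this example; the expressions are the ones shown on this page.
"""
import re
from typing import Dict, List, Optional

# Constructed rules using the sample expressions from the page.
RULES = [
    {
        "SubjectPart": "CN",
        "RegEx": r"^(?!-)(?!.*--)[A-Za-z0-9-]{1,63}(?<!-)(\.[A-Za-z0-9-]{1,63})*\.keyexample\.com$",
        "Error": "must be a host name under keyexample.com",
        "CaseSensitive": True,
    },
    {
        "SubjectPart": "O",
        "RegEx": r"^(?:Key Example Inc|Key Example|Key Example, Inc\.)$",
        "Error": "must be the registered company name",
        "CaseSensitive": True,
    },
    {
        "SubjectPart": "IPv6",
        "RegEx": r"^([A-F0-9]{1,4}:){1,7}([A-F0-9]{1,4})?(\:\:([A-F0-9]{1,4}:){0,6}[A-F0-9]{1,4})?$",
        "Error": "must be an IPv6 address",
        "CaseSensitive": True,
    },
]
RULES_BY_PART: Dict[str, dict] = {r["SubjectPart"]: r for r in RULES}

# Leading string prepended to the custom Error text (assumed mapping).
PREFIX = {"CN": "Common Name", "O": "Organization", "IPv6": "IPv6 Address"}


def validate_subject_part(rule: dict, value: str) -> Optional[str]:
    """Return None when the value matches, else the full error message."""
    flags = 0 if rule["CaseSensitive"] else re.IGNORECASE
    if re.fullmatch(rule["RegEx"], value, flags):
        return None
    return f"{PREFIX.get(rule['SubjectPart'], rule['SubjectPart'])}: {rule['Error']}"


def validate_request(subject: Dict[str, List[str]], rules: List[dict] = RULES) -> List[str]:
    """Check every value of every subject part that has a configured regex."""
    by_part = {r["SubjectPart"]: r for r in rules}
    errors: List[str] = []
    for part, values in subject.items():
        rule = by_part.get(part)
        if rule is None:
            continue  # no expression configured for this part; anything goes
        for value in values:
            err = validate_subject_part(rule, value)
            if err:
                errors.append(err)
    return errors


if __name__ == "__main__":
    # Constructed request: CN and O valid, one IPv6 SAN in lowercase.
    request = {
        "CN": ["web-01.keyexample.com"],
        "O": ["Key Example, Inc."],
        "IPv6": ["2001:DB8::1", "2001:db8::1"],
    }
    for message in validate_request(request):
        print(message)
```

Running the block prints one error for the lowercase IPv6 SAN; flipping the IPv6 rule's CaseSensitive to false accepts it. The CN rule also shows the gap noted above: “web.api-.keyexample.com” passes because only the first label is checked for a trailing hyphen.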