Documentation Suite v25.2

Submit Search

PUT Templates

The PUT /Templates method is used to update selected information about a certificate template A certificate template defines the policies and rules that a CA uses when a request for a certificate is received.. This method returns HTTP 200 OK on a success with details about the specified template.

Tip: The following permissions (see Security Roles and Claims) are required to use this feature:

/certificate_templates/modify/

Important: Any previously populated fields that are not submitted with their full existing data using this method will be cleared of their existing data. When using this method, you should first do a GET to retrieve all the values for the record you want to update, enter corrected data into the field(s) you want to update, and then submit all the fields using PUT, including the fields that contain values but which you are not changing.

Table 884: PUT Templates Input Parameters

Name In Description

Allow One Click Renewals

Body

A Boolean indicating whether One-Click Renewal will be allowed for certificate renewals requested with this template (true) or not (false).

To use One-Click Renewal for certificates, the Allow One-Click Renewals option must be enabled in both the certificate templates and CAs to which you want One-Click Renewal to apply (see Certificate Template Operations, HTTPS CAs - Advanced Tab or DCOM CAs - Advanced Tab ). For more information about one-click renewals, see Renew/Reissue.

Allowed Enrollment Types

Body

An integer indicating the type of enrollment allowed for the certificate template.

Note: This parameter is considered deprecated and may be removed in a future release.

These values are populated based on configurations made for the default enrollment policy. Show allowed enrollment type details.

Value	Description
0	None
1	PFX Enrollment
2	CSR Enrollment
3	CSR Enrollment & PFX Enrollment
4	CSR Generation
5	CSR Generation & PFX Enrollment
6	CSR Generation & CSR Enrollment
7	CSR Enrollment, PFX Enrollment & CSR Generation

Allowed Requesters

Body

An array of strings containing the list of Keyfactor Command security roles—as strings—that have been granted enroll permission on the template.

The Allowed Requesters list at the template level has been replaced by the Associated Roles list at the enrollment pattern level (see POST Enrollment Patterns) and are populated based on configurations made for the default enrollment policy.

Note: This parameter is considered deprecated and may be removed in a future release.

CertificateCleanupEnabled

Body

A Boolean indicating whether the certificate cleanup job is enabled for the template (true) or not (false). The default is true.

The certificate cleanup task periodically removes expired certificates from the database. Once removed, these certificates will not be re-imported during a standard CA synchronization unless certificate cleanup is later disabled. CA synchronization tasks use the certificate cleanup settings to determine whether a certificate is eligible for cleanup and exclude such certificates from import.

Certificate cleanup settings can be configured at three levels:

Certificate Template Record: If configured, overrides the system-wide settings when processing certificate cleanup tasks for certificates associated with this template. These cleanup tasks are processed first.
Certificate Authority (CA) Record: If configured, overrides the system-wide settings when processing certificate cleanup tasks for certificates associated with this CA but not associated with any template. These cleanup tasks are processed second.
System-Wide: Applies to all certificate authorities and templates in the system. These values are used when processing certificate cleanup tasks for certificates associated with neither a CA nor a template and when no overrides are set at the CA or template level. These cleanup tasks are processed last.

Note: For manually imported certificates without an associated template (e.g., from a standalone CA), system-wide cleanup settings will be applied even if the CA exists in Keyfactor Command. This occurs because Keyfactor Command cannot reliably associate such certificates with the correct CA.

Important: If a certificate with a stored private key is deleted and later restored, the stored private key will not be restored.

Note: The system-wide settings for certificate cleanup are configured in application settings (see Application Settings: Console Tab).

DeleteWithArchiveKey Body A Boolean that sets whether certificates with a private key stored in the system are eligible for removal by the certificate cleanup task.

Enrollment Fields

Body

An object containing custom enrollment fields. This data is configured at the enrollment pattern level (see POST Enrollment Patterns).

Note: This parameter is considered deprecated and may be removed in a future release.

Friendly Name

Body

A string indicating the Keyfactor Command friendly name of the template.

Note: This parameter is considered deprecated and may be removed in a future release.

Id Body Required. An integer indicating the ID of the template in Keyfactor Command.

Key Archival

Body

A Boolean indicating whether the template has been configured with the key archival setting in Active Directory (true) or not (false). This is a reference field and is not configurable.

Key Retention

Body

A string indicating the type of key retention certificates enrolled with this template will use to store their private key in Keyfactor Command. Show key retention details.

Value	Description
None	The private key will not be retained.
Indefinite	The private key will be retained until it is explicitly deleted.
After Expiration	The private key will be retained until the specified number of days after the certificate expires (KeyRetentionDays), at which point it will be scheduled for deletion.
From Issuance	The private key will be retained until the specified number of days after the date on which the certificate was issued (KeyRetentionDays), at which point it will be scheduled for deletion.

Key Retention Days Body An integer indicating the number of days a certificate’s private key will be retained in Keyfactor Command before being scheduled for deletion, if private key retention is enabled.

Key Usage

Body

An integer indicating the total key usage of the certificate. For Microsoft CAs, key usage is stored in Active Directory as a single value made of a combination of values. Show value details.

Value	Function	Description
0	None	No key usage parameters.
1	Encipherment Only	The key can be used for encryption only.
2	CRL Signing	The key can be used to sign a certificate revocation list (CRL).
4	Key Certificate Signing	The key can be used to sign certificates.
8	Key Agreement	The key can be used to determine key agreement, such as a key created using the Diffie-Hellman key agreement algorithm.
16	Data Encipherment	The key can be used for data encryption.
32	Key Encipherment	The key can be used for key encryption.
64	Nonrepudiation	The key can be used for authentication.
128	Digital Signature	The key can be used as a digital signature.
32768	Decipherment Only	The key can be used for decryption only.

For example, a value of 160 would represent a key usage of digital signature with key encipherment. A value of 224 would add nonrepudiation to those.

Metadata Fields

Body

An array of objects containing template-level metadata field settings. For most use cases, this data is configured at the enrollment pattern level (see POST Enrollment Patterns).

Any data submitted in this parameter will be updated to the enrollment pattern marked as the TemplateDefault for the specified template.

Note: The order of precedence for evaluating metadata settings during enrollment is as follows:

Enrollment Pattern:
The enrollment pattern is evaluated first. If a value is set for the metadata field and setting (e.g. enrollment handling), that value is used, and any configuration for the same metadata field and setting at the template and system-wide levels is ignored.
Template:
If the enrollment pattern does not have a value set for the metadata field and setting, the template is evaluated. If the template has a value set, that value is used, and any configuration at the system-wide level is ignored.
System-Wide Settings:
If neither the enrollment pattern nor the template has a value set for the metadata field and setting, the system-wide settings are evaluated. Values configured at this level are used if set.

Show metadata field details.

Name Description

Id An integer indicating the Keyfactor Command reference ID of the template-specific metadata setting.

Default Value A string containing the default value defined for the metadata field for the specific template.

Metadata Id An integer indicating the global metadata field associated with the template-specific settings.

Validation

A string containing the template-specific regular expression against which data entered in a string field will be validated. When a user enters information in a metadata field that does not match the specified regular expression, he or she will see the warning message specified in the Message field. For example:

Copy

^[a-zA-Z0-9'_\.\-]*@(keyexample\.org|keyexample\.com)$

This regular expression specifies that the data entered in the field must consist of some number of characters prior to the “@” made up only of lowercase letters, uppercase letters, numbers, apostrophes, underscores, periods, and/or hyphens followed by exactly either “@keyexample.org” or “keyexample.com”.

This field is only supported for metadata fields with data type string.

Enrollment

An integer that indicates how metadata fields should be handled on the PFX and CSR Enrollment pages. Possible values are:

Value	Description
0	Optional Users have the option to either enter a value or not enter a value in the field.
1	Required Users are required to enter data in the field when populating metadata fields on the PFX and CSR Enrollment pages. The field is not required on the certificate details or Add Certificate page.
2	Hidden The field is hidden and does not appear on the PFX and CSR Enrollment pages. This field still appears on the certificate details and the Add Certificate page.

Message A string containing a message to present when a user enters information in a metadata field that does not match the template-specific regular expression (Validation field).

For example:

Copy

"MetadataFields": [
   {
      "Id": 4,
      "DefaultValue": "reggie.wallace@keyexample.com",
      "MetadataId": 4,
      "Validation": "^[a-zA-Z0-9'_\\.\\-]*@(keyexample\\.org|keyexample\\.com)$",
      "Enrollment": 1,
      "Message": "Your email address must be of the form user@keyexample.com or fname.lname@keyexample.com."
   },
   {
      "Id": 13,
      "DefaultValue": "E-Business",
      "MetadataId": 5,
      "Validation": "",
      "Enrollment": 0,
      "Message": "",
      "Options": "Accounting,E-Business,Executive,HR,IT,Marketing,R&D,Sales"
   }
]

Requires Approval

Body

A Boolean indicating whether the template has been configured with the Microsoft CA certificate manager approval option enabled (true) or not (false).

Important: Any templates that are configured on the Microsoft CA Issuance Requirements tab for CA certificate manager approval cannot be used for enrollment and associated alerting in Keyfactor Command without configuring private key retention. Any of the enabled private key retention settings (settings other than none as described for KeyRetention) will allow a template requiring manager approval to work with Keyfactor Command PFX and CSR enrollment.

Figure 628: Microsoft Issuance Requirements on a Template for Manager Approval

Template Defaults

Body

An array of objects containing individual template-level template default settings. This data is configured at the enrollment pattern level (see POST Enrollment Patterns) and will be populated based on the default enrollment pattern.

Any data submitted in this parameter will be updated to the enrollment pattern marked as the TemplateDefault for the specified template.

Note: This parameter is considered deprecated and may be removed in a future release.

Show template default details.

Value

Description

SubjectPart

A string indicating the portion of the subject the default applies to (e.g. L for City/Locality).

Use the GET /Templates/SubjectParts method (see GET Templates Subject Parts) to retrieve a list of all the supported subject parts.

Value

A string containing the value to assign as the default for that subject part (e.g. Chicago).

Template Policy

Body

An object containing the individual template-level template policy settings. This data is configured at the enrollment pattern level (see POST Enrollment Patterns) and will be populated based on the default enrollment pattern.

Any data submitted in this parameter will be updated to the enrollment pattern marked as the TemplateDefault for the specified template.

Note: This parameter is considered deprecated and may be removed in a future release.

Show template policy details.

Value

Description

Template Id

The Keyfactor Command reference ID of the certificate template the policy is associated with.

Allow Key Reuse

A Boolean that indicates whether private key reuse is allowed (true) or not (false). This option applies to certificate renewals. By default, this is set to true at a system-wide level.

Allow Wildcards

A Boolean that indicates whether wildcards are allowed (true) or not (false). By default, this is set to true at a system-wide level.

RFC Enforcement

A Boolean that indicates whether RFC 2818 compliance enforcement is enabled (true) or not (false). When this option is set to true, certificate enrollments made through Keyfactor Command for this template must include at least one DNS SAN. In the Keyfactor CommandManagement Portal, this causes the following behavior:

PFX Enrollment: The CN entered in PFX enrollment is automatically replicated as a DNS SAN, which the user does not see and cannot change.
CSR Enrollment: For CSR enrollment, if the CSR does not have a SAN that matches the CN, one will automatically be added to the certificate. The user enrolling does not see this and cannot change it.
CSR Generation: The CN entered in CSR generation will be automatically replicated as a DNS SAN and set to read only.

Certificate Owner Role

An integer indicating the certificate owner role setting. The supported values are:

0 - Optional
1 - Required
2 - Hidden

Required is enforced for PFX and CSR enrollment in both the Management Portal and Keyfactor API. Hidden applies to PFX and CSR enrollment in the Management Portal.

Default Certificate Owner Role Id

An integer indicating the Keyfactor Command reference ID of the security role assigned as the default certificate owner for certificates enrolled or imported via synchronization or scanning with this template.

Default Certificate Owner Role Name

A string indicating the name of the security role assigned as the default certificate owner for certificates enrolled or imported via synchronization or scanning with this template.

KeyInfo

An object containing the supported key types for the template along with the bit lengths and/or curves for the key types as appropriate The KeyInfo and PrimaryKeyAlgorithms properties are mutually exclusive in requests.

Important: The KeyInfo parameter has been deprecated. It is retained for backwards compatibility, but all new development should use the PrimaryKeyAlgorithms and AlternativeKeyAlgorithms parameters.

Show key info details.

Name	Description
ECDSA	An object containing the name of the key type and two arrays: name: A string indicating the name of the key type. bit_lengths: An array of integers indicating the key sizes supported for enrollment through Keyfactor Command. curves: An array of strings indicating the elliptic curve algorithms that are supported for enrollment through Keyfactor Command. ECC curves may be specified using the well-known OIDs for ECC algorithms or by friendly name. Well-known OIDs include: 1.2.840.10045.3.1.7 = P-256/ prime256v1/ secp256r1 1.3.132.0.34 = P-384/secp384r1 1.3.132.0.35 = P-521/secp521r1 When specifying by friendly name, do not include a slash (use “P-256”, not “P-256/prime256v1/secp256r1”).
RSA	An object containing the name of the key type and two arrays: name: A string indicating the name of the key type. bit_lengths: An array of integers indicating the key sizes supported for enrollment through Keyfactor Command. curves: There are no curves for this type of key. Keyfactor Command supports key sizes 2048, 3072, 4096, 6144, 8192, and 16384.
Ed448	An object containing the name of the key type and two arrays: name: A string indicating the name of the key type. bit_lengths: An array of integers indicating the key sizes supported for enrollment through Keyfactor Command. curves: There are no curves for this type of key.
Ed25519	An object containing the name of the key type and two arrays: name: A string indicating the name of the key type. bit_lengths: An array of integers indicating the key sizes supported for enrollment through Keyfactor Command. curves: There are no curves for this type of key.
MLDSA44	An object containing the name of the key type and two arrays: name: A string indicating the name of the key type. bit_lengths: There are no key size choices for this type of key. curves: There are no curves for this type of key.
MLDSA65	An object containing the name of the key type and two arrays: name: A string indicating the name of the key type. bit_lengths: There are no key size choices for this type of key. curves: There are no curves for this type of key.
MLDSA87	An object containing the name of the key type and two arrays: name: A string indicating the name of the key type. bit_lengths: There are no key size choices for this type of key. curves: There are no curves for this type of key.

PrimaryKeyAlgorithms

An array of objects containing the supported primary key algorithms for the template including the bit lengths and/or curves as appropriate. The KeyInfo and PrimaryKeyAlgorithms properties are mutually exclusive in requests.

Show primary key algorithm details.

AlternativeKeyAlgorithms

An array of objects containing the supported alternative key algorithms for the template including the bit lengths and/or curves as appropriate.

Show alternative key algorithm details.

Template Regexes

Body

An array of objects containing individual template-level regular expressions against which to validate the subject data. This data is configured at the enrollment pattern level (see POST Enrollment Patterns) and will be populated based on the default enrollment pattern.

Any data submitted in this parameter will be updated to the enrollment pattern marked as the TemplateDefault for the specified template.

Note: This parameter is considered deprecated and may be removed in a future release.

Show template RegEx details.

Name	Description
Template Id	An integer indicating the Keyfactor Command reference ID of the certificate template the regular expression is associated with.
Subject Part	A string indicating the portion of the subject the regular expression applies to (e.g. CN).
RegEx	A string specifying the regular expression against which data entered in the indicated subject part field (e.g. CN) in the enrollment pages of the Keyfactor Command Management Portal or using an API enrollment method will be validated. Use the GET /Templates/SubjectParts method (see GET Templates Subject Parts) to retrieve a list of all the supported subject parts.
Error	A string specifying the error message displayed to the user when the subject part referenced in the CSR or entered for a PFX enrollment does not match the given regular expression. Note: The error message already includes a leading string with the subject part (e.g. “Common Name:” or “Invalid CN provided:” depending on the interface used). Your custom message follows this.

TimeAfterExpiration Body The amount of time after certificate expiration to wait until the certificate is eligible for removal by the certificate cleanup task.

TimeAfterExpirationUnits Body The time unit to apply to the certificate expiration time (TimeAfterExpiration). Options are days, weeks, or months.

Use Allowed Requesters

Body

A Boolean that indicates whether the Restrict Allowed Requesters option should be enabled (true) or not (false).

The Restrict Allowed Requesters option at the template level has been replaced by the Use AD Permissions option at the enrollment pattern level (see POST Enrollment Patterns).

Note: This parameter is considered deprecated and may be removed in a future release.

Table 885: PUT Templates Response Body

Name Description

Allow One Click Renewals

A Boolean indicating whether One-Click Renewal will be allowed for certificate renewals requested with this template (true) or not (false).

Allowed Enrollment Types

An integer indicating the type of enrollment allowed for the certificate template.

Note: This parameter is considered deprecated and may be removed in a future release.

These values are populated based on configurations made for the default enrollment policy. Show allowed enrollment type details.

Value	Description
0	None
1	PFX Enrollment
2	CSR Enrollment
3	CSR Enrollment & PFX Enrollment
4	CSR Generation
5	CSR Generation & PFX Enrollment
6	CSR Generation & CSR Enrollment
7	CSR Enrollment, PFX Enrollment & CSR Generation

Allowed Requesters

An array of strings containing the list of Keyfactor Command security roles—as strings—that have been granted enroll permission on the template.

Note: This parameter is considered deprecated and may be removed in a future release.

CertificateCleanupEnabled

A Boolean indicating whether the certificate cleanup job is enabled for the template (true) or not (false). The default is true.

Certificate cleanup settings can be configured at three levels:

Certificate Template Record: If configured, overrides the system-wide settings when processing certificate cleanup tasks for certificates associated with this template. These cleanup tasks are processed first.
Certificate Authority (CA) Record: If configured, overrides the system-wide settings when processing certificate cleanup tasks for certificates associated with this CA but not associated with any template. These cleanup tasks are processed second.
System-Wide: Applies to all certificate authorities and templates in the system. These values are used when processing certificate cleanup tasks for certificates associated with neither a CA nor a template and when no overrides are set at the CA or template level. These cleanup tasks are processed last.

Note: For manually imported certificates without an associated template (e.g., from a standalone CA), system-wide cleanup settings will be applied even if the CA exists in Keyfactor Command. This occurs because Keyfactor Command cannot reliably associate such certificates with the correct CA.

Important: If a certificate with a stored private key is deleted and later restored, the stored private key will not be restored.

Note: The system-wide settings for certificate cleanup are configured in application settings (see Application Settings: Console Tab).

Common Name A string containing the common name (short name) of the template. This name typically does not contain spaces. For a template created using a Microsoft management tool, this will be the Microsoft template name. For a template generated for an EJBCA CA, this will be built using a naming scheme of <end entity profile name>_<certificate profile name>. This field is populated based on information retrieved from the CA and is not configurable.

Configuration Tenant A string indicating the configuration tenant of the template. For Microsoft templates, this field is populated from Active Directory. For EJBCA templates, this field is populated from the Keyfactor Command CA record. The field is not configurable.

Curve

A string indicating the friendly name of the elliptic curve algorithm configured for the template returned from the CA, for ECC templates. Possible values include:

P-256

1.2.840.10045.3.1.7 = P-256/ prime256v1/ secp256r1
P-384

1.3.132.0.34 = P-384/secp384r1
P-521

1.3.132.0.35 = P-521/secp521r1

If the template supports more than one curve, this field contains the minimum curve value.

DeleteWithArchiveKey A Boolean that sets whether certificates with a private key stored in the system are eligible for removal by the certificate cleanup task.

Display Name A string indicating the Keyfactor Command display name of the template. If a template friendly name is configured, this is used as the display name. If not, the template name is used. The display name appears in the dropdowns for PFX enrollment, CSR enrollment, and CSR generation. The display name is a generated field and is not directly configurable.

Enrollment Fields

An object containing custom enrollment fields. This data is configured at the enrollment pattern level (see POST Enrollment Patterns).

Note: This parameter is considered deprecated and may be removed in a future release.

Extended Key Usages

An array of objects containing the extended key usage information for the template. This field is populated from the CA and is not configurable. Show extended key usage details.

Name	Description
Id	An integer indicating the ID of the extended key usage in Active Directory.
Oid	A string containing the object ID of the extended key usage.
Display Name	A string specifying the display name of the extended key usage (e.g. Server Authentication).

Forest Root

A string indicating the forest root of the template. For Microsoft templates, this field is populated from Active Directory and is not configurable.

Note: The ForestRoot has been replaced by the ConfigurationTenant from release 10, but is retained for backwards compatibility.

Friendly Name

A string indicating the Keyfactor Command friendly name of the template.

Note: This parameter is considered deprecated and may be removed in a future release.

Id An integer indicating the ID of the template in Keyfactor Command.

Key Algorithms

An object containing the primary key algorithms defined for the template as reported by the CA, limited to the key types supported by Keyfactor Command. This information indicates all the algorithms that could possibly be supported when the template is used for enrollment. Enrollment policy within Keyfactor Command might limit this. This is a reference field and is not configurable. Show key algorithm details.

Value

Description

Template Id

An integer indicating the ID of the template in Keyfactor Command.

Key Info

An object containing the supported key types for the template as reported by the CA along with the bit lengths and/or curves for the key types as appropriate.

Show key info details.

Name	Description
ECDSA	An object containing the name of the key type and two arrays: name: A string indicating the name of the key type. bit_lengths: An array of integers indicating the key sizes supported for enrollment through Keyfactor Command. curves: An array of strings indicating the elliptic curve algorithms that are supported for enrollment through Keyfactor Command.
RSA	An object containing the name of the key type and two arrays: name: A string indicating the name of the key type. bit_lengths: An array of integers indicating the key sizes supported for enrollment through Keyfactor Command. curves: There are no curves for this type of key.
Ed448	An object containing the name of the key type and two arrays: name: A string indicating the name of the key type. bit_lengths: An array of integers indicating the key sizes supported for enrollment through Keyfactor Command. curves: There are no curves for this type of key.
Ed25519	An object containing the name of the key type and two arrays: name: A string indicating the name of the key type. bit_lengths: An array of integers indicating the key sizes supported for enrollment through Keyfactor Command. curves: There are no curves for this type of key.
MLDSA44	An object containing the name of the key type and two arrays: name: A string indicating the name of the key type. bit_lengths: There are no key size choices for this type of key. curves: There are no curves for this type of key.
MLDSA65	An object containing the name of the key type and two arrays: name: A string indicating the name of the key type. bit_lengths: There are no key size choices for this type of key. curves: There are no curves for this type of key.
MLDSA87	An object containing the name of the key type and two arrays: name: A string indicating the name of the key type. bit_lengths: There are no key size choices for this type of key. curves: There are no curves for this type of key.

PrimaryKeyAlgorithms

An array of objects containing the supported primary key algorithms for the template as reported by the CA including the bit lengths and/or curves as appropriate.

Show primary key algorithm details.

AlternativeKeyAlgorithms

An array of objects containing the supported alternative key algorithms for the template as reported by the CA including the bit lengths and/or curves as appropriate.

Show alternative key algorithm details.

Key Archival

A Boolean indicating whether the template has been configured with the key archival setting in Active Directory (true) or not (false). This is a reference field and is not configurable.

Key Retention

A string indicating the type of key retention certificates enrolled with this template will use to store their private key in Keyfactor Command. Show key retention details.

Value	Description
None	The private key will not be retained.
Indefinite	The private key will be retained until it is explicitly deleted.
After Expiration	The private key will be retained until the specified number of days after the certificate expires (KeyRetentionDays), at which point it will be scheduled for deletion.
From Issuance	The private key will be retained until the specified number of days after the date on which the certificate was issued (KeyRetentionDays), at which point it will be scheduled for deletion.

Key Retention Days An integer indicating the number of days a certificate’s private key will be retained in Keyfactor Command before being scheduled for deletion, if private key retention is enabled.

KeySize A string indicating the minimum supported key size of the template as returned by the CA. This value is calculated based on the algorithms provided in the template from the CA (see KeyAlgorithms). The algorithm key types and sizes are evaluated in order (RSA, ECC, Ed448, and Ed25519) and from these, the minimum type and size is determined. For example, if the template supports RSA, Ed448, and Ed25519, the minimum key type will be evaluated to RSA. Then for that algorithm, the minimum key size returned by the CA will be selected (e.g. 2048 if 2048 and 4096 are returned for RSA). See the KeyAlgorithms field for the complete list of supported key sizes and types. The field is not configurable.

KeyType A string indicating the key type of the template as returned by the CA. See details under KeySize. See the KeyAlgorithms field for the complete list of supported key sizes and types. The field is not configurable.

KeyTypes A string containing a comma-delimited list of the key sizes and types supported for the template returned from the CA as they are displayed in the Management Portal templates grid. Possible values include RSA 2048, ECC P-384, Ed25519, and Ed448.

Key Usage

An integer indicating the total key usage of the certificate. For Microsoft CAs, key usage is stored in Active Directory as a single value made of a combination of values. Show value details.

Value	Function	Description
0	None	No key usage parameters.
1	Encipherment Only	The key can be used for encryption only.
2	CRL Signing	The key can be used to sign a certificate revocation list (CRL).
4	Key Certificate Signing	The key can be used to sign certificates.
8	Key Agreement	The key can be used to determine key agreement, such as a key created using the Diffie-Hellman key agreement algorithm.
16	Data Encipherment	The key can be used for data encryption.
32	Key Encipherment	The key can be used for key encryption.
64	Nonrepudiation	The key can be used for authentication.
128	Digital Signature	The key can be used as a digital signature.
32768	Decipherment Only	The key can be used for decryption only.

For example, a value of 160 would represent a key usage of digital signature with key encipherment. A value of 224 would add nonrepudiation to those.

Metadata Fields

An array of objects containing template-level metadata field settings. For most use cases, this data is configured at the enrollment pattern level (see POST Enrollment Patterns).

Note: The order of precedence for evaluating metadata settings during enrollment is as follows:

Enrollment Pattern:
The enrollment pattern is evaluated first. If a value is set for the metadata field and setting (e.g. enrollment handling), that value is used, and any configuration for the same metadata field and setting at the template and system-wide levels is ignored.
Template:
If the enrollment pattern does not have a value set for the metadata field and setting, the template is evaluated. If the template has a value set, that value is used, and any configuration at the system-wide level is ignored.
System-Wide Settings:
If neither the enrollment pattern nor the template has a value set for the metadata field and setting, the system-wide settings are evaluated. Values configured at this level are used if set.

Show metadata field details.

Name Description

Id An integer indicating the Keyfactor Command reference ID of the template-specific metadata setting.

Default Value A string containing the default value defined for the metadata field for the specific template.

Metadata Id An integer indicating the global metadata field associated with the template-specific settings.

Validation

Copy

^[a-zA-Z0-9'_\.\-]*@(keyexample\.org|keyexample\.com)$

This field is only supported for metadata fields with data type string.

Enrollment

An integer that indicates how metadata fields should be handled on the PFX and CSR Enrollment pages. Possible values are:

Value	Description
0	Optional Users have the option to either enter a value or not enter a value in the field.
1	Required Users are required to enter data in the field when populating metadata fields on the PFX and CSR Enrollment pages. The field is not required on the certificate details or Add Certificate page.
2	Hidden The field is hidden and does not appear on the PFX and CSR Enrollment pages. This field still appears on the certificate details and the Add Certificate page.

Message A string containing a message to present when a user enters information in a metadata field that does not match the template-specific regular expression (Validation field).

Oid A string containing the object ID of the template. For Microsoft templates, this field is populated from Active Directory. For EJBCA templates, this field is generated within Keyfactor Command as an object identifier, but does not follow official OID conventions. The field is not configurable.

Requires Approval

A Boolean indicating whether the template has been configured with the Microsoft CA certificate manager approval option enabled (true) or not (false).

Figure 629: Microsoft Issuance Requirements on a Template for Manager Approval

RFC Enforcement

A Boolean indicating whether RFC 2818 compliance enforcement is enabled (true) or not (false). This setting is configured at the enrollment pattern level (see POST Enrollment Patterns) and will be populated based on the default enrollment pattern.

Note: This parameter is considered deprecated and may be removed in a future release.

Template Defaults

Note: This parameter is considered deprecated and may be removed in a future release.

Show template default details.

Value

Description

SubjectPart

A string indicating the portion of the subject the default applies to (e.g. L for City/Locality).

Use the GET /Templates/SubjectParts method (see GET Templates Subject Parts) to retrieve a list of all the supported subject parts.

Value

A string containing the value to assign as the default for that subject part (e.g. Chicago).

Template Name A string containing the name of the template. For a template created using a Microsoft management tool, this will be the Microsoft template display name. For a template generated for an EJBCA CA, this will be built using a naming scheme of <end entity profile name> (<certificate profile name>). This field is populated based on information retrieved from the CA and is not configurable.

Template Policy

Note: This parameter is considered deprecated and may be removed in a future release.

Show template policy details.

Value

Description

Template Id

The Keyfactor Command reference ID of the certificate template the policy is associated with.

Allow Key Reuse

A Boolean that indicates whether private key reuse is allowed (true) or not (false). This option applies to certificate renewals. By default, this is set to true at a system-wide level.

Allow Wildcards

A Boolean that indicates whether wildcards are allowed (true) or not (false). By default, this is set to true at a system-wide level.

RFC Enforcement

PFX Enrollment: The CN entered in PFX enrollment is automatically replicated as a DNS SAN, which the user does not see and cannot change.
CSR Enrollment: For CSR enrollment, if the CSR does not have a SAN that matches the CN, one will automatically be added to the certificate. The user enrolling does not see this and cannot change it.
CSR Generation: The CN entered in CSR generation will be automatically replicated as a DNS SAN and set to read only.

Certificate Owner Role

An integer indicating the certificate owner role setting. The supported values are:

0 - Optional
1 - Required
2 - Hidden

Required is enforced for PFX and CSR enrollment in both the Management Portal and Keyfactor API. Hidden applies to PFX and CSR enrollment in the Management Portal.

Default Certificate Owner Role Id

Default Certificate Owner Role Name

A string indicating the name of the security role assigned as the default certificate owner for certificates enrolled or imported via synchronization or scanning with this template.

KeyInfo

An object containing the supported key types for the template along with the bit lengths and/or curves for the key types as appropriate

Show key info details.

Name	Description
ECDSA	An object containing the name of the key type and two arrays: name: A string indicating the name of the key type. bit_lengths: An array of integers indicating the key sizes supported for enrollment through Keyfactor Command. curves: An array of strings indicating the elliptic curve algorithms that are supported for enrollment through Keyfactor Command.
RSA	An object containing the name of the key type and two arrays: name: A string indicating the name of the key type. bit_lengths: An array of integers indicating the key sizes supported for enrollment through Keyfactor Command. curves: There are no curves for this type of key.
Ed448	An object containing the name of the key type and two arrays: name: A string indicating the name of the key type. bit_lengths: An array of integers indicating the key sizes supported for enrollment through Keyfactor Command. curves: There are no curves for this type of key.
Ed25519	An object containing the name of the key type and two arrays: name: A string indicating the name of the key type. bit_lengths: An array of integers indicating the key sizes supported for enrollment through Keyfactor Command. curves: There are no curves for this type of key.
MLDSA44	An object containing the name of the key type and two arrays: name: A string indicating the name of the key type. bit_lengths: There are no key size choices for this type of key. curves: There are no curves for this type of key.
MLDSA65	An object containing the name of the key type and two arrays: name: A string indicating the name of the key type. bit_lengths: There are no key size choices for this type of key. curves: There are no curves for this type of key.
MLDSA87	An object containing the name of the key type and two arrays: name: A string indicating the name of the key type. bit_lengths: There are no key size choices for this type of key. curves: There are no curves for this type of key.

PrimaryKeyAlgorithms

An array of objects containing the supported primary key algorithms for the template including the bit lengths and/or curves as appropriate.

Show primary key algorithm details.

AlternativeKeyAlgorithms

An array of objects containing the supported alternative key algorithms for the template including the bit lengths and/or curves as appropriate.

Show alternative key algorithm details.

Template Regexes

Note: This parameter is considered deprecated and may be removed in a future release.

Show template RegEx details.

Name	Description
Template Id	An integer indicating the Keyfactor Command reference ID of the certificate template the regular expression is associated with.
Subject Part	A string indicating the portion of the subject the regular expression applies to (e.g. CN).
RegEx	A string specifying the regular expression against which data entered in the indicated subject part field (e.g. CN) in the enrollment pages of the Keyfactor Command Management Portal or using an API enrollment method will be validated. Use the GET /Templates/SubjectParts method (see GET Templates Subject Parts) to retrieve a list of all the supported subject parts.
Error	A string specifying the error message displayed to the user when the subject part referenced in the CSR or entered for a PFX enrollment does not match the given regular expression. Note: The error message already includes a leading string with the subject part (e.g. “Common Name:” or “Invalid CN provided:” depending on the interface used). Your custom message follows this.

TimeAfterExpiration The amount of time after certificate expiration to wait until the certificate is eligible for removal by the certificate cleanup task.

TimeAfterExpirationUnits The time unit to apply to the certificate expiration time (TimeAfterExpiration). Options are days, weeks, or months.

Use Allowed Requesters

A Boolean that indicates whether the Restrict Allowed Requesters option should be enabled (true) or not (false).

The Restrict Allowed Requesters option at the template level has been replaced by the Use AD Permissions option at the enrollment pattern level (see POST Enrollment Patterns).

Note: This parameter is considered deprecated and may be removed in a future release.

Tip: See the Keyfactor API Reference and Utility which provides a utility through which the Keyfactor API

An API is a set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command. endpoints can be called and results returned. It is intended to be used primarily for validation, testing and workflow

A workflow is a series of steps necessary to complete a process. In Keyfactor Command, it refers to the workflow builder, which allows you to automate event-driven tasks such as when a certificate is requested, revoked or found in a certificate store. development. It also serves secondarily as documentation for the API. The link to the Keyfactor API Reference and Utility is in the dropdown from the help icon (

) at the top of the Management Portal page next to the Log Out button.

Was this page helpful? Provide Feedback

Version v25.2

On this page: