PUT Templates

The PUT /Templates method is used to update selected information about a certificate templateClosed A certificate template defines the policies and rules that a CA uses when a request for a certificate is received.. This method returns HTTP 200 OK on a success with details about the specified template.

Tip:  The following permissions (see Security Overview) are required to use this feature:

PkiManagement: Modify

Warning:  Any previously populated fields that are not submitted with their full existing data using this method will be cleared of their existing data. When using this method, you should first do a GET to retrieve all the values for the record you want to update, enter corrected data into the field(s) you want to update, and then submit all the fields using PUT, including the fields that contain values but which you are not changing.

Table 617: PUT Templates Input Parameters

Name In Description
Id Body Required. An integer indicating the ID of the template in Keyfactor Command.
KeySize Body A string indicating the minimum supported key sizeClosed The key size or key length is the number of bits in a key used by a cryptographic algorithm. of the template as defined by the CAClosed A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA.. The field is not configurable.
KeyType Body A string indicating the key typeClosed The key type identifies the type of key to create when creating a symmetric or asymmetric key. It references the signing algorithm and often key size (e.g. AES-256, RSA-2048, Ed25519). of the template as defined by the CA. The field is not configurable.
FriendlyName Body A string indicating the Keyfactor Command friendly name of the template. Template friendly names, if configured, appear in the dropdowns for PFXClosed A PFX file (personal information exchange format), also known as a PKCS#12 archive, is a single, password-protected certificate archive that contains both the public and matching private key and, optionally, the certificate chain. It is a common format for Windows servers. enrollmentClosed Certificate enrollment refers to the process by which a user requests a digital certificate. The user must submit the request to a certificate authority (CA)., CSRClosed A CSR or certificate signing request is a block of encoded text that is submitted to a CA when enrolling for a certificate. When you generate a CSR within Keyfactor Command, the matching private key for it is stored in Keyfactor Command in encrypted format and will be married with the certificate once returned from the CA. enrollment, and CSR generation in place of the template names. This can be useful in environments where the template names are long or not very human readable.
KeyRetention Body

A string indicating the type of key retention certificates enrolled with this template will use to store their private keyClosed Private keys are used in cryptography (symmetric and asymmetric) to encrypt or sign content. In asymmetric cryptography, they are used together in a key pair with a public key. The private or secret key is retained by the key's creator, making it highly secure. in Keyfactor Command. ClosedShow key retention details.

KeyRetentionDays Body An integer indicating the number of days a certificate’s private key will be retained in Keyfactor Command before being scheduled for deletion, if private key retention is enabled.
KeyArchival Body

A Boolean indicating whether the template has been configured with the key archival setting in Active Directory (true) or not (false). This is a reference field and is not configurable.

EnrollmentFields Body

An object containing custom enrollment fields. These are configured on a per-template basis to allow you to submit custom fields with CSR enrollments and PFX enrollments to supply custom request attributes to the CA during the enrollment process. This functionality offers such benefits as:

  • Preventing users from requesting invalid certificates, based on your specific certificate requirements per template.
  • Providing additional information to the CA with the CSR.

Once created on the template, these values are shown in Keyfactor Command on the PFX and CSR enrollment pages in the Additional Enrollment Fields section. The fields are mandatory during enrollment. The data will appear on the CA / Issued Certificates attribute tab for certificates enrolled with a template configured with Keyfactor Command enrollment fields.

ClosedShow enrollment field details.

For example:

"EnrollmentFields": [
   {
      "Id": 3,
      "Name": "MyCustomField",
      "Options": ["Green","Red","Yellow","Blue"],
      "DataType": 2
   }
]
MetadataFields Body

An object containing template-level metadata field settings. Template-level metadata field configurations can override global metadata field configurations in these possible ways:

  • Configuration on the metadata field of required, optional or hidden.

  • The default value for the metadata field.

  • A regular expression defined for the field (string fields only) against which entered data will be validated along with its associated message.

  • For fields of data type multiple choice, the list of values that appear in multiple choice dropdowns.

Metadata field settings defined on a template apply to enrollments made with that template only. Template-level metadata field settings, if defined, take precedence over global-level metadata field settings.

ClosedShow metadata field details.

For example:

"MetadataFields": [
   {
      "Id": 4,
      "DefaultValue": "reggie.wallace@keyexample.com",
      "MetadataId": 4,
      "Validation": "^[a-zA-Z0-9'_\\.\\-]*@(keyexample\\.org|keyexample\\.com)$",
      "Enrollment": 1,
      "Message": "Your email address must be of the form user@keyexample.com or fname.lname@keyexample.com."
   },
   {
      "Id": 13,
      "DefaultValue": "E-Business",
      "MetadataId": 5,
      "Validation": "",
      "Enrollment": 0,
      "Message": "",
      "Options": "Accounting,E-Business,Executive,HR,IT,Marketing,R&D,Sales"
   }
]
AllowedEnrollmentTypes Body

An integer indicating the type of enrollment allowed for the certificate template. Setting these options causes the template to appear in dropdowns in the corresponding section of the Management Portal. In the case of CSR Enrollment and PFX Enrollment, the templates only appear in dropdowns on the enrollment pages if they are available for enrollment from a CA also configured for enrollment within Keyfactor Command. See Adding or Modifying a CA Record in the Keyfactor Command Reference Guide for more information. ClosedShow allowed enrollment type details.

TemplateRegexes Body

An object containing individual template-level regular expressions against which to validate the subject data. Regular expressions defined on a template apply to enrollments made with that template only. Template-level regular expressions, if defined, take precedence over system-wide regular expressions. For more information about system-wide regular expressions, see GET Templates Settings. ClosedShow regular expression details.

Name Description
TemplateId The Keyfactor Command reference ID of the certificate template the regular expression is associated with.
SubjectPart A string indicating the portion of the subject the regular expression applies to (e.g. CNClosed A common name (CN) is the component of a distinguished name (DN) that represents the primary name of the object. The value varies depending on the type of object. For a user object, this would be the user's name (e.g. CN=John Smith). For SSL certificates, the CN is typically the fully qualified domain name (FQDN) of the host where the SSL certificate will reside (e.g. servername.keyexample.com or www.keyexample.com).).
RegEx

A string specifying the regular expression against which data entered in the indicated subject part field (e.g. CN) in the enrollment pages of the Keyfactor Command Management Portal or using an APIClosed A set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command. enrollment method will be validated.

Use the GET /Templates/SubjectParts method (see GET Templates Subject Parts) to retrieve a list of all the supported subject parts.

ClosedShow regular expression examples.

Error A string specifying the error message displayed to the user when the subject part referenced in the CSR or entered for a PFX enrollment does not match the given regular expression. Note that the error message already includes a leading string with the subject part (e.g. "Common Name:" or "Invalid CN provided:" depending on the interface used). Your custom message follows this.

For example:

"TemplateRegexes": [
   {
      "TemplateId": 57,
      "SubjectPart": "O",
      "Regex": "^(?:Key Example Company|Key Example\, Inc\.)$",
      "Error": "Organization must be Key Example, Inc or Key Example Company."
   }
]
TemplateDefaults Body

An object containing individual template-level template default settings. Template defaults defined on a template apply to enrollments made with that template only. Template-level defaults, if defined, take precedence over system-wide template defaults. For more information about system-wide template defaults, see GET Templates Settings. ClosedShow template default details.

For example:

"TemplateDefaults": [
   {
      "SubjectPart": "L",
      "Value": "Denver"
   },
   {
      "SubjectPart": "ST",
      "Value": "Colorado"
   }
]
TemplatePolicy Body

An object containing the individual template-level template policy settings. Template policies defined on a template apply to enrollments made with that template only. Template-level policies, if defined, take precedence over system-wide template policies. For more information about system-wide template policies, see GET Templates Settings. ClosedShow template policy details.

For example:

"TemplatePolicy": {
   "TemplateId": 17,
   "RSAValidKeySizes": [
      2048,
      4096
   ],
   "ECCValidCurves": [
      "1.2.840.10045.3.1.7",
      "1.3.132.0.34"
      "1.3.132.0.35"
   ],
   "AllowKeyReuse": false,
   "AllowWildcards": true,
   "RFCEnforcement": true,
   "AllowEd448": false,
   "AllowEd25519": false
}
UseAllowedRequesters Body A Boolean that indicates whether the Restrict Allowed Requesters option should be enabled (true) or not (false). The Restrict Allowed Requesters option is used to select Keyfactor Command security roles that a user must belong to in order to successfully enroll for certificates in Keyfactor Command using this template. This is typically used for EJBCA templates and Microsoft templates that are not in the local Active Directory forestClosed An Active Directory forest (AD forest) is the top most logical container in an Active Directory configuration that contains domains, and objects such as users and computers., since in these cases, Keyfactor Command cannot make use of the access control model of the CA itself to determine which users can enroll for certificates; this setting replaces that functionality. This setting is similar to setting request certificates for the selected security roles at the template level on a Microsoft CA. In addition to granting permissions at the template level, you need enable the Restrict Allowed Requesters option to grant permissions at the CA level. See Adding or Modifying a CA Record in the Keyfactor Command Reference Guide for more information.
AllowedRequesters Body

An object containing the list of Keyfactor Command security roles—as strings—that have been granted enroll permission on the template.

For example:

"AllowedRequesters": [
   "Administrator",
   "Power Users",
   "Revokers"
]
RequiresApproval Body

A Boolean indicating whether the template has been configured with the Microsoft CA certificate manager approval option enabled (true) or not (false).

Important:  Any templates that are configured on the Microsoft CA Issuance Requirements tab for CA certificate manager approval cannot be used for enrollment and associated alerting in Keyfactor Command without configuring private key retention. Any of the enabled private key retention settings (settings other than none as described for KeyRetention) will allow a template requiring manager approval to work with Keyfactor Command PFX and CSR enrollment.

Figure 427: Microsoft Issuance Requirements on a Template for Manager Approval

KeyUsage Body

An integer indicating the total key usage of the certificate. Key usage is stored in Active Directory as a single value made of a combination of values. ClosedShow value details.

For example, a value of 160 would represent a key usage of digital signature with key encipherment. A value of 224 would add nonrepudiation to those.

Curve Body

A string indicating the OIDClosed Object identifiers or OIDs are a standardized system for identifying any object, concept, or "thing" with a globally unambiguous persistent name. of the elliptic curve algorithm configured for the template, for ECC templates. Well-known OIDs include:

  • 1.2.840.10045.3.1.7 = P-256/prime256v1/secp256r1

  • 1.3.132.0.34 = P-384/secp384r1

  • 1.3.132.0.35 = P-521/secp521r1

Table 618: PUT Templates Response Body

Name Description
Id An integer indicating the ID of the template in Keyfactor Command.
CommonName A string containing the common name (short name) of the template. This name typically does not contain spaces. For a template created using a Microsoft management tool, this will be the Microsoft template name. For a template generated for an EJBCA CA, this will be built using a naming scheme of <end entity profile name>_<certificate profile name>.This field is populated based on information retrieved from the CA and is not configurable.
TemplateName A string containing the name of the template. For a template created using a Microsoft management tool, this will be the Microsoft template display name. For a template generated for an EJBCA CA, this will be built using a naming scheme of <end entity profile name> (<certificate profile name>). This field is populated based on information retrieved from the CA and is not configurable.
Oid A string containing the object ID of the template in Active Directory. For Microsoft templates, this field is populated from Active Directory. For EJBCA templates, this field is generated within Keyfactor Command as an object identifierClosed Object identifiers or OIDs are a standardized system for identifying any object, concept, or "thing" with a globally unambiguous persistent name., but does not follow official OID conventions. The field is not configurable.
KeySize A string indicating the minimum supported key size of the template as defined by the CA. The field is not configurable.
KeyType A string indicating the key type of the template as defined by the CA. The field is not configurable.
ForestRoot A string indicating the forest root of the template. For Microsoft templates, this field is populated from Active Directory and is not configurable.
Note:  The ForestRoot has been replaced by the ConfigurationTenant from release 10, but is retained for backwards compatibility.
ConfigurationTenant A string indicating the configuration tenantClosed A grouping of CAs. The Microsoft concept of forests is not used in EJBCA so to accommodate the new EJBCA functionality, and to avoid confusion, the term forest needed to be renamed. The new name is configuration tenant. For EJBCA, there would be one configuration tenant per EJBCA server install. For Microsoft, there would be one per forest. Note that configuration tenants cannot be mixed, so Microsoft and EJBCA cannot exist on the same configuration tenant. of the template. For Microsoft templates, this field is populated from Active Directory. For EJBCA templates, this field is populated from the Keyfactor Command CA record. The field is not configurable.
FriendlyName A string indicating the Keyfactor Command friendly name of the template. Template friendly names, if configured, appear in the dropdowns for PFX enrollment, CSR enrollment, and CSR generation in place of the template names. This can be useful in environments where the template names are long or not very human readable.
KeyRetention

A string indicating the type of key retention certificates enrolled with this template will use to store their private key in Keyfactor Command. ClosedShow key retention details.

KeyRetentionDays An integer indicating the number of days a certificate’s private key will be retained in Keyfactor Command before being scheduled for deletion, if private key retention is enabled.
KeyArchival

A Boolean indicating whether the template has been configured with the key archival setting in Active Directory (true) or not (false). This is a reference field and is not configurable.

EnrollmentFields

An object containing custom enrollment fields. These are configured on a per-template basis to allow you to submit custom fields with CSR enrollments and PFX enrollments to supply custom request attributes to the CA during the enrollment process. This functionality offers such benefits as:

  • Preventing users from requesting invalid certificates, based on your specific certificate requirements per template.
  • Providing additional information to the CA with the CSR.

Once created on the template, these values are shown in Keyfactor Command on the PFX and CSR enrollment pages in the Additional Enrollment Fields section. The fields are mandatory during enrollment. The data will appear on the CA / Issued Certificates attribute tab for certificates enrolled with a template configured with Keyfactor Command enrollment fields.

Note:  These are not metadata fields, so they are not stored in the Keyfactor Command database, but simply passed through to the CA. The CA in turn could, via a gateway or policy module, use this data to perform required actions.

ClosedShow enrollment field details.

MetadataFields

An object containing template-level metadata field settings. Template-level metadata field configurations can override global metadata field configurations in these possible ways:

  • Configuration on the metadata field of required, optional or hidden.

  • The default value for the metadata field.

  • A regular expression defined for the field (string fields only) against which entered data will be validated along with its associated message.

  • For fields of data type multiple choice, the list of values that appear in multiple choice dropdowns.

Metadata field settings defined on a template apply to enrollments made with that template only. Template-level metadata field settings, if defined, take precedence over global-level metadata field settings.

ClosedShow metadata field details.

AllowedEnrollmentTypes

An integer indicating the type of enrollment allowed for the certificate template. Setting these options causes the template to appear in dropdowns in the corresponding section of the Management Portal. In the case of CSR Enrollment and PFX Enrollment, the templates only appear in dropdowns on the enrollment pages if they are available for enrollment from a CA also configured for enrollment within Keyfactor Command. See Adding or Modifying a CA Record in the Keyfactor Command Reference Guide for more information. ClosedShow allowed enrollment type details.

TemplateRegexes

An object containing individual template-level regular expressions against which to validate the subject data. Regular expressions defined on a template apply to enrollments made with that template only. Template-level regular expressions, if defined, take precedence over system-wide regular expressions. For more information about system-wide regular expressions, see GET Templates Settings. ClosedShow regular expression details.

Name Description
TemplateId The Keyfactor Command reference ID of the certificate template the regular expression is associated with.
SubjectPart A string indicating the portion of the subject the regular expression applies to (e.g. CN).
RegEx

A string specifying the regular expression against which data entered in the indicated subject part field (e.g. CN) in the enrollment pages of the Keyfactor Command Management Portal or using an API enrollment method will be validated.

Use the GET /Templates/SubjectParts method (see GET Templates Subject Parts) to retrieve a list of all the supported subject parts.

ClosedShow regular expression examples.

Error A string specifying the error message displayed to the user when the subject part referenced in the CSR or entered for a PFX enrollment does not match the given regular expression. Note that the error message already includes a leading string with the subject part (e.g. "Common Name:" or "Invalid CN provided:" depending on the interface used). Your custom message follows this.
TemplateDefaults

An object containing individual template-level template default settings. Template defaults defined on a template apply to enrollments made with that template only. Template-level defaults, if defined, take precedence over system-wide template defaults. For more information about system-wide template defaults, see GET Templates Settings. ClosedShow template default details.

TemplatePolicy

An object containing the individual template-level template policy settings. Template policies defined on a template apply to enrollments made with that template only. Template-level policies, if defined, take precedence over system-wide template policies. For more information about system-wide template policies, see GET Templates Settings. ClosedShow template policy details.

UseAllowedRequesters A Boolean that indicates whether the Restrict Allowed Requesters option should be enabled (true) or not (false). The Restrict Allowed Requesters option is used to select Keyfactor Command security roles that a user must belong to in order to successfully enroll for certificates in Keyfactor Command using this template. This is typically used for EJBCA templates and Microsoft templates that are not in the local Active Directory forest, since in these cases, Keyfactor Command cannot make use of the access control model of the CA itself to determine which users can enroll for certificates; this setting replaces that functionality. This setting is similar to setting request certificates for the selected security roles at the template level on a Microsoft CA. In addition to granting permissions at the template level, you need enable the Restrict Allowed Requesters option to grant permissions at the CA level. See Adding or Modifying a CA Record in the Keyfactor Command Reference Guide for more information.
AllowedRequesters

An object containing the list of Keyfactor Command security roles—as strings—that have been granted enroll permission on the template.

DisplayName A string indicating the Keyfactor Command display name of the template. If a template friendly name is configured, this is used as the display name. If not, the template name is used. The display name appears in the dropdowns for PFX enrollment, CSR enrollment, and CSR generation. The display name is a generated field and is not directly configurable.
RequiresApproval

A Boolean indicating whether the template has been configured with the Microsoft CA certificate manager approval option enabled (true) or not (false).

Important:  Any templates that are configured on the Microsoft CA Issuance Requirements tab for CA certificate manager approval cannot be used for enrollment and associated alerting in Keyfactor Command without configuring private key retention. Any of the enabled private key retention settings (settings other than none as described for KeyRetention) will allow a template requiring manager approval to work with Keyfactor Command PFX and CSR enrollment.

Figure 428: Microsoft Issuance Requirements on a Template for Manager Approval

KeyUsage

An integer indicating the total key usage of the certificate. Key usage is stored in Active Directory as a single value made of a combination of values. ClosedShow value details.

For example, a value of 160 would represent a key usage of digital signature with key encipherment. A value of 224 would add nonrepudiation to those.

ExtendedKeyUsages

An object containing the extended key usage information for the template. This field is populated from the CA and is not configurable. ClosedShow extended key usage details.

Curve

A string indicating the OID of the elliptic curve algorithm configured for the template, for ECC templates. Well-known OIDs include:

  • 1.2.840.10045.3.1.7 = P-256/prime256v1/secp256r1

  • 1.3.132.0.34 = P-384/secp384r1

  • 1.3.132.0.35 = P-521/secp521r1