POST Certificate Stores Approve

Documentation Suite v10.2

The POST /CertificateStores/Approve method is used to approve one or more certificate stores currently in the pending state—having been discovered using the certificate store discover option (see PUT Certificate Stores Discovery Job). If more than one certificate store is included in the array, all stores must be of the same store type (e.g. Java keystore). This endpoint An endpoint is a URL that enables the API to gain access to resources on a server. returns 204 with no content upon success.

Tip: The following permissions (see Security Overview) are required to use this feature:

CertificateStoreManagement: Modify

Permissions for certificate stores can be set at either the global or certificate store container level. See Container Permissions in the Keyfactor Command Reference Guide for more information about global vs container permissions.

Table 273: POST Certificate Stores Approve Input Parameters

Name

Description

Body

Required. The GUID of the pending certificate store.

Use the GET /CertificateStores method (see GET Certificate Stores) with a query of "Approved -eq false" to retrieve a list of all your unapproved certificate stores to determine the GUID of the store.

ContainerId

Body

An integer that identifies the container in which the certificate store should be placed on approval. Use the GET /CertificateStores/Containers method (see GET Certificate Store Containers) to retrieve a list of your defined certificate store containers to determine the container ID to use.

CertStoreType

Body

Required. An integer indicating the ID of the certificate store type, as defined in Keyfactor Command, for this certificate store. (0-Javakeystore,2-PEMFile, 3-F5SSLProfiles,4-IISRoots, 5-NetScaler, 6-IISPersonal, 7-F5WebServer, 8-IISRevoked, 9-F5WebServerREST, 10-F5SSLProfilesREST, 11-F5CABundlesREST, 100-AmazonWebServices, 101-FileTransferProtocol)

Properties

Body

Required^*. Some types of certificate stores have additional properties that are stored in this parameter A parameter or argument is a value that is passed into a function in an application.. The data is stored in a series of, typically, key value pairs that define the property name and value (see GET Certificate Store Types for more information).

When reading this field, the values are returned as simple key value pairs, with the values being individual values. When writing, the values are specified as objects, though they are typically single values.

For example, on a GET request for a PEM store configured with a separate private key Private keys are used in cryptography (symmetric and asymmetric) to encrypt or sign content. In asymmetric cryptography, they are used together in a key pair with a public key. The private or secret key is retained by the key's creator, making it highly secure., the contents of this field might be:

"{
\"privateKeyPath\":\"/opt/app/mystore.key\",
\"separatePrivateKey\":\"true\"
}"

However, the syntax used when updating the properties sets the value as a key value pair using value as the key. For example, on a POST or PUT request for a PEM store configured with a separate private key, the contents of this field might be:

"{
\"privateKeyPath\":{\"value\":\"/opt/app/mystore.key\"},
\"separatePrivateKey\":{\"value\":\"true\"}
}"

This field is required for certificate store types that store additional properties in this parameter.

Password

Body

Required. An array indicating the source for and details of the credential information Keyfactor Command will use to access the certificates in a specific certificate store (the store password). This is different from credential information Keyfactor Command uses to access a certificate store server as a whole. The former (this setting) is typically used for Java keystores; the latter is typically used for certificates stores on NetScaler and F5 devices and set at the server level, not the certificate store level (see POST Certificate Stores Server).

Certificate stores that require credentials support up to three possible credential options:

Use no store password.
This option is supported for Java keystores that would normally require a password, but can be configured with the no password option (see Value, below).
Store the credential information in the Keyfactor secrets table.
A Keyfactor secret is a user-defined password that is encrypted and stored securely in the Keyfactor Command database.
Load the credential information from a PAM provider.
See Privileged Access Management (PAM) in the Keyfactor Command Reference Guide and PAM Providers for more information.

Show password details.

Name

Description

Value

A string—submitted as an object—indicating a password to be stored as a Keyfactor secret.

Tip: To set the no password option on a store, submit the password with a null value. For example:

"Password": {
"Value": {null}
}

To set the value to a string to be stored in the Keyfactor secrets table, include the password in quotes. For example:

"Password": {
"Value": "MyVerySecurePassword"
}

SecretTypeGuid

A string indicating the Keyfactor Command reference GUID for the type of credentials. This value is automatically set by Keyfactor Command.

InstanceId

The Keyfactor Command reference ID for the secret provider. If you are using a secret provider with an integer ID, this will be used. This value is automatically set by Keyfactor Command.

InstanceGuid

The Keyfactor Command reference GUID for the secret provider. If you are using a secret provider with a GUID ID, this will be used. This value is automatically set by Keyfactor Command.

ProviderTypeParameterValues

An array containing the values for the provider types specified by ProviderTypeParams. Show PAM provider type parameter value details.

Name

Description

The Keyfactor Command reference ID for the PAM provider type parameter.

Value

The value set for the parameter (e.g. the name of the CyberArk folder where the protected object that stores the username or password resides).

InstanceId

The Keyfactor Command reference ID for the PAM provider. If you are attaching to something with an integer Id, this will be used.

InstanceGuid

The Keyfactor Command reference GUID for the PAM provider. If you are attaching to something with a GUID ID, this will be used.

Provider

An array containing information about the provider. Show PAM provider details.

Name

Description

An integer indicating the Keyfactor Command reference ID for the PAM provider.

Name

A string indicating the internal name for the PAM provider.

Area

An integer indicating the area of Keyfactor Command the provider is used for. PAM providers generally have a value of 1, indicating they are used for certificate stores.

ProviderType

An array containing details about the provider type for the provider, including:

Name

Description

A string indicating the Keyfactor Command reference GUID for the provider type.

Name

A string that indicates the name of the provider type.

Provider

Type

Params

An array of parameters that the provider type uses for data input in Keyfactor Command when creating new PAM provider and certificate store records.

See below instance of ProviderTypeParam for details.

ProviderType

ParamValues

An array containing the values for the provider types specified by ProviderTypeParams. See the previous level of ProviderTypeParamValues for details.

SecuredAreaId

An integer indicating the Keyfactor Command reference ID for the certificate store container the PAM provider is associated with, if any.

You can create a single PAM provider for each provider type (e.g. CyberArk), however, if you have opted to organize your certificate stores into containers, you will need to create multiple providers to match your container organization structure. The container field in the PAM provider definition is not required, but if one is supplied when creating a PAM provider, the PAM provider can only be used with certificate stores in the matching container. Likewise, a PAM provider defined with no container would be available for selection when setting passwords for any certificate store that also did not specify a container. A PAM provider configured in this way could be used across a variety of certificate stores (e.g. both JKS A Java KeyStore (JKS) is a file containing security certificates with matching private keys. They are often used by Java-based applications for authentication and encryption. and F5) as long as they were not in containers.

ProviderType

Param

An array of parameters that the provider type uses for data input in Keyfactor Command when creating new PAM provider and certificate store records. Show PAM provider type parameter details.

Name

Description

An integer indicating the Keyfactor Command reference ID for the PAM provider type parameter.

Name

A string indicating the internal name for the PAM provider type parameter.

DisplayName

A string indicating the display name for the PAM provider type parameter. For parameters with an InstanceLevel of false, this name appears on the PAM provider dialog for the parameter when a user creates a new PAM provider. For parameters with an InstanceLevel of true, this name appears on the Server dialog for the parameter when a user creates a new PAM provider.

DataType

An integer indicating the data type for the parameter. Possible values are:

1 = String
2 = Secret

InstanceLevel

A Boolean that sets whether the parameter is used to define the underlying PAM provider (false) or a field that needs to be set to a value when configuring a certificate store to use the PAM provider (true).

For an example, see GET PAM Providers.

ProviderType

An array containing details for the provider type.

Name	Description
Id	A string indicating the Keyfactor Command reference GUID for the PAM provider type parameter.
Name	A string indicating the internal name for the PAM provider type parameter.
ProviderTypeParams	Unused field

Provider

An integer indicating the Keyfactor Command reference ID for the PAM provider.

IsManaged

A Boolean indicating whether the credentials for the store are managed by a PAM provider (true) or stored in the Keyfactor secrets table (false). This value is automatically set by Keyfactor Command.

This field is required for Java keystores.

Tip: For code examples, see the Keyfactor API Endpoint Utility. To find the embedded web copy of this utility, click the help icon (

) at the top of the Keyfactor Command Management Portal page next to the Log Out button.

POST Certificate Stores Approve

Products

Solutions

Resources

Company