PUT Certificate Stores Discovery Job
The PUT /CertificateStores/DiscoveryJob method is used to schedule a discovery job for certificate stores. The certificate store discovery feature is used to scan machines and devices for existing certificates and certificate stores, which can then be configured for management in Keyfactor Command. Certificate store discovery is supported for:
- PEM and Java certificate stores discovered by the Keyfactor Java Agent. Only stores to which the service account running the Keyfactor Java Agent has at least read permissions will be returned on a discover job.
  - PEM: A PEM format certificate file is a base64-encoded certificate. Since it's presented in ASCII, you can open it in any text editor. PEM certificates always begin and end with entries like -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. PEM certificates can contain a single certificate or a full certificate chain and may contain a private key. Usually, extensions of .cer and .crt are certificate files with no private key, .key is a separate private key file, and .pem is both a certificate and private key.
  - Java Agent: The Java Agent, one of Keyfactor's suite of orchestrators, is used to perform discovery of Java keystores and PEM certificate stores, to inventory discovered stores, and to push certificates out to stores as needed.
- F5 bundle and SSL certificates discovered by the Keyfactor Windows Orchestrator on F5 devices using the F5 REST API (v14 and up).
  - SSL: TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are protocols for establishing authenticated and encrypted links between networked computers.
  - Windows Orchestrator: The Windows Orchestrator, one of Keyfactor's suite of orchestrators, is used to manage synchronization of certificate authorities in remote forests, run SSL discovery and management tasks, and interact with Windows servers as well as F5 devices, NetScaler devices, Amazon Web Services (AWS) resources, and FTP capable devices, for certificate management. In addition, the AnyAgent capability of the Windows Orchestrator allows it to be extended to create custom certificate store types and management capabilities regardless of source platform or location.
  - API: A set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command.
- F5 bundle and SSL certificates discovered by the Keyfactor Universal Orchestrator with a custom extension to support F5. For more information about the Keyfactor Universal Orchestrator and custom extensions, see Universal Orchestrator in the Installing Orchestrators.
  - Universal Orchestrator: The Keyfactor Universal Orchestrator, one of Keyfactor's suite of orchestrators, is used to interact with Windows servers (a.k.a. IIS certificate stores) and FTP capable devices for certificate management, run SSL discovery and management tasks, and manage synchronization of certificate authorities in remote forests. With the addition of custom extensions, it can run custom jobs to provide certificate management capabilities on a variety of platforms and devices (e.g. F5 devices, NetScaler devices, Amazon Web Services (AWS) resources) and execute tasks outside the standard list of certificate management functions. It runs on either Windows or Linux.
  - Orchestrators: Keyfactor orchestrators perform a variety of functions, including managing certificate stores and SSH key stores.
- Any custom certificate store types configured to support this function.
This endpoint returns 204 with no content upon success. (An endpoint is a URL that enables the API to gain access to resources on a server.) The method schedules the discovery job through the orchestrator. The results of the discovery job are determined separately (see POST Certificate Stores Approve).
Permissions for certificate stores can be set at either the global or certificate store container level. See Container Permissions in the Keyfactor Command Reference Guide for more information about global vs container permissions.
Table 270: PUT Certificate Stores Discovery Job Input Parameters
Name | In | Description |
---|---|---|
ClientMachine | Body | Required. A string indicating the name in Keyfactor Command of the client machine that will do the discovery. This is not necessarily the actual DNS |
AgentId | Body | Required. A string indicating the Keyfactor Command reference GUID of the orchestrator for this store. |
Type | Body | An integer indicating the ID of the certificate store type, as defined in Keyfactor Command, for this certificate store. (0-Javakeystore, 2-PEMFile, 3-F5SSLProfiles, 4-IISRoots, 5-NetScaler, 6-IISPersonal, 7-F5WebServer, 8-IISRevoked, 9-F5WebServerREST, 10-F5SSLProfilesREST, 11-F5CABundlesREST, 100-AmazonWebServices, 101-FileTransferProtocol) The default is 0 for a JKS |
JobExecutionTimestamp | Body | The date and time at which the discovery job should run. If no date is provided, the job will be scheduled to run immediately. The date and time should be given using the ISO 8601 UTC time format YYYY-MM-DDTHH:mm:ss.000Z (e.g. 2021-05-19T16:23:01Z). |
Dirs | Body | Required. A string containing the directory or directories to search during the discovery job. Multiple directories should be separated by commas. For Java discovery, enter at a minimum either "/" for a Linux server or "c:\" for a Windows server. For PEM discovery, enter at a minimum either "/" for a Linux server or "c:\" for a Windows server. For F5 discovery, enter "/". |
IgnoredDirs | Body | A string containing the directories that should not be included in the search. Multiple directories should be separated by commas. |
Extensions | Body | A string containing the file extensions for which to search. For example, search for files with the extension "jks" in order to exclude files with other extensions such as "txt". The dot should not be included when specifying extensions. |
NamePatterns | Body | A string against which to compare the file names of certificate store files and return only those that contain the specified string (e.g. "myjks"). |
SymLinks | Body | A Boolean that sets whether the job should follow symbolic links on Linux and UNIX operating systems and report both the actual location of a found certificate store file and the symbolic link pointing to the file. This option is ignored on Windows. |
Compatibility | Body | A Boolean that sets whether the job will run using the compatibility mode introduced in Java version 1.8 to locate both JKS and PKCS12 type files (true) or not (false). This option applies only to Java keystore discover jobs. |
ServerUsername | Body | Required*. The username used to connect to the certificate store server. Note: Secret data is stored in the secrets table or a PAM provider and is not returned in responses. This field is required only for select certificate store types that require authentication at the server level. These include F5, FTP, NetScaler, and any custom method you've defined to support this. |
ServerPassword | Body | Required*. The password used to connect to the certificate store server. Note: Secret data is stored in the secrets table or a PAM provider and is not returned in responses. This field is required only for select certificate store types that require authentication at the server level. These include F5, FTP, NetScaler, and any custom method you've defined to support this. |
ServerUseSsl | Body | A Boolean that indicates whether Keyfactor Command will use SSL to communicate with the certificate store server (true) or not (false). The default is false. |
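
The following added example (not Keyfactor code) checks a discovery job request body against the parameter table above before it is submitted: required fields, known Type IDs, the timestamp format, dot-free extensions, and, for store types that authenticate to the server, the presence of credentials and an explicit ServerUseSsl of true. Assumptions: the host name and GUID are placeholders, Extensions is treated as comma-separated like Dirs, and the set of credentialed Type IDs is read off the F5, FTP and NetScaler names in the Type row.

```python
import json
import re
from datetime import datetime, timezone

# Type IDs copied from the Type row of the input parameter table.
STORE_TYPES = {0: "Javakeystore", 2: "PEMFile", 3: "F5SSLProfiles", 4: "IISRoots",
               5: "NetScaler", 6: "IISPersonal", 7: "F5WebServer", 8: "IISRevoked",
               9: "F5WebServerREST", 10: "F5SSLProfilesREST", 11: "F5CABundlesREST",
               100: "AmazonWebServices", 101: "FileTransferProtocol"}
# F5, FTP and NetScaler types authenticate to the store server (ServerUsername row).
NEEDS_SERVER_AUTH = {3, 5, 7, 9, 10, 11, 101}
TS_RE = re.compile(r"\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(\.\d{3})?Z")

def job_timestamp(when):
    """Format a timezone-aware datetime as ISO 8601 UTC (2021-05-19T16:23:01Z)."""
    if when.tzinfo is None:
        raise ValueError("naive datetime: attach a timezone before scheduling")
    return when.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def check_discovery_body(body):
    """Return a list of problems found in a DiscoveryJob request body."""
    problems = [f"missing required field {k}"
                for k in ("ClientMachine", "AgentId", "Dirs") if not body.get(k)]
    store_type = body.get("Type", 0)  # the table gives 0 as the default
    if store_type not in STORE_TYPES:
        problems.append(f"unknown Type {store_type!r}")
    ts = body.get("JobExecutionTimestamp")
    if ts is not None and not TS_RE.fullmatch(str(ts)):
        problems.append("JobExecutionTimestamp is not ISO 8601 UTC")
    # Assumption: Extensions is comma-separated, like Dirs.
    if any(e.strip().startswith(".") for e in (body.get("Extensions") or "").split(",")):
        problems.append("Extensions must not include the dot")
    if store_type in NEEDS_SERVER_AUTH:
        if not (body.get("ServerUsername") and body.get("ServerPassword")):
            problems.append("ServerUsername and ServerPassword are required for this Type")
        if body.get("ServerUseSsl") is not True:
            problems.append("ServerUseSsl is not true (the default is false)")
    return problems

# Constructed sample: PEM discovery; host name and GUID are placeholders.
SAMPLE = {"ClientMachine": "appsrv01.example.com",
          "AgentId": "00000000-0000-0000-0000-000000000000", "Type": 2,
          "JobExecutionTimestamp": job_timestamp(
              datetime(2021, 5, 19, 16, 23, 1, tzinfo=timezone.utc)),
          "Dirs": "/etc/ssl,/opt/app", "IgnoredDirs": "/proc,/sys",
          "Extensions": "pem,crt", "SymLinks": False}

if __name__ == "__main__":
    print(json.dumps(SAMPLE, indent=2), check_discovery_body(SAMPLE))
```

An empty list means the body is consistent with the table; it does not confirm that the orchestrator or client machine exists in Keyfactor Command.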
