GET Certificates

The GET /Certificates method is used to return a list of certificates with certificate details. Results can be limited to selected keys using filtering, and URL parameters can be used to specify paging and the level of information detail. This method returns HTTP 200 OK on a success with the requested certificates, as determined by filtering, and their certificate details.

Tip:  The following permissions (see Security Overview) are required to use this feature:

Certificates: Global Read, or Collection ID Read

Certificate permission can be granted at either the global or collectionClosed The certificate search function allows you to query the Keyfactor Command database for certificates from any available source based on any criteria of the certificates and save the results as a collection that will be availble in other places in the Management Portal (e.g. expiration alerts and certain reports). level. See note under CollectionId, below.

Table 206: GET Certificates Input Parameters

Name In Description
includeLocations Query A Boolean that sets whether to include the Locations data in the response (true) or not (false). If false is selected, the LocationsCount and Locations fields will still appear in the response, but they will contain no data. The default is false.
includeMetadata Query A Boolean that sets whether to include the Metadata data in the response (true) or not (false). If false is selected, the Metadata field will still appear in the response, but it will contain no data. The default is false.
includeHasPrivateKey Query A Boolean that sets whether to include the correct value for HasPrivateKey in the response (true) or not (false). If false is selected, the HasPrivateKey field will appear in the response with a value of false regardless of whether the certificate actually has a stored private keyClosed Private keys are used in cryptography (symmetric and asymmetric) to encrypt or sign content. In asymmetric cryptography, they are used together in a key pair with a public key. The private or secret key is retained by the key's creator, making it highly secure. or not. The default is false.
CollectionId Query

An integer specifying an optional certificate collection identifier to validate that the user executing the request has sufficient permissions to do so. If a certificate collection ID is not supplied, the user must have global permissions to complete the action. Supplying a certificate collection ID allows for a check of the user's certificate collection-level permissions to determine whether the user has sufficient permissions at a collection level to complete the action. See Certificate Permissions in the Keyfactor Command Reference Guide for more information.

includeRevoked Query A Boolean that sets whether to include revoked certificates in the results (true) or not (false). The default is false.
includeExpired Query A Boolean that sets whether to include expired certificates in the results (true) or not (false). The default is false.
queryString Query A string containing a query to limit the results (e.g. field1 -eq value1 AND field2 -gt value2). The default is to return all records. Fields available for querying through the APIClosed A set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command. for the most part match those that appear in the Keyfactor Command Management Portal search dropdowns for the same feature. For querying guidelines, refer to the Keyfactor Command Reference GuideCertificate Search Page. The query fields supported for this endpointClosed An endpoint is a URL that enables the API to gain access to resources on a server. are:
  • ArchivedKey
  • EKU
  • OU
  • SigningAlgorithm
  • CertId
  • EKUName
  • NetBIOSPrincipal (alias: PrincipalName)
  • SSLDNSName
  • CA
  • HasPrivateKey
  • PublicKey
  • SSLIPAddress (alias: SslHostName)
  • CertState
  • ImportDate
  • NetBIOSRequester (alias: RequesterName)
  • SSLNetworkName
  • CertStoreFQDN (alias: JavaKeystoreFQDN)
  • IssuedDate (aliases: NotBefore and EffectiveDate)
  • RevocationDate (alias: RevocationEffDate)
  • SSLPort
  • CertStorePath (alias: JavaKeystorePath)
  • IssuerDN
  • Revoker
  • SAN
  • CN (alias: IssuedCN)
  • KeySize (alias: KeySizeInBits)
  • RFC2818Compliant
  • TemplateDisplayName (alias: TemplateName)
  • DN (alias: IssuedDN)
  • KeyType
  • SelfSigned
  • TemplateShortName
  • ExpirationDate (alias: NotAfter)
  • KeyUsage
  • SerialNumber
  • Thumbprint
The following fields have been deprecated and will be ignored if included in a request:
  • CARequestID
  • CertRequestId
  • IsPfx
  • RequestResolutionDate
Note:  Queries may be done using either the primary field name or the field alias(es).
pageReturned Query An integer that specifies how many multiples of the returnLimit to skip and offset by before returning results, to enable paging. The default is 1.
returnLimit Query An integer that specifies how many results to return per page. The default is 50.
sortField Query A string containing the property by which the results should be sorted. Fields available for sorting through the API for the most part match those that appear as sortable columns in the Keyfactor Command Management Portal. The default sort field is Id.
sortAscending Query An integer that sets the sort order on the returned results. A value of 0 sorts results in ascending order while a value of 1 sorts results in descending order. The default is ascending.

Table 207: GET Certificates Response Data

Name Description
Id An integer indicating the Keyfactor Command reference ID of the certificate.
Thumbprint A string indicating the thumbprint of the certificate.
SerialNumber A string indicating the serial number of the certificate.
IssuedDN A string indicating the distinguished name of the certificate.
IssuedCN A string indicating the common nameClosed A common name (CN) is the component of a distinguished name (DN) that represents the primary name of the object. The value varies depending on the type of object. For a user object, this would be the user's name (e.g. CN=John Smith). For SSL certificates, the CN is typically the fully qualified domain name (FQDN) of the host where the SSL certificate will reside (e.g. servername.keyexample.com or www.keyexample.com). of the certificate.
ImportDate The date, in UTC, on which the certificate was imported into Keyfactor Command.
NotBefore The date, in UTC, on which the certificate was issued by the certificate authorityClosed A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA..
NotAfter The date, in UTC, on which the certificate expires.
IssuerDN A string indicating the distinguished name of the issuer.
PrincipalId An integer indicating the Keyfactor Command reference ID of the principal (UPN) that requested the certificate. Typically, this field is only populated for end user certificates requested through Keyfactor Command (e.g. Mac auto-enrollmentClosed Certificate enrollment refers to the process by which a user requests a digital certificate. The user must submit the request to a certificate authority (CA). certificates). See also PrinicpalName.
TemplateId An integer indicating the Keyfactor Command reference ID of the templateClosed A certificate template defines the policies and rules that a CA uses when a request for a certificate is received. associated with the certificate.
CertState An integer specifying the state of the certificate. ClosedShow certificate state details.
KeySizeInBits An integer specifying the key sizeClosed The key size or key length is the number of bits in a key used by a cryptographic algorithm. in bits.
KeyType An integer specifying the key typeClosed The key type identifies the type of key to create when creating a symmetric or asymmetric key. It references the signing algorithm and often key size (e.g. AES-256, RSA-2048, Ed25519). of the certificate. ClosedShow key type details.
RequesterId An integer indicating the Keyfactor Command reference ID of the identity that requested the certificate. See also RequesterName.
IssuedOU A string indicating the organizational unit of the certificate.
IssuedEmail A string indicating the email address of the certificate.
KeyUsage

An integer indicating the total key usage of the certificate. Key usage is stored in Active Directory as a single value made of a combination of values. ClosedShow value details.

For example, a value of 160 would represent a key usage of digital signature with key encipherment. A value of 224 would add nonrepudiation to those.
SigningAlgorithm A string indicating the algorithm used to sign the certificate.
CertStateString A string containing the certificate state. The possible values are:
  • Unknown (0)
  • Active (1)
  • Revoked (2)
  • Denied (3)
  • Failed (4)
  • Pending (5)
  • Certificate Authority (6)
  • Parent Certificate Authority (7)
  • External Validation (8)
KeyTypeString A string containing the key type description (e.g. RSA) as per the types and descriptions shown for KeyType.
RevocationEffDate The date, in UTC, on which the certificate was revoked, if applicable.
RevocationReason An integer indicating the reason the certificate was revoked. ClosedShow revocation reason details.
RevocationComment An internally used Keyfactor Command field.
CertificateAuthorityId An integer indicating the Keyfactor Command reference ID of the certificate authority that issued the certificate.
CertificateAuthorityName A string indicating the certificate authority that issued the certificate.
TemplateName A string indicating the name of the template that was used when issuing the certificate.
ArchivedKey A Boolean that indicates whether the certificate has a key archived in the issuing CA (true) or not (false).
HasPrivateKey A Boolean that indicates whether the certificate has a private key stored in Keyfactor Command (true) or not (false)
PrincipalName A string containing the name of the principal (UPN) that requested the certificate. Typically, this field is only populated for end user certificates requested through Keyfactor Command (e.g. Mac auto-enrollment certificates).
CertRequestId An integer containing the Keyfactor Command reference ID of the certificate request.
RequesterName A string containing the name of the identity that requested the certificate.
ContentBytes A string containing the certificate as bytes.
ExtendedKeyUsages

An array containing the extended key usages associated with the certificate. ClosedShow Extended Key details.
SubjectAltNameElements An array containing the subject alternative nameClosed The subject alternative name (SAN) is an extension to the X.509 specification that allows you to specify additional values when enrolling for a digital certificate. A variety of SAN formats are supported, with DNS name being the most common. elements of the certificate. ClosedShow SAN details.
CRLDistributionPoints An array containing the distribution points for the certificate revocation lists the certificate could be in. ClosedShow CRL distribution point details.
LocationsCount An array containing a count of how many certificates are in each location type. This returns a list of type and count combination. For example:
"LocationsCount": [
   {
      "Type": "IIS",
      "Count": 2
   },
   {
      "Type": "F5-SL-REST",
      "Count": 1
   }
]
SSLLocations

An array containing the locations where the certificate is found using SSLClosed TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are protocols for establishing authenticated and encrypted links between networked computers. discovery. ClosedShow SSL location details.
Locations An array containing the locations where the certificate is found using certificate store inventorying. ClosedShow certificate store location details.
MetadataClosed Metadata provides information about a piece of data. It is used to summarize basic information about data, which can make working with the data easier. In the context of Keyfactor Command, the certificate metadata feature allows you to create custom metadata fields that allow you to tag certificates with tracking information about certificates. An array containing the metadata fields populated for the certificate.
CertificateKeyId An integer indicating the Keyfactor Command reference ID for the private key, if one exists, and public keyClosed In asymmetric cryptography, public keys are used together in a key pair with a private key. The private key is retained by the key's creator while the public key is widely distributed to any user or target needing to interact with the holder of the private key. of the certificate.
CARowIndex

An integer containing the CA's reference ID for certificate.

Note:  The CARowIndex has been replaced by CARecordId, but will remain for backward compatibility. It will only contain a non-zero value for certificates issued by Microsoft CAs. For Microsoft CA certificates, the CARowIndex will be equal to the CARecordId value parsed to an integer.
CARecordId A string containing the CA's reference ID for certificate.
DetailedKeyUsage

An array containing details of the key usage configured for the certificate. ClosedShow detailed key usage details.
KeyRecoverable A Boolean that indicates whether the certificate key is recoverable (true) or not (false).
Curve

A string indicating the OID of the elliptic curve algorithm configured for the certificate, for ECC templates. Well-known OIDs include:

  • 1.2.840.10045.3.1.7 = P-256/prime256v1/secp256r1

  • 1.3.132.0.34 = P-384/secp384r1

  • 1.3.132.0.35 = P-521/secp521r1
Tip:  For code examples, see the Keyfactor API Endpoint Utility. To find the embedded web copy of this utility, click the help icon () at the top of the Keyfactor Command Management Portal page next to the Log Out button.