GET Templates Settings

Documentation Suite v10.2

The GET /Templates/Settings method is used to retrieve the global template A certificate template defines the policies and rules that a CA uses when a request for a certificate is received. policy settings Keyfactor Command. This method returns HTTP 200 OK on a success with details about the global template policy settings.

Tip: Template policies may also be set at an individual template level to apply to a single template (see PUT Templates). Template policies set at the individual template level take precedence over template policies set at the global level.

Tip: The following permissions (see Security Overview) are required to use this feature:

PkiManagement: Read

There are no input parameters for this method.

Table 613: GET Templates Settings Response Data

Value

Description

TemplateRegexes

An object containing the system-wide template regular expression settings. These apply to all enrollments that are not otherwise overridden by individual template settings, including those that do not use a template (e.g. from a standalone CA A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA.). Show regular expression details.

Name

Description

SubjectPart

A string indicating the portion of the subject the regular expression applies to (e.g. CN

A common name (CN) is the component of a distinguished name (DN) that represents the primary name of the object. The value varies depending on the type of object. For a user object, this would be the user's name (e.g. CN=John Smith). For SSL certificates, the CN is typically the fully qualified domain name (FQDN) of the host where the SSL certificate will reside (e.g. servername.keyexample.com or www.keyexample.com).).

RegEx

A string specifying the regular expression against which data entered in the indicated subject part field (e.g. CN) in the enrollment Certificate enrollment refers to the process by which a user requests a digital certificate. The user must submit the request to a certificate authority (CA). pages of the Keyfactor Command Management Portal or using an API A set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command. enrollment method will be validated.

Use the GET /Templates/SubjectParts method (see GET Templates Subject Parts) to retrieve a list of all the supported subject parts.

Show regular expression examples.

Subject Part	Example
CN (Common Name A common name (CN) is the component of a distinguished name (DN) that represents the primary name of the object. The value varies depending on the type of object. For a user object, this would be the user's name (e.g. CN=John Smith). For SSL certificates, the CN is typically the fully qualified domain name (FQDN) of the host where the SSL certificate will reside (e.g. servername.keyexample.com or www.keyexample.com).)	This regular expression specifies that the data entered in the field must consist of some number of characters in the first portion of the field made up only of lowercase letters, uppercase letters, numbers, apostrophes, underscores, periods, and/or hyphens followed by exactly ".keyexample.com": ^[a-zA-Z0-9'_\.\-]*\.keyexample\.com$ The default value for the Common Name regular expression is: .+ This requires entry of at least one character in the Common Name field in the enrollment pages.
O (Organization)	This regular expression requires that the organization name entered in the field be one of "Key Example Inc", "Key Example" or "Key Example Inc.": ^(?:Key Example Inc\|Key Example\|Key Example, Inc\.)$ The period in the final company name (Key Example, Inc.) needs to be escaped in the regular expression with a slash ("\") but the comma does not.
OU (Organization Unit)	This regular expression requires that the organizational unit entered in the field be one of these four departments: ^(?:IT\|HR\|Accounting\|E-Commerce)$
L (City/Locality)	This regular expression requires that the city entered in the field be one of these five cities: ^(?:Boston\|Chicago\|New York\|London\|Dallas)$
ST (State/Province)	This regular expression requires that the state entered in the field be one of these eight states: ^(?:Massachusetts\|Illinois\|New York\|Ontario\|Texas)$
C (Country)	This regular expression requires that the country entered in the field be either US or CA: ^(?:US\|CA)$
E (Email)	This regular expression specifies that the data entered in the field must consist of some number of characters prior to the "@" made up only of lowercase letters, uppercase letters, numbers, apostrophes, underscores, periods, and/or hyphens followed by exactly "@keyexample.com": ^[a-zA-Z0-9'_\.\-]*@keyexample\.com$
DNS The Domain Name System is a service that translates names into IP addresses. (Subject Alternative Name The subject alternative name (SAN) is an extension to the X.509 specification that allows you to specify additional values when enrolling for a digital certificate. A variety of SAN formats are supported, with DNS name being the most common.: DNS Name)	This regular expression specifies that the data entered in the field must consist of some number of characters in the first portion of the field made up only of lowercase letters, uppercase letters, numbers, apostrophes, underscores, periods, and/or hyphens followed by exactly either ".keyexample1.com" or ".keyexample2.com": ^[a-zA-Z0-9'_\.\-]*\.(?:keyexample1\.com\|keyexample2\.com)$
IPv4 (Subject Alternative Name: IPv4 Address)	This regular expression specifies that the data entered in the field must be exactly "130.101." followed by anywhere between 1 and 3 numbers followed by exactly "." followed by anywhere between 1 and 3 numbers: ^130\.101\.(?:[0-9]{1,3})\.(?:[0-9]{1,3})$ This regular expression specifies only that the IPv4 address is made up of 4 sets of between 1 and 3 numbers separated by periods: ^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$
IPv6 (Subject Alternative Name: IPv6 Address)	This regular expression specifies that the data entered in the field must be made up of eight sets of between one and four numbers and/or uppercase letters separated by colons: ^(?:[A-F0-9]{1,4}:){7}[A-F0-9]{1,4}$
MAIL (Subject Alternative Name: Email)	This regular expression specifies that the data entered in the field must consist of some number of characters prior to the "@" made up only of lowercase letters, uppercase letters, numbers, apostrophes, underscores, periods, and/or hyphens followed by exactly "@keyexample.com": ^[a-zA-Z0-9'_\.\-]*@keyexample\.com$
UPN (Subject Alternative Name: User Principal Name)	This regular expression specifies that the data entered in the field must consist of some number of characters prior to the "@" made up only of lowercase letters, uppercase letters, numbers, apostrophes, underscores, periods, and/or hyphens followed by exactly "@keyexample.com": ^[a-zA-Z0-9'_\.\-]*@keyexample\.com$

Error

A string specifying the error message displayed to the user when the subject part referenced in the CSR

A CSR or certificate signing request is a block of encoded text that is submitted to a CA when enrolling for a certificate. When you generate a CSR within Keyfactor Command, the matching private key for it is stored in Keyfactor Command in encrypted format and will be married with the certificate once returned from the CA. or entered for a PFX

A PFX file (personal information exchange format), also known as a PKCS#12 archive, is a single, password-protected certificate archive that contains both the public and matching private key and, optionally, the certificate chain. It is a common format for Windows servers. enrollment does not match the given regular expression. Note that the error message already includes a leading string with the subject part (e.g. "Common Name:" or "Invalid CN provided:" depending on the interface used). Your custom message follows this.

For example:

"TemplateRegexes": [
   {
      "SubjectPart": "O",
      "Regex": "^(?:Key Example Company|Key Example\, Inc\.)$",
      "Error": "Organization must be Key Example, Inc or Key Example Company."
   }
]

TemplateDefaults

An object containing the system-wide template default settings. These apply to all enrollments that are not otherwise overridden by individual template settings, including those that do not use a template (e.g. from a standalone CA). Show template default details.

For example:

"TemplateDefaults": [
   {
      "SubjectPart": "L",
      "Value": "Denver"
   },
   {
      "SubjectPart": "ST",
      "Value": "Colorado"
   }
]

Note: See also the Subject Format application setting, which takes precedence over enrollment defaults at both the system-wide and template level (see Application Settings: Enrollment Tab in the Keyfactor Command Reference Guide) but does not apply to enrollment requests done through the Keyfactor API.

TemplatePolicy

An array containing the system-wide template policy settings. These apply to all enrollments that are not otherwise overridden by individual template settings, including those that do not use a template (e.g. from a standalone CA). Show template policy details.

For example:

"TemplatePolicy": {
   "RSAValidKeySizes": [
      2048,
      4096
   ],
   "ECCValidCurves": [
      "1.2.840.10045.3.1.7",
      "1.3.132.0.34"
      "1.3.132.0.35"
   ],
   "AllowKeyReuse": false,
   "AllowWildcards": true,
   "RFCEnforcement": true,
   "AllowEd448": false,	
   "AllowEd25519": false													
}

Tip: For code examples, see the Keyfactor API Endpoint Utility. To find the embedded web copy of this utility, click the help icon (

) at the top of the Keyfactor Command Management Portal page next to the Log Out button.

GET Templates Settings

Products

Solutions

Resources

Company