PUT Templates

A string indicating the type of key retention certificates enrolled with this template will use to store their private key Private keys are used in cryptography (symmetric and asymmetric) to encrypt or sign content. In asymmetric cryptography, they are used together in a key pair with a public key. The private or secret key is retained by the key's creator, making it highly secure. in Keyfactor Command. Show key retention details.

A Boolean indicating whether the template has been configured with the key archival setting in Active Directory (true) or not (false). This is a reference field and is not configurable.

An object containing template-level metadata field settings. Template-level metadata field configurations can override global metadata field configurations in these possible ways:

• Configuration on the metadata field of required, optional or hidden.

• The default value for the metadata field.

• A regular expression defined for the field (string fields only) against which entered data will be validated along with its associated message.

• For fields of data type multiple choice, the list of values that appear in multiple choice dropdowns.

Metadata field settings defined on a template apply to enrollments made with that template only. Template-level metadata field settings, if defined, take precedence over global-level metadata field settings.

Show metadata field details.

For example:

"MetadataFields": [
   {
      "Id": 4,
      "DefaultValue": "reggie.wallace@keyexample.com",
      "MetadataId": 4,
      "Validation": "^[a-zA-Z0-9'_\\.\\-]*@(keyexample\\.org|keyexample\\.com)$",
      "Enrollment": 1,
      "Message": "Your email address must be of the form user@keyexample.com or fname.lname@keyexample.com."
   },
   {
      "Id": 13,
      "DefaultValue": "E-Business",
      "MetadataId": 5,
      "Validation": "",
      "Enrollment": 0,
      "Message": "",
      "Options": "Accounting,E-Business,Executive,HR,IT,Marketing,R&D,Sales"
   }
]

An object containing individual template-level regular expressions against which to validate the subject data. Regular expressions defined on a template apply to enrollments made with that template only. Template-level regular expressions, if defined, take precedence over system-wide regular expressions. For more information about system-wide regular expressions, see GET Templates Settings. Show regular expression details.

Name	Description
TemplateId	The Keyfactor Command reference ID of the certificate template the regular expression is associated with.
SubjectPart	A string indicating the portion of the subject the regular expression applies to (e.g. CN A common name (CN) is the component of a distinguished name (DN) that represents the primary name of the object. The value varies depending on the type of object. For a user object, this would be the user's name (e.g. CN=John Smith). For SSL certificates, the CN is typically the fully qualified domain name (FQDN) of the host where the SSL certificate will reside (e.g. servername.keyexample.com or www.keyexample.com).).
RegEx	A string specifying the regular expression against which data entered in the indicated subject part field (e.g. CN) in the enrollment pages of the Keyfactor Command Management Portal or using an API A set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command. enrollment method will be validated. Use the GET /Templates/SubjectParts method (see GET Templates Subject Parts) to retrieve a list of all the supported subject parts. Show regular expression examples. Subject Part Example CN (Common Name A common name (CN) is the component of a distinguished name (DN) that represents the primary name of the object. The value varies depending on the type of object. For a user object, this would be the user's name (e.g. CN=John Smith). For SSL certificates, the CN is typically the fully qualified domain name (FQDN) of the host where the SSL certificate will reside (e.g. servername.keyexample.com or www.keyexample.com).) This regular expression specifies that the data entered in the field must consist of some number of characters in the first portion of the field made up only of lowercase letters, uppercase letters, numbers, apostrophes, underscores, periods, and/or hyphens followed by exactly ".keyexample.com": ^[a-zA-Z0-9'_\.\-]*\.keyexample\.com$ The default value for the Common Name regular expression is: .+ This requires entry of at least one character in the Common Name field in the enrollment pages. O (Organization) This regular expression requires that the organization name entered in the field be one of "Key Example Inc", "Key Example" or "Key Example Inc.": ^(?:Key Example Inc|Key Example|Key Example, Inc\.)$ The period in the final company name (Key Example, Inc.) needs to be escaped in the regular expression with a slash ("\") but the comma does not. OU (Organization Unit) This regular expression requires that the organizational unit entered in the field be one of these four departments: ^(?:IT|HR|Accounting|E-Commerce)$ L (City/Locality) This regular expression requires that the city entered in the field be one of these five cities: ^(?:Boston|Chicago|New York|London|Dallas)$ ST (State/Province) This regular expression requires that the state entered in the field be one of these eight states: ^(?:Massachusetts|Illinois|New York|Ontario|Texas)$ C (Country) This regular expression requires that the country entered in the field be either US or CA: ^(?:US|CA)$ E (Email) This regular expression specifies that the data entered in the field must consist of some number of characters prior to the "@" made up only of lowercase letters, uppercase letters, numbers, apostrophes, underscores, periods, and/or hyphens followed by exactly "@keyexample.com": ^[a-zA-Z0-9'_\.\-]*@keyexample\.com$ DNS The Domain Name System is a service that translates names into IP addresses. (Subject Alternative Name The subject alternative name (SAN) is an extension to the X.509 specification that allows you to specify additional values when enrolling for a digital certificate. A variety of SAN formats are supported, with DNS name being the most common.: DNS Name) This regular expression specifies that the data entered in the field must consist of some number of characters in the first portion of the field made up only of lowercase letters, uppercase letters, numbers, apostrophes, underscores, periods, and/or hyphens followed by exactly either ".keyexample1.com" or ".keyexample2.com": ^[a-zA-Z0-9'_\.\-]*\.(?:keyexample1\.com|keyexample2\.com)$ IPv4 (Subject Alternative Name: IPv4 Address) This regular expression specifies that the data entered in the field must be exactly "130.101." followed by anywhere between 1 and 3 numbers followed by exactly "." followed by anywhere between 1 and 3 numbers: ^130\.101\.(?:[0-9]{1,3})\.(?:[0-9]{1,3})$ This regular expression specifies only that the IPv4 address is made up of 4 sets of between 1 and 3 numbers separated by periods: ^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$ IPv6 (Subject Alternative Name: IPv6 Address) This regular expression specifies that the data entered in the field must be made up of eight sets of between one and four numbers and/or uppercase letters separated by colons: ^(?:[A-F0-9]{1,4}:){7}[A-F0-9]{1,4}$ MAIL (Subject Alternative Name: Email) This regular expression specifies that the data entered in the field must consist of some number of characters prior to the "@" made up only of lowercase letters, uppercase letters, numbers, apostrophes, underscores, periods, and/or hyphens followed by exactly "@keyexample.com": ^[a-zA-Z0-9'_\.\-]*@keyexample\.com$ UPN (Subject Alternative Name: User Principal Name) This regular expression specifies that the data entered in the field must consist of some number of characters prior to the "@" made up only of lowercase letters, uppercase letters, numbers, apostrophes, underscores, periods, and/or hyphens followed by exactly "@keyexample.com": ^[a-zA-Z0-9'_\.\-]*@keyexample\.com$
Error	A string specifying the error message displayed to the user when the subject part referenced in the CSR or entered for a PFX enrollment does not match the given regular expression. Note that the error message already includes a leading string with the subject part (e.g. "Common Name:" or "Invalid CN provided:" depending on the interface used). Your custom message follows this.

For example:

"TemplateRegexes": [
   {
      "TemplateId": 57,
      "SubjectPart": "O",
      "Regex": "^(?:Key Example Company|Key Example\, Inc\.)$",
      "Error": "Organization must be Key Example, Inc or Key Example Company."
   }
]

An object containing the individual template-level template policy settings. Template policies defined on a template apply to enrollments made with that template only. Template-level policies, if defined, take precedence over system-wide template policies. For more information about system-wide template policies, see GET Templates Settings. Show template policy details.

Value	Description
TempalteId	The Keyfactor Command reference ID of the certificate template the policy is associated with.
RSAValidKeySizes	An object containing a comma-delimited list of integers defining the valid RSA key sizes supported for all templates used for enrollment. The supported values are: 2048 4096
ECCValidCurves	An object containing a list of strings defining the valid elliptic curve algorithms for ECC Elliptical curve cryptography (ECC) is a public key encryption technique based on elliptic curve theory that can be used to create faster, smaller, and more efficient cryptographic keys. ECC generates keys through the properties of the elliptic curve equation instead of the traditional method of generation as the product of very large prime numbers. templates. These may be specified using the well-known OIDs for ECC algorithms or by friendly name. Well-known OIDs include: 1.2.840.10045.3.1.7 = P-256/prime256v1/secp256r1 1.3.132.0.34 = P-384/secp384r1 1.3.132.0.35 = P-521/secp521r1 When specifying by friendly name, do not include a slash (use "P-256", not "P-256/prime256v1/secp256r1").
AllowKeyReuse	A Boolean that indicates whether private key reuse is allowed (true) or not (false). This option applies to certificate renewals. By default, this is set to true at a system-wide level.
AllowWildcards	A Boolean that indicates whether wildcards are allowed (true) or not (false). By default, this is set to true at a system-wide level.
RFCEnforcement	A Boolean that indicates whether RFC 2818 compliance enforcement is enabled (true) or not (false). When this option is set to true, certificate enrollments made through Keyfactor Command for this template must include at least one DNS SAN The subject alternative name (SAN) is an extension to the X.509 specification that allows you to specify additional values when enrolling for a digital certificate. A variety of SAN formats are supported, with DNS name being the most common.. In the Keyfactor Command Management Portal, this causes the CN entered in PFX enrollment to automatically be replicated as a SAN, which the user can either change or accept. For CSR enrollment, if the CSR does not have a SAN that matches the CN, one will automatically be added to the certificate if this is set. By default, this is set to false at a system-wide level.
AllowEd448	A Boolean that indicates whether Ed448 key type is allowed (true) or not (false).
AllowEd25519	A Boolean that indicates whether Ed25519 key type is allowed (true) or not (false).

For example:

"TemplatePolicy": {
   "TemplateId": 17,
   "RSAValidKeySizes": [
      2048,
      4096
   ],
   "ECCValidCurves": [
      "1.2.840.10045.3.1.7",
      "1.3.132.0.34"
      "1.3.132.0.35"
   ],
   "AllowKeyReuse": false,
   "AllowWildcards": true,
   "RFCEnforcement": true,
   "AllowEd448": false,
   "AllowEd25519": false
}

An object containing the list of Keyfactor Command security roles—as strings—that have been granted enroll permission on the template.

For example:

"AllowedRequesters": [
   "Administrator",
   "Power Users",
   "Revokers"
]

An integer indicating the total key usage of the certificate. Key usage is stored in Active Directory as a single value made of a combination of values. Show value details.

Value	Function	Description
0	None	No key usage parameters.
1	Encipherment Only	The key can be used for encryption only.
2	CRL A Certificate Revocation List (CRL) is a list of digital certificates that have been revoked by the issuing Certificate Authority (CA) before their scheduled expiration date and should no longer be trusted. Signing	The key can be used to sign a certificate revocation list A Certificate Revocation List (CRL) is a list of digital certificates that have been revoked by the issuing Certificate Authority (CA) before their scheduled expiration date and should no longer be trusted. (CRL).
4	Key Certificate Signing	The key can be used to sign certificates.
8	Key Agreement	The key can be used to determine key agreement, such as a key created using the Diffie-Hellman key agreement algorithm.
16	Data Encipherment	The key can be used for data encryption.
32	Key Encipherment	The key can be used for key encryption.
64	Nonrepudiation	The key can be used for authentication.
128	Digital Signature	The key can be used as a digital signature.
32768	Decipherment Only	The key can be used for decryption only.

For example, a value of 160 would represent a key usage of digital signature with key encipherment. A value of 224 would add nonrepudiation to those.

An object containing custom enrollment fields. These are configured on a per-template basis to allow you to submit custom fields with CSR enrollments and PFX enrollments to supply custom request attributes to the CA during the enrollment process. This functionality offers such benefits as:

• Preventing users from requesting invalid certificates, based on your specific certificate requirements per template.
• Providing additional information to the CA with the CSR.

Once created on the template, these values are shown in Keyfactor Command on the PFX and CSR enrollment pages in the Additional Enrollment Fields section. The fields are mandatory during enrollment. The data will appear on the CA / Issued Certificates attribute tab for certificates enrolled with a template configured with Keyfactor Command enrollment fields.

Show enrollment field details.

An integer indicating the type of enrollment allowed for the certificate template. Setting these options causes the template to appear in dropdowns in the corresponding section of the Management Portal. In the case of CSR Enrollment and PFX Enrollment, the templates only appear in dropdowns on the enrollment pages if they are available for enrollment from a CA also configured for enrollment within Keyfactor Command. See Adding or Modifying a CA Record in the Keyfactor Command Reference Guide for more information. Show allowed enrollment type details.

An object containing individual template-level template default settings. Template defaults defined on a template apply to enrollments made with that template only. Template-level defaults, if defined, take precedence over system-wide template defaults. For more information about system-wide template defaults, see GET Templates Settings. Show template default details.

An integer indicating the total key usage of the certificate. Key usage is stored in Active Directory as a single value made of a combination of values. Show value details.

For example, a value of 160 would represent a key usage of digital signature with key encipherment. A value of 224 would add nonrepudiation to those.