Workflow Definition Operations

The workflow builder in Keyfactor Command is a powerful feature that allows you to manage certificate enrollments, renewals, and revocations end-to-end. Out of the box, there are workflow builder steps to require approvals for certificate enrollment and revocation requests, send email notifications, run PowerShell scripts, and run API requests as part of the request flow.

Workflow definition operations include:

  • Creating, editing or deleting a workflow definition

  • Publishing a workflow definition to make it active and available for use

  • Importing and exporting workflow definitions for backup, duplication and customization purposes

Tip:  There are two built-in workflow definitions—Global Enrollment Workflow and Global Revocation Workflow—that are used to manage requests which are not otherwise handled by custom workflows. These workflows can be configured with steps (see Adding or Modifying a Workflow Definition), but they cannot be deleted.

Refer to the following table for a list of the substitutable special text tokens that are available in the dropdown to customize workflow email messages.

Tip:  In addition to these tokens, any data in the current data bucket can be referenced by entering an appropriate reference string. For example, to return the CSR for an enrollment request you can use $(CSR). Refer to the CurrentStateData field in the response to the GET /Workflow/Instances/{instanceId} API method for information on all the data found in the current (as opposed to initial) data bucket (see GET Workflow Instances Instance ID in the Keyfactor Web APIs Reference Guide).

Table 15: Tokens for Workflow Definitions

| Variable | Name | Request Type | Description |
|---|---|---|---|
| $(approvalsignalcmnts) | Workflow Approval or Denial Comment | Enrollment and Revocation | The comment provided when a workflow request that requires approval is approved or denied. |
| $(CA) | Issuing CA | Enrollment and Revocation | A string containing the Issuing CA logical name and hostname (e.g. ca2.keyexample.com\Corp Issuing CA Two). |
| $(certid) | Request ID | Revocation | The request ID for the certificate as stored in the Keyfactor Command database. This is not the same as the request ID issued by the CA. |
| $(cmnt) | Revocation Comment | Revocation | The comment entered at revocation time to explain the revocation. |
| $(c0de) | Revocation Reason | Revocation | The reason selected at revocation time to explain the revocation. |
| $(cn) | Common Name | Revocation | The certificate common name. |
| $(dn) | Distinguished Name | Revocation | The certificate distinguished name. |
| $(effdate) | Revocation Effective Date | Revocation | Date on which the revocation becomes effective. |
| $(issuerdn) | Issuer DN | Revocation | The distinguished name of the issuer of the certificate. |
| $(keysize) | Key Size | Revocation | The key size of the certificate. |
| $(keytype) | Key Type | Revocation | The key type of the certificate. |
| $(locations) | Certificate Store Locations | Enrollment and Revocation | The certificate store locations to which the certificate will be deployed following enrollment, for enrollment requests, or in which the certificate is found, for revocation requests. |
| $(request:cn) | Requested Common Name | Enrollment | The common name contained in the certificate request. |
| $(request:dn) | Requested Distinguished Name | Enrollment | The distinguished name contained in the certificate request. |
| $(request:keysize) | Request Key Size | Enrollment | The key size contained in the certificate request. |
| $(request:keytype) | Request Key Type | Enrollment | The key type contained in the certificate request. |
| $(requester) | Requester | Enrollment and Revocation | The user account that requested the certificate from the CA, in the form "DOMAIN\username". |
| $(requester:mail) | Requester's Email | Enrollment and Revocation | The email address retrieved from Active Directory of the user account that requested the certificate from the CA, if present. |
| $(requester:givenname) | Requester's First Name | Enrollment and Revocation | The first name retrieved from Active Directory of the user account that requested the certificate from the CA, if present. |
| $(requester:sn) | Requester's Last Name | Enrollment and Revocation | The last name retrieved from Active Directory of the user account that requested the certificate from the CA, if present. |
| $(requester:displayname) | Requester's Display Name | Enrollment and Revocation | The display name retrieved from Active Directory of the user account that requested the certificate from the CA, if present. |
| $(reviewlink) | Review Link | Enrollment and Revocation | Link pointing to the review page in the Management Portal for the workflow instance where the person responsible for providing signal input (e.g. approving the request) can go to review the request and provide the input. Note: this token is only useful in workflows that contain a step that requires signal input (e.g. requires approval). |
| $(sans) | Subject Alternative Names | Enrollment | Subject alternative name(s) contained in the certificate request. The four possible sources for these SANs are listed below the table. |
| $(serial) | Serial Number | Revocation | Certificate serial number. |
| $(subdate) | Submission Date | Enrollment and Revocation | Date the workflow was initiated. |
| $(template) | Template Name | Enrollment | The short name (often the name with no spaces) of the certificate template used to create the certificate request. |
| $(thumbprint) | Thumbprint | Revocation | Thumbprint of the certificate. |
| $(metadata:Email-Contact) | Email-Contact | Enrollment and Revocation | Example of a custom metadata field. |

There are four possible sources for the SANs that appear in $(sans):

  • For CSR enrollment, the original SANs included in the CSR.
  • Any SANs added through the Keyfactor Command Management Portal. For CSR enrollment, these take the place of the SANs in the CSR if the ATTRIBUTESUBJECTALTNAME2 option is enabled on the CA. See CSR Enrollment.
  • A SAN matching the CN added automatically during enrollment as a result of setting the RFC 2818 compliance flag in the CA configuration. See Adding or Modifying a CA Record. For PFX enrollment, the user has the option of editing this entry at enrollment time; entry of something is required.
  • A SAN matching the CN added automatically by the Keyfactor Command policy module on the CA if the Keyfactor Command RFC 2818 Policy Handler is enabled, if one was not included in the CSR or added manually. See Installing the Keyfactor CA Policy Module Handlers in the Keyfactor Command Server Installation Guide.
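As an added example (not Keyfactor's own code or API), the following Python checks an email template against the Request Type column of the table above and substitutes tokens from a constructed data bucket. The token registry is a transcribed subset of Table 15; leaving unresolved tokens verbatim and escaping requester-supplied values for HTML bodies are this example's own choices, since the page does not describe how Keyfactor Command itself renders them.

```python
import html
import re

# Token -> request types that supply it, transcribed from Table 15 above (a
# representative subset). Custom $(metadata:Name) tokens are handled separately.
TOKEN_TYPES: dict[str, set[str]] = {
    "approvalsignalcmnts": {"Enrollment", "Revocation"},
    "CA": {"Enrollment", "Revocation"}, "requester": {"Enrollment", "Revocation"},
    "requester:mail": {"Enrollment", "Revocation"},
    "reviewlink": {"Enrollment", "Revocation"}, "subdate": {"Enrollment", "Revocation"},
    "locations": {"Enrollment", "Revocation"},
    "certid": {"Revocation"}, "cmnt": {"Revocation"}, "cn": {"Revocation"},
    "dn": {"Revocation"}, "serial": {"Revocation"}, "thumbprint": {"Revocation"},
    "request:cn": {"Enrollment"}, "request:dn": {"Enrollment"},
    "sans": {"Enrollment"}, "template": {"Enrollment"},
}

# Matches $(name), including colon-qualified forms such as $(request:cn).
TOKEN_RE = re.compile(r"\$\(([A-Za-z0-9_:\-]+)\)")

def check_template(template: str, request_type: str) -> list[str]:
    """Report tokens the table does not list for this request type, plus
    unknown names (a typo such as $(requestor) would otherwise reach
    recipients unresolved)."""
    problems: list[str] = []
    for name in TOKEN_RE.findall(template):
        if name.startswith("metadata:"):
            continue  # custom metadata fields are valid for both request types
        types = TOKEN_TYPES.get(name)
        if types is None:
            problems.append(f"unknown token $({name})")
        elif request_type not in types:
            problems.append(f"$({name}) is not available for {request_type}")
    return problems

def render(template: str, bucket: dict[str, str], as_html: bool = False) -> str:
    """Substitute tokens from a data bucket (constructed for this example).
    Unresolved tokens stay verbatim so a preview shows them. CN and SAN values
    originate with the requester, so they are escaped for HTML bodies."""
    def sub(m: re.Match) -> str:
        value = bucket.get(m.group(1))
        if value is None:
            return m.group(0)
        return html.escape(value) if as_html else value
    return TOKEN_RE.sub(sub, template)
```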