POST Certificate Stores

Documentation Suite v10.3

The POST /CertificateStores method is used to create new certificate stores in Keyfactor Command. This method returns HTTP 200 OK on a success with details about the certificate store created.

Tip: The following permissions (see Security Overview) are required to use this feature:

CertificateStoreManagement: Modify

Permissions for certificate stores can be set at either the global or certificate store container level. See Container Permissions in the Keyfactor Command Reference Guide for more information about global vs container permissions.

Table 255: POST Certificate Stores Input Parameters

Name

Description

ContainerId

Body

An integer indicating the ID of the certificate store's associated certificate store container, if applicable (see GET Certificate Store Containers).

ClientMachine

Body

Required. The string value of the client machine. The value for this will vary depending on the certificate store type. For example, for a Java keystore or an F5 device, it is the hostname

The unique identifier that serves as name of a computer. It is sometimes presented as a fully qualified domain name (e.g. servername.keyexample.com) and sometimes just as a short name (e.g. servername). of the machine on which the store is located, but for an Amazon Web Services store, it is the FQDN of the Keyfactor Command Windows Orchestrator

The Windows Orchestrator, one of Keyfactor's suite of orchestrators, is used to manage synchronization of certificate authorities in remote forests, run SSL discovery and management tasks, and interact with Windows servers as well as F5 devices, NetScaler devices, Amazon Web Services (AWS) resources, and FTP capable devices, for certificate management. In addition, the AnyAgent capability of the Windows Orchestrator allows it to be extended to create custom certificate store types and management capabilities regardless of source platform or location.. See Adding or Modifying a Certificate Store in the Keyfactor Command Reference Guide for more information.

Storepath

Body

Required. A string indicating the path to the certificate store on the target. The format for this path will vary depending on the certificate store type. For example, for a Java keystore, this will be a file path (e.g. /opt/myapp/store.jks), but for an F5 device, this will be a partition name on the device (e.g. Common). See Adding or Modifying a Certificate Store in the Keyfactor Command Reference Guide for more information. The maximum number of characters supported in this field is 722.

CertStoreInventoryJobId

Body

A string indicating the GUID that identifies the inventory job for the certificate store in the Keyfactor Command database. This will be null if an inventory schedule is not set for the certificate store.

CertStoreType

Body

Required. An integer indicating the ID of the certificate store type, as defined in Keyfactor Command, for this certificate store. (0-Javakeystore,2-PEMFile, 3-F5SSLProfiles,4-IISRoots, 5-NetScaler, 6-IISPersonal, 7-F5WebServer, 8-IISRevoked, 9-F5WebServerREST, 10-F5SSLProfilesREST, 11-F5CABundlesREST, 100-AmazonWebServices, 101-FileTransferProtocol)

Approved

Body

A Boolean that indicates whether a certificate store is approved (true) or not (false). If a certificate store is approved, it can be used and updated. A certificate store that has been discovered using the discover feature but not yet marked as approved will be false here. The default for new stores created with this method is true.

CreateIfMissing

Body

A Boolean that indicates whether a new certificate store should be created with the information provided (true) or not (false). This option is only valid for Java keystores and any custom certificate store types you have defined to support this functionality. The default is false.

Properties

Body

Required. Some types of certificate stores have additional properties that are stored in this parameter A parameter or argument is a value that is passed into a function in an application.. The data is stored in a series of, typically, key value pairs that define the property name and value (see GET Certificate Store Types for more information).

As of Keyfactor Command v10, this parameter is used to store certificate store server usernames, server passwords, and the UseSSL flag. Built-in certificate stores that typically require configuration of certificate store server parameters include NetScaler and F5 stores. The legacy methods for managing certificate store server credentials have been deprecated but are retained for backwards compatiblity. For more information, see POST Certificate Stores Server.

When reading this field, the values are returned as simple key value pairs, with the values being individual values. When writing, the values are specified as objects, though they are typically single values.

For example, on a GET request for a PEM store configured with a separate private key Private keys are used in cryptography (symmetric and asymmetric) to encrypt or sign content. In asymmetric cryptography, they are used together in a key pair with a public key. The private or secret key is retained by the key's creator, making it highly secure., the contents of this field might be:

"{
  \"privateKeyPath\":\"/opt/app/mystore.key\",
  \"separatePrivateKey\":\"true\"
}"

However, the syntax used when updating the properties sets the value as a key value pair using value as the key. For example, on a POST or PUT request for a PEM store configured with a separate private key, the contents of this field might be:

"{
  \"privateKeyPath\":{\"value\":\"/opt/app/mystore.key\"},
  \"separatePrivateKey\":{\"value\":\"true\"}
}"

An example server properties parameter POST for an FTP or NetScaler store would contain:

"{
   \"ServerUsername\":{\"value\":{\"SecretValue\":\"User_Name\"}},
   \"ServerPassword\":{\"value\":{\"SecretValue\":\"Password\"}},
   \"ServerUseSsl\":{\"value\":\"true\"}
}"

An example server properties parameter POST for an FTP or NetScaler store with the username and password stored as PAM secrets would contain (where the Provider value—1 in this example—is the Id value from GET PAM Providers):

"{
   \"ServerUsername\":{\"value\":{\"Provider\":\"1\",\"Parameters\":{\"SecretId\":\"User_Name\"}}},
   \"ServerPassword\":{\"value\":{\"Provider\":\"1\",\"Parameters\":{\"SecretId\":\"Password\"}}},
   \"ServerUseSsl\":{\"value\":\"true\"}
}"

Note: There are three standard properties that are used for any built-in certificate store types that require server credentials (e.g. F5):

ServerUsername
ServerPassword
ServerUseSsl

These replace the separate certificate store server records that existed in previous versions of Keyfactor Command. For legacy support, if credentials are not provided through store properties during creation or editing of a certificate store, Keyfactor Command will attempt to find a certificate store server record and copy the credentials from it into the store properties for future use.

Tip: Built-in stores that make use of this field include:

AWS stores use this field to store secured versions of the access key and secret.
F5 REST stores (all types) use this field to store secured versions of the server authentication information (ServerUsername, ServerPassword, ServerUseSsl) and primary node information (PrimaryNode, PrimaryNodeCheckRetryWaitSecs, PrimaryNodeCheckRetryMax) and F5 version (F5Version).
F5 SOAP stores (all types) use this field to store secured versions of the server authentication information (ServerUsername, ServerPassword, ServerUseSsl).
FTP stores use this field to store secured versions of the server authentication information (ServerUsername, ServerPassword, ServerUseSsl).
IIS stores (all types) use this field to store the UseSSL flag and the port for SMB communications.
Java keystores use this field to store type (ProviderType).
NetScaler stores use this field to store secured versions of the server authentication information (ServerUsername, ServerPassword, ServerUseSsl).
PEM A PEM format certificate file is a base64-encoded certificate. Since it's presented in ASCII, you can open it in any text editor. PEM certificates always begin and end with entries like ---- BEGIN CERTIFICATE---- and ----END CERTIFICATE----. PEM certificates can contain a single certificate or a full certifiate chain and may contain a private key. Usually, extensions of .cer and .crt are certificate files with no private key, .key is a separate private key file, and .pem is both a certificate and private key. stores use this field to store the path to the private key file, if defined, and the Boolean value indicating whether a separate private key path is defined.

AgentId

Body

Required. A string indicating the Keyfactor Command GUID of the orchestrator

Keyfactor orchestrators perform a variety of functions, including managing certificate stores and SSH key stores. for this store.

AgentAssigned

Body

A Boolean that indicates whether there is an orchestrator assigned to this certificate store (true) or not (false). The default is true.

ContainerName

Body

A string indicating the name of the certificate store's associated container, if applicable.

InventorySchedule

Body

The inventory schedule for this certificate store. Show schedule details.

Name

Description

Off

Turn off a previously configured schedule.

Immediate

A Boolean that indicates a job scheduled to run immediately (true) or not (false).

Tip: In some instances, jobs initially scheduled as Immediate will appear on a GET as null.

Interval

A dictionary that indicates a job scheduled to run every x minutes with the specified parameter. Any interval that is selected in the UI will be converted to minutes when stored in the database.

Name	Description
Minutes	An integer indicating the number of minutes between each interval.

For example, every hour:

"Interval": {
   "Minutes": 60
}

Daily

A dictionary that indicates a job scheduled to run every day at the same time with the parameter:

Name	Description
Time	The date and time to next run the job. The date and time should be given using the ISO 8601 UTC time format YYYY-MM-DDTHH:mm:ss.000Z (e.g. 2021-05-19T16:23:01Z).

For example, daily at 11:30 pm:

"Daily": {
   "Time": "2022-02-25T23:30:00Z"
}

ExactlyOnce

A dictionary that indicates a job scheduled to run at the time specified with the parameter:

Name	Description
Time	The date and time to next run the job. The date and time should be given using the ISO 8601 UTC time format YYYY-MM-DDTHH:mm:ss.000Z (e.g. 2021-05-19T16:23:01Z).

For example, exactly once at 11:45 am:

"ExactlyOnce": {
   "Time": "2022-02-27T11:45:00Z"
}

Tip: In some instances, jobs initially scheduled as Immediate will appear on a GET as ExactlyOnce.

ReenrollmentStatus

Body

An array that indicates whether the certificate store can use the re-enrollment Certificate enrollment refers to the process by which a user requests a digital certificate. The user must submit the request to a certificate authority (CA). function with accompanying data about the re-enrollment job. Show reenrollment status details.

Name	Description
Data	A Boolean that indicates whether the certificate store can use the re-enrollment function (true) or not (false).
AgentId	A string indicating the Keyfactor Command GUID of the orchestrator that can re-enroll the certificate store.
Message	A string indicating the reason the certificate store cannot re-enroll, if applicable.
JobProperties	An array of key/value pairs for the unique parameters defined for the certificate store type. The key is the name of the specific parameter from the certificate store type definition as returned in the JobProperties on the store type using the GET CertificateStoreTypes method and the value is the value that should be set for that parameter on a certificate in the certificate store. For example, for NetScaler, the key name that is optionally used to associate a certificate with a virtual server is NetscalerVserver and is returned by GET CertificateStoreTypes like so: "JobProperties": [ "NetscalerVserver" ] It can be seen in the Keyfactor Command Management Portal when editing the certificate store type in the field for Management Job Custom Fields. The setting is referenced using the following format: "JobProperties": [ {"NetscalerVserver":"MyVirtualServerName"} ] Note: The only built-in certificate store type that makes use of job properties that can be set on a certificate-by-certificate basis in the store is NetScaler. You may have custom certificate store types that make use of this functionality. This field is optional.
CustomAliasAllowed	An integer indicating the option for a custom alias for this certificate store. 0—forbidden 1—optional 2—required

SetNewPasswordAllowed

Body

A Boolean that indicates whether the store password can be changed (true) or not (false). The default is false.

Password

Body

An array indicating the source for and details of the credential information Keyfactor Command will use to access the certificates in a specific certificate store (the store password). This is different from credential information Keyfactor Command uses to access a certificate store server as a whole. The former (this setting) is typically used for Java keystores; the latter is typically used for certificates stores on NetScaler and F5 devices and set at the server level, not the certificate store level (see POST Certificate Stores Server).

Certificate stores that require credentials support up to three possible credential options:

Use no store password.
This option is supported for Java keystores that would normally require a password, but can be configured with the no password option (see Value, below).
Store the credential information in the Keyfactor secrets table.
A Keyfactor secret is a user-defined password that is encrypted and stored securely in the Keyfactor Command database.
Load the credential information from a PAM provider.
See Privileged Access Management (PAM) in the Keyfactor Command Reference Guide and PAM Providers for more information.

Show password details.

Name

Description

Value

A string—submitted as an object—indicating a password to be stored as a Keyfactor secret.

Tip: To set the no password option on a store, submit the password with a null value. For example:

"Password": {
"Value": {null}
}

To set the value to a string to be stored in the Keyfactor secrets table, include the password in quotes. For example:

"Password": {
"Value": "MyVerySecurePassword"
}

SecretTypeGuid

A string indicating the Keyfactor Command reference GUID for the type of credentials. This value is automatically set by Keyfactor Command.

InstanceId

The Keyfactor Command reference ID for the secret provider. If you are using a secret provider with an integer ID, this will be used. This value is automatically set by Keyfactor Command.

InstanceGuid

The Keyfactor Command reference GUID for the secret provider. If you are using a secret provider with a GUID ID, this will be used. This value is automatically set by Keyfactor Command.

ProviderType

ParameterValues

An array containing the values for the PAM provider types specified by ProviderTypeParams. Show PAM provider type parameter value details.

Name

Description

The Keyfactor Command reference ID for the PAM provider type parameter.

Value

The value set for the parameter (e.g. the name of the CyberArk folder where the protected object that stores the username or password resides).

InstanceId

The Keyfactor Command reference ID for the PAM provider. If you are attaching to something with an integer Id, this will be used.

InstanceGuid

The Keyfactor Command reference GUID for the PAM provider. If you are attaching to something with a GUID ID, this will be used.

Provider

An array containing information about the provider. Show PAM provider details.

Name

Description

An integer indicating the Keyfactor Command reference ID for the PAM provider.

Name

A string indicating the internal name for the PAM provider.

Area

An integer indicating the area of Keyfactor Command the provider is used for. PAM providers generally have a value of 1, indicating they are used for certificate stores.

ProviderType

An array containing details about the provider type for the provider, including:

Name

Description

A string indicating the Keyfactor Command reference GUID for the provider type.

Name

A string that indicates the name of the provider type.

Provider

Type

Params

An array of parameters that the provider type uses for data input in Keyfactor Command when creating new PAM provider and certificate store records.

See below instance of ProviderTypeParam for details.

ProviderType

ParamValues

An array containing the values for the provider types specified by ProviderTypeParams. See the previous level of ProviderTypeParamValues for details.

SecuredAreaId

An integer indicating the Keyfactor Command reference ID for the certificate store container the PAM provider is associated with, if any.

You can create a single PAM provider for each provider type (e.g. CyberArk), however, if you have opted to organize your certificate stores into containers, you will need to create multiple providers to match your container organization structure. The container field in the PAM provider definition is not required, but if one is supplied when creating a PAM provider, the PAM provider can only be used with certificate stores in the matching container. Likewise, a PAM provider defined with no container would be available for selection when setting passwords for any certificate store that also did not specify a container. A PAM provider configured in this way could be used across a variety of certificate stores (e.g. both JKS A Java KeyStore (JKS) is a file containing security certificates with matching private keys. They are often used by Java-based applications for authentication and encryption. and F5) as long as they were not in containers.

ProviderType

Param

An array of parameters that the provider type uses for data input in Keyfactor Command when creating new PAM provider and certificate store records. Show PAM provider type parameter details.

Name

Description

An integer indicating the Keyfactor Command reference ID for the PAM provider type parameter.

Name

A string indicating the internal name for the PAM provider type parameter.

DisplayName

A string indicating the display name for the PAM provider type parameter. For parameters with an InstanceLevel of false, this name appears on the PAM provider dialog for the parameter when a user creates a new PAM provider. For parameters with an InstanceLevel of true, this name appears on the Server dialog for the parameter when a user creates a new PAM provider.

DataType

An integer indicating the data type for the parameter. Possible values are:

1 = String
2 = Secret

InstanceLevel

A Boolean that sets whether the parameter is used to define the underlying PAM provider (false) or a field that needs to be set to a value when configuring a certificate store to use the PAM provider (true).

For an example, see GET PAM Providers.

ProviderType

An array containing details for the provider type.

Name	Description
Id	A string indicating the Keyfactor Command reference GUID for the PAM provider type parameter.
Name	A string indicating the internal name for the PAM provider type parameter.
ProviderTypeParams	Unused field

ProviderId

An integer indicating the Keyfactor Command reference ID for the PAM provider.

IsManaged

A Boolean indicating whether the credentials for the store are managed by a PAM provider (true) or stored in the Keyfactor secrets table (false). This value is automatically set by Keyfactor Command.

Table 256: POST Certificate Stores Response Data

Name

Description

A string indicating the GUID of the certificate store within Keyfactor Command. This ID is automatically set by Keyfactor Command.

ContainerId

An integer indicating the ID of the certificate store's associated certificate store container, if applicable (see GET Certificate Store Containers).

ClientMachine

The string value of the client machine. The value for this will vary depending on the certificate store type. For example, for a Java keystore or an F5 device, it is the hostname of the machine on which the store is located, but for an Amazon Web Services store, it is the FQDN of the Keyfactor Command Windows Orchestrator. See Adding or Modifying a Certificate Store in the Keyfactor Command Reference Guide for more information.

Storepath

A string indicating the path to the certificate store on the target. The format for this path will vary depending on the certificate store type. For example, for a Java keystore, this will be a file path (e.g. /opt/myapp/store.jks), but for an F5 device, this will be a partition name on the device (e.g. Common). See Adding or Modifying a Certificate Store in the Keyfactor Command Reference Guide for more information. The maximum number of characters supported in this field is 722.

CertStoreInventoryJobId

CertStoreType

An integer indicating the ID of the certificate store type, as defined in Keyfactor Command, for this certificate store. (0-Javakeystore,2-PEMFile, 3-F5SSLProfiles,4-IISRoots, 5-NetScaler, 6-IISPersonal, 7-F5WebServer, 8-IISRevoked, 9-F5WebServerREST, 10-F5SSLProfilesREST, 11-F5CABundlesREST, 100-AmazonWebServices, 101-FileTransferProtocol)

Approved

CreateIfMissing

Properties

Some types of certificate stores have additional properties that are stored in this parameter. The data is stored in a series of, typically, key value pairs that define the property name and value (see GET Certificate Store Types for more information).

For example, on a GET request for a PEM store configured with a separate private key, the contents of this field might be:

"{
  \"privateKeyPath\":\"/opt/app/mystore.key\",
  \"separatePrivateKey\":\"true\"
}"

"{
  \"privateKeyPath\":{\"value\":\"/opt/app/mystore.key\"},
  \"separatePrivateKey\":{\"value\":\"true\"}
}"

An example server properties parameter POST for an FTP or NetScaler store would contain:

"{
   \"ServerUsername\":{\"value\":{\"SecretValue\":\"User_Name\"}},
   \"ServerPassword\":{\"value\":{\"SecretValue\":\"Password\"}},
   \"ServerUseSsl\":{\"value\":\"true\"}
}"

"{
   \"ServerUsername\":{\"value\":{\"Provider\":\"1\",\"Parameters\":{\"SecretId\":\"User_Name\"}}},
   \"ServerPassword\":{\"value\":{\"Provider\":\"1\",\"Parameters\":{\"SecretId\":\"Password\"}}},
   \"ServerUseSsl\":{\"value\":\"true\"}
}"

Note: There are three standard properties that are used for any built-in certificate store types that require server credentials (e.g. F5):

ServerUsername
ServerPassword
ServerUseSsl

Tip: Built-in stores that make use of this field include:

AWS stores use this field to store secured versions of the access key and secret.
F5 REST stores (all types) use this field to store secured versions of the server authentication information (ServerUsername, ServerPassword, ServerUseSsl) and primary node information (PrimaryNode, PrimaryNodeCheckRetryWaitSecs, PrimaryNodeCheckRetryMax) and F5 version (F5Version).
F5 SOAP stores (all types) use this field to store secured versions of the server authentication information (ServerUsername, ServerPassword, ServerUseSsl).
FTP stores use this field to store secured versions of the server authentication information (ServerUsername, ServerPassword, ServerUseSsl).
IIS stores (all types) use this field to store the UseSSL flag and the port for SMB communications.
Java keystores use this field to store type (ProviderType).
NetScaler stores use this field to store secured versions of the server authentication information (ServerUsername, ServerPassword, ServerUseSsl).
PEM stores use this field to store the path to the private key file, if defined, and the Boolean value indicating whether a separate private key path is defined.

AgentId

A string indicating the Keyfactor Command GUID of the orchestrator for this store.

AgentAssigned

A Boolean that indicates whether there is an orchestrator assigned to this certificate store (true) or not (false).

ContainerName

A string indicating the name of the certificate store's associated container, if applicable.

InventorySchedule

The inventory schedule for this certificate store. Show schedule details.

Name

Description

Off

Turn off a previously configured schedule.

Immediate

A Boolean that indicates a job scheduled to run immediately (true) or not (false).

Tip: In some instances, jobs initially scheduled as Immediate will appear on a GET as null.

Interval

A dictionary that indicates a job scheduled to run every x minutes with the specified parameter. Any interval that is selected in the UI will be converted to minutes when stored in the database.

Name	Description
Minutes	An integer indicating the number of minutes between each interval.

For example, every hour:

"Interval": {
   "Minutes": 60
}

Daily

A dictionary that indicates a job scheduled to run every day at the same time with the parameter:

Name	Description
Time	The date and time to next run the job. The date and time should be given using the ISO 8601 UTC time format YYYY-MM-DDTHH:mm:ss.000Z (e.g. 2021-05-19T16:23:01Z).

For example, daily at 11:30 pm:

"Daily": {
   "Time": "2022-02-25T23:30:00Z"
}

ExactlyOnce

A dictionary that indicates a job scheduled to run at the time specified with the parameter:

Name	Description
Time	The date and time to next run the job. The date and time should be given using the ISO 8601 UTC time format YYYY-MM-DDTHH:mm:ss.000Z (e.g. 2021-05-19T16:23:01Z).

For example, exactly once at 11:45 am:

"ExactlyOnce": {
   "Time": "2022-02-27T11:45:00Z"
}

Tip: In some instances, jobs initially scheduled as Immediate will appear on a GET as ExactlyOnce.

ReenrollmentStatus

An array that indicates whether the certificate store can use the re-enrollment function with accompanying data about the re-enrollment job. Show reenrollment status details.

Name	Description
Data	A Boolean that indicates whether the certificate store can use the re-enrollment function (true) or not (false).
AgentId	A string indicating the Keyfactor Command GUID of the orchestrator that can re-enroll the certificate store.
Message	A string indicating the reason the certificate store cannot re-enroll, if applicable.
JobProperties	An array of key/value pairs for the unique parameters defined for the certificate store type. The key is the name of the specific parameter from the certificate store type definition as returned in the JobProperties on the store type using the GET CertificateStoreTypes method and the value is the value that should be set for that parameter on a certificate in the certificate store. For example, for NetScaler, the key name that is optionally used to associate a certificate with a virtual server is NetscalerVserver and is returned by GET CertificateStoreTypes like so: "JobProperties": [ "NetscalerVserver" ] It can be seen in the Keyfactor Command Management Portal when editing the certificate store type in the field for Management Job Custom Fields. The setting is referenced using the following format: "JobProperties": [ {"NetscalerVserver":"MyVirtualServerName"} ] Note: The only built-in certificate store type that makes use of job properties that can be set on a certificate-by-certificate basis in the store is NetScaler. You may have custom certificate store types that make use of this functionality. This field is optional.
CustomAliasAllowed	An integer indicating the option for a custom alias for this certificate store. 0—forbidden 1—optional 2—required

SetNewPasswordAllowed

A Boolean that indicates whether the store password can be changed (true) or not (false).

Password

Note: Secret data is stored in the secrets table or a PAM provider and is not returned in responses.

Tip: For code examples, see the Keyfactor API Endpoint Utility. To find the embedded web copy of this utility, click the help icon (

) at the top of the Keyfactor Command Management Portal page next to the Log Out button.

POST Certificate Stores

Products

Solutions

Resources

Company