Classic API

The Keyfactor Classic API, also known as the CMS API, is the Web API that has been provided with Keyfactor Command for several product generations. The Classic API may be needed in your environment if you're upgrading and have written API applications using the Classic API. If you're new to building an API application to work with Keyfactor Command, you should use the newer Keyfactor API (see Keyfactor API).

Important: The Classic API will be deprecated in Keyfactor Command version 11. All uses of the Classic API should be migrated to the Keyfactor API prior to upgrading to Keyfactor Command version 11. If these applications cannot be updated to the newer endpoints then the Allow Deprecated API Calls setting must be set to False (see Application Settings: API Tab in the Keyfactor Command Reference Guide). Otherwise, Keyfactor recommends that these endpoints be disabled to reduce exposure to unauthorized or unintended use.

The Classic API provides various methods to retrieve the version of Keyfactor Command. For example, values for both the Classic API version and the Keyfactor Command version are returned in HTTP headers with each response to an API call. Additionally, the Status endpoint (see Status) provides additional information about the capabilities of the Classic API in its installed version.

Several endpoints of the Classic API have their own incremental versioning. For example, the CertEnroll endpoint has three versions, of which version 3 is the most recent:

  • CertEnroll/1
  • CertEnroll/2
  • CertEnroll/3

As the Keyfactor Web APIs have evolved and continue to evolve, an additional security constraint is available to limit access to deprecated legacy versions of API endpoints. In many cases, newer versions of an endpoint are more secure and robust, easier to use, and offer more functionality. Keyfactor highly recommends use of the newest endpoints wherever possible. To this end, it is possible to disable deprecated API endpoints in the Classic API from the API Application Settings within the Keyfactor Command Management Portal (see Application Settings: API Tab in the Keyfactor Command Reference Guide). This setting will disable the following endpoints:

If the Allow Deprecated API Calls setting is disabled, any client attempting to access deprecated endpoints will receive an error message instead of the expected results. This will, of course, prevent client applications that rely on these endpoints from functioning, and if these applications cannot be updated to the newer endpoints then the Allow Deprecated API Calls setting must be enabled. Otherwise, Keyfactor recommends that these endpoints be disabled to reduce exposure to unauthorized or unintended use.

The following endpoints have been removed from the Classic API and are no longer supported:

  • CertEnroll/1/Templates

By default, all Classic API methods start with a base path, which corresponds to an application under IIS; this path is configurable at install time. The API component name and method name then comprise the parts of the URL, each separated by a forward slash. For example, “/CMSApi/CertEnroll/1/Token” would be the URL format for the Token method of version 1 of the CertEnroll API component in the Classic API.
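An added example (not Keyfactor code): before disabling the Classic API or its older endpoint versions, an IIS log review can show which accounts and hosts still call which Classic API paths. It assumes the /CMSApi base path from the example above and a W3C log with a #Fields header; the log lines, users, IPs and the "Example" component are constructed for illustration.

```python
from collections import defaultdict

BASE_PATH = "/CMSApi"        # base path from the page's example; configurable at install time
LATEST = {"CertEnroll": 3}   # from the page: CertEnroll has versions 1 to 3

# Constructed IIS W3C log excerpt (sample data, not from a real server).
SAMPLE_LOG = r"""#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2024-03-01 10:00:01 POST /CMSApi/CertEnroll/1/Token CORP\svc_old 10.0.0.5 200
2024-03-01 10:00:02 POST /cmsapi/CertEnroll/3/Token CORP\svc_new 10.0.0.6 200
2024-03-01 10:00:03 GET /CMSApi/Example/Method CORP\svc_new 10.0.0.6 200
2024-03-01 10:00:04 GET /OtherApp/CertEnroll/1/Token - 10.0.0.7 404
2024-03-01 10:00:05 POST /CMSApi/CertEnroll/1/Token CORP\svc_old 10.0.0.5 200
"""

def parse_classic_path(uri_stem, base_path=BASE_PATH):
    """Split '<base>/<component>[/<version>]/<method>'; None if not under base_path."""
    segs = [s for s in uri_stem.split("/") if s]
    base = [s for s in base_path.split("/") if s]
    if [s.lower() for s in segs[:len(base)]] != [s.lower() for s in base]:
        return None  # IIS matches the application path case-insensitively
    rest = segs[len(base):]
    if not rest:
        return None
    component, rest = rest[0], rest[1:]
    version = None
    if rest and rest[0].isdigit():  # only some components carry a version segment
        version, rest = int(rest[0]), rest[1:]
    return component, version, "/".join(rest)

def inventory(log_text, base_path=BASE_PATH, latest=LATEST):
    """Map each Classic API endpoint seen to its callers; list calls to older versions."""
    fields, callers, outdated = [], defaultdict(set), set()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        parsed = parse_classic_path(row.get("cs-uri-stem", ""), base_path)
        if parsed is None:
            continue
        component, version, method = parsed
        key = "/".join(str(p) for p in (component, version, method) if p not in (None, ""))
        callers[key].add((row.get("cs-username", "-"), row.get("c-ip", "-")))
        if version is not None and version < latest.get(component, version):
            outdated.add(key)
    return dict(callers), sorted(outdated)
```

The `outdated` list only reflects versions lower than those given in `LATEST`; compare the full `callers` map against the deprecated endpoint list in the Reference Guide before changing the setting.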

Many Classic API methods operate on a certificate resource stored in Keyfactor Command, and a standardized way to identify the certificate for the operation is used in the request structure across several Classic API components; this is described in Table 668: Classic API Certificate Lookup Structure. This table does not apply to the Keyfactor API.

Table 668: Classic API Certificate Lookup Structure

| Parameter Name | Parameter Value |
|---|---|
| Type | One of Serial, Thumbprint, or CMSID. |
| SerialNumber | Hexadecimal serial number of referenced certificate. Required only if Type is Serial. |
| IssuerDN | Distinguished Name of the issuer of the referenced certificate. Required only if Type is Serial. |
| Thumbprint | SHA-1 thumbprint of the referenced certificate. Required only if Type is Thumbprint. |
| CMSID | Identifier assigned by Keyfactor Command to the referenced certificate. Required only if Type is CMSID. |