Templates |
An array containing the templates available for enrollment by the user. |
Id |
An integer indicating the Keyfactor Command reference ID of the certificate template. |
Name |
A string containing the common name (short name) of the template. This name typically does not contain spaces. For a template created using a Microsoft management tool, this will be the Microsoft template name. |
DisplayName |
A string containing the display name of the template. Unlike the Name, this may contain spaces. For a template created using a Microsoft management tool, this will be the Microsoft template display name. |
Forest |
A string containing the name of the configuration tenant the template is associated with. |
KeySize |
A string indicating the minimum supported key size of the template. |
RequiresApproval |
A Boolean indicating whether the template has been configured with the Microsoft CA certificate manager approval option enabled (true) or not (false). |
RFCEnforcement |
A Boolean indicating whether certificate enrollments made through Keyfactor Command for this template must include at least one DNS SAN (true) or not (false). In the Keyfactor Command Management Portal, this causes the CN entered in PFX enrollment to automatically be replicated as a SAN, which the user can either change or accept. For CSR enrollment, if the CSR does not have a SAN that matches the CN, one will automatically be added to the certificate if this is set. By default, this is set to false at a system-wide level and may be overridden on a template-by-template basis. |
CAs |
An array of certificate authorities from which the template is available for enrollment, that are configured for enrollment in Keyfactor Command, and on which the requesting user has enrollment permissions. |
Name |
The full name of the CA, made up of the DNS hostname of the certificate authority (e.g. corpca01.keyexample.com) and the logical name (e.g. CorpIssuingCA1) for a full name similar to corpca01.keyexample.com\\CorpIssuingCA1. |
RFCEnforcement |
A Boolean that sets whether certificate enrollments made through Keyfactor Command for this CA must include at least one DNS SAN (true) or not (false). In the Keyfactor Command Management Portal, this causes the CN entered in PFX enrollment to automatically be replicated as a SAN, which the user can either change or accept. For CSR enrollment, if the CSR does not have a SAN that matches the CN, one will automatically be added to the certificate if this is set. This setting at the CA level applies only to standalone CAs. For CAs that use templates, this setting is controlled at the template level and is ignored at the CA level. |
SubscriberTerms |
A Boolean that sets whether to add a checkbox on the enrollment pages to force users to agree to a custom set of terms before enrolling (true) or not (false). Tip: Configure a link to the custom terms using the URL to Subscriber Terms application setting. See Application Settings: Enrollment Tab in the Keyfactor Command Reference Guide for more information. |
EnrollmentFields |
An array of custom enrollment field objects. These are configured on a per-template basis to allow you to submit custom fields with CSR and PFX enrollments, supplying custom request attributes to the CA during the enrollment process. This functionality offers benefits such as:
- Preventing users from requesting invalid certificates, based on your specific certificate requirements per template.
- Providing additional information to the CA with the CSR.
Once created on the template, these values are shown in Keyfactor Command on the PFX and CSR enrollment pages in the Additional Enrollment Fields section. The fields are mandatory during enrollment. The data will appear on the CA / Issued Certificates attribute tab for certificates enrolled with a template configured with Keyfactor Command enrollment fields.
Note: These are not metadata fields, so they are not stored in the Keyfactor Command database, but simply passed through to the CA. The CA in turn could, via a gateway or policy module, use this data to perform required actions.
Id |
An integer indicating the ID of the custom enrollment field. |
Name |
A string indicating the name of the custom enrollment field. This name will appear on the enrollment pages. |
Options |
For multiple choice values, an array of strings containing the value choices. |
DataType |
An integer indicating the parameter type. The options are:
1 | String: A free-form data entry field. |
2 | Multiple Choice: Provides a list of acceptable values for the field. The multiple choice values are provided in the Options parameter. |
For example:
"EnrollmentFields": [
{
"Id": 3,
"Name": "MyCustomField",
"Options": ["Green","Red","Yellow","Blue"],
"DataType": 2
}
]
MetadataFields |
An array of template-level metadata field setting objects. Template-level metadata field configurations can override the global metadata field configuration in these ways:
- Whether the metadata field is required, optional or hidden on enrollment.
- The default value for the metadata field.
- A regular expression (string fields only) against which entered data will be validated, along with its associated message.
- For fields of data type multiple choice, the list of values that appear in the multiple choice dropdown.
Metadata field settings defined on a template apply only to enrollments made with that template and, if defined, take precedence over the global-level metadata field settings.
Id |
The Keyfactor Command reference ID of the template-specific metadata setting. |
DefaultValue |
A string containing the default value defined for the metadata field for the specific template. |
MetadataId |
An integer indicating the global metadata field associated with the template-specific settings. |
Validation |
A string containing the template-specific regular expression against which data entered in a string field will be validated. When a user enters information in a metadata field that does not match the specified regular expression, they will see the warning message specified in the Message field. For example: ^[a-zA-Z0-9'_\.\-]*@(keyexample\.org|keyexample\.com)$ This regular expression specifies that the data entered in the field must consist of some number of characters prior to the “@” made up only of lowercase letters, uppercase letters, numbers, apostrophes, underscores, periods, and/or hyphens, followed by exactly either “@keyexample.org” or “@keyexample.com”. This field is only supported for metadata fields with data type string. |
Enrollment |
An integer that indicates how metadata fields should be handled on the PFX and CSR Enrollment pages. Possible values are:
0 | Optional: Users have the option to either enter a value or not enter a value in the field. |
1 | Required: Users are required to enter data in the field when populating metadata fields on the PFX and CSR Enrollment pages. The field is not required on the certificate details or Add Certificate page. |
2 | Hidden: The field is hidden and does not appear on the PFX and CSR Enrollment pages. It still appears on the certificate details and Add Certificate pages. |
Message |
A string containing a message to present when a user enters information in a metadata field that does not match the template-specific regular expression (Validation field). |
Options |
A string containing a comma-separated list of the values that should appear in the field dropdown for multiple choice fields (see the example below). This field is only supported for metadata fields with data type multiple choice. |
For example: "MetadataFields": [
{
"Id": 4,
"DefaultValue": "reggie.wallace@keyexample.com",
"MetadataId": 4,
"Validation": "^[a-zA-Z0-9'_\\.\\-]*@(keyexample\\.org|keyexample\\.com)$",
"Enrollment": 1,
"Message": "Your email address must be of the form user@keyexample.com or fname.lname@keyexample.com."
},
{
"Id": 13,
"DefaultValue": "E-Business",
"MetadataId": 5,
"Validation": "",
"Enrollment": 0,
"Message": "",
"Options": "Accounting,E-Business,Executive,HR,IT,Marketing,R&D,Sales"
}
]
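As an added example (not code from this page or from Keyfactor), the following Python applies the EnrollmentFields and MetadataFields rules described above to the values a caller intends to send with a PFX or CSR enrollment, so that a request can be checked client-side before it reaches the server. The TicketNumber field, the global metadata field names behind each MetadataId, and the error wording are assumptions; the server enforces these rules itself regardless of what a client does.

```python
import re

# Constructed template settings modelled on the EnrollmentFields and
# MetadataFields examples above. TicketNumber is an assumed extra field.
TEMPLATE_SETTINGS = {
    "EnrollmentFields": [
        {"Id": 3, "Name": "MyCustomField",
         "Options": ["Green", "Red", "Yellow", "Blue"], "DataType": 2},
        {"Id": 9, "Name": "TicketNumber", "Options": [], "DataType": 1},
    ],
    "MetadataFields": [
        {"Id": 4, "MetadataId": 4,
         "DefaultValue": "reggie.wallace@keyexample.com",
         "Validation": r"^[a-zA-Z0-9'_\.\-]*@(keyexample\.org|keyexample\.com)$",
         "Enrollment": 1,
         "Message": "Your email address must be of the form user@keyexample.com "
                    "or fname.lname@keyexample.com."},
        {"Id": 13, "MetadataId": 5, "DefaultValue": "E-Business",
         "Validation": "", "Enrollment": 0, "Message": "",
         "Options": "Accounting,E-Business,Executive,HR,IT,Marketing,R&D,Sales"},
    ],
}

# The response carries only MetadataId; the field names come from the global
# metadata field definitions. These two names are assumed.
GLOBAL_METADATA_NAMES = {4: "Email-Contact", 5: "Department"}

OPTIONAL, REQUIRED, HIDDEN = 0, 1, 2      # MetadataFields.Enrollment values
STRING, MULTIPLE_CHOICE = 1, 2            # EnrollmentFields.DataType values


def check_enrollment_fields(settings, supplied):
    """Enrollment fields are mandatory; a multiple-choice value must be one of
    the field's Options. Returns a list of error strings (empty if valid)."""
    errors = []
    for field in settings["EnrollmentFields"]:
        name = field["Name"]
        value = supplied.get(name, "")
        if value == "":
            errors.append(f"{name}: a value is required")
        elif field["DataType"] == MULTIPLE_CHOICE and value not in field["Options"]:
            errors.append(f"{name}: '{value}' is not one of {field['Options']}")
    return errors


def resolve_metadata(settings, supplied):
    """Apply the template-level metadata rules to user-supplied metadata.
    Returns (values_to_submit, errors). DefaultValue fills a missing entry,
    Validation is matched against the whole string, and Options restricts a
    multiple-choice field to the listed values."""
    resolved, errors = {}, []
    for rule in settings["MetadataFields"]:
        name = GLOBAL_METADATA_NAMES[rule["MetadataId"]]
        if rule["Enrollment"] == HIDDEN:
            # Not shown on the enrollment pages, so nothing the user sent is used.
            continue
        value = supplied.get(name) or rule.get("DefaultValue") or ""
        if value == "":
            if rule["Enrollment"] == REQUIRED:
                errors.append(f"{name}: required for enrollment with this template")
            continue
        pattern = rule.get("Validation") or ""
        if pattern and re.fullmatch(pattern, value) is None:
            errors.append(f"{name}: {rule['Message']}")
            continue
        options = rule.get("Options") or ""
        if options and value not in options.split(","):
            errors.append(f"{name}: '{value}' is not an allowed choice")
            continue
        resolved[name] = value
    return resolved, errors
```

Note that a missing required metadata field is satisfied by its DefaultValue, which is why an empty submission still resolves both fields above; a caller that wants to force explicit input should check `supplied` directly rather than relying on the default.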
Regexes |
An object containing the global template regular expression settings. These apply to all enrollments that are not otherwise overridden by individual template settings, including those that do not use a template (e.g. from a standalone CA). |
TemplateId |
The Keyfactor Command reference ID of the certificate template the regular expression is associated with. |
SubjectPart |
A string indicating the portion of the subject the regular expression applies to (e.g. CN). |
RegEx |
A string specifying the regular expression against which data entered in the indicated subject part field (e.g. CN) in the enrollment pages of the Keyfactor Command Management Portal or using an API enrollment method will be validated.
Use the GET /Templates/SubjectParts method (see GET Templates Subject Parts) to retrieve a list of all the supported subject parts.
CN (Common Name) |
This regular expression specifies that the data entered in the field must consist of some number of characters in the first portion of the field made up only of lowercase letters, uppercase letters, numbers, apostrophes, underscores, periods, and/or hyphens followed by exactly .keyexample.com:
^[a-zA-Z0-9'_\.\-]*\.keyexample\.com$
The default value for the Common Name regular expression is:
.+
This requires entry of at least one character in the Common Name field in the enrollment pages.
O (Organization) |
This regular expression requires that the organization name entered in the field be one of “Key Example Inc”, “Key Example” or “Key Example Inc.”:
^(?:Key Example Inc|Key Example|Key Example, Inc\.)$
The period in the final company name (Key Example, Inc.) needs to be escaped in the regular expression with a backslash ("\") but the comma does not.
OU (Organization Unit) |
This regular expression requires that the organizational unit entered in the field be one of these four departments:
^(?:IT|HR|Accounting|E-Commerce)$
L (City/Locality) |
This regular expression requires that the city entered in the field be one of these five cities:
^(?:Boston|Chicago|New York|London|Dallas)$
ST (State/Province) |
This regular expression requires that the state or province entered in the field be one of these five:
^(?:Massachusetts|Illinois|New York|Ontario|Texas)$
C (Country) |
This regular expression requires that the country entered in the field be either US or CA:
^(?:US|CA)$
E (Email) |
This regular expression specifies that the data entered in the field must consist of some number of characters prior to the “@” made up only of lowercase letters, uppercase letters, numbers, apostrophes, underscores, periods, and/or hyphens followed by exactly “@keyexample.com”:
^[a-zA-Z0-9'_\.\-]*@keyexample\.com$
DNS (Subject Alternative Name: DNS Name) |
This regular expression specifies that the data entered in the field must consist of some number of characters in the first portion of the field made up only of lowercase letters, uppercase letters, numbers, apostrophes, underscores, periods, and/or hyphens followed by exactly either “.keyexample1.com” or “.keyexample2.com”:
^[a-zA-Z0-9'_\.\-]*\.(?:keyexample1\.com|keyexample2\.com)$
IPv4 (Subject Alternative Name: IPv4 Address) |
This regular expression specifies that the data entered in the field must be exactly “130.101.” followed by between 1 and 3 digits, a “.”, and another 1 to 3 digits:
^130\.101\.(?:[0-9]{1,3})\.(?:[0-9]{1,3})$
This regular expression specifies only that the IPv4 address is made up of 4 groups of between 1 and 3 digits separated by periods; it does not check that each group is in the range 0 to 255, so a value such as 10.0.999.1 passes:
^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$
IPv6 (Subject Alternative Name: IPv6 Address) |
This regular expression specifies that the data entered in the field must be made up of eight groups of between one and four hexadecimal digits (numbers and/or the uppercase letters A to F) separated by colons. It accepts only the fully expanded, uppercase form; compressed addresses that use “::” and addresses with lowercase hex digits are rejected:
^(?:[A-F0-9]{1,4}:){7}[A-F0-9]{1,4}$
MAIL (Subject Alternative Name: Email) |
This regular expression specifies that the data entered in the field must consist of some number of characters prior to the “@” made up only of lowercase letters, uppercase letters, numbers, apostrophes, underscores, periods, and/or hyphens followed by exactly “@keyexample.com”:
^[a-zA-Z0-9'_\.\-]*@keyexample\.com$
UPN (Subject Alternative Name: User Principal Name) |
This regular expression specifies that the data entered in the field must consist of some number of characters prior to the “@” made up only of lowercase letters, uppercase letters, numbers, apostrophes, underscores, periods, and/or hyphens followed by exactly “@keyexample.com”:
^[a-zA-Z0-9'_\.\-]*@keyexample\.com$
Error |
A string specifying the error message displayed to the user when the subject part referenced in the CSR or entered for a PFX enrollment does not match the given regular expression. Note that the error message already includes a leading string with the subject part (e.g. “Common Name:” or “Invalid CN provided:” depending on the interface used). Your custom message follows this. |
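The following added Python example (not from this page or from Keyfactor) shows how the Regexes rules and RFCEnforcement interact on a CSR enrollment: when RFCEnforcement is on, the CN is replicated into the DNS SANs if no SAN already matches it, and then every value of each subject part is checked against the rule for that part, using the example patterns from this page. The TemplateId, the Error strings and the exact prefix text are assumptions. Because the page's CN example allows any host under .keyexample.com while its DNS example allows only .keyexample1.com and .keyexample2.com, a CN that RFCEnforcement copies into the SANs then fails the DNS rule; the IPv4 and IPv6 cases show that the dotted-quad pattern accepts octets above 255 and the IPv6 pattern rejects compressed or lowercase addresses.

```python
import re

# Constructed Regexes entries that reuse the example patterns from this page.
# TemplateId and the Error text are illustrative.
REGEXES = [
    {"TemplateId": 7, "SubjectPart": "CN",
     "RegEx": r"^[a-zA-Z0-9'_\.\-]*\.keyexample\.com$",
     "Error": "the CN must be a host under keyexample.com"},
    {"TemplateId": 7, "SubjectPart": "O",
     "RegEx": r"^(?:Key Example Inc|Key Example|Key Example, Inc\.)$",
     "Error": "the organization must be Key Example"},
    {"TemplateId": 7, "SubjectPart": "C",
     "RegEx": r"^(?:US|CA)$",
     "Error": "the country must be US or CA"},
    {"TemplateId": 7, "SubjectPart": "DNS",
     "RegEx": r"^[a-zA-Z0-9'_\.\-]*\.(?:keyexample1\.com|keyexample2\.com)$",
     "Error": "DNS SANs must be under keyexample1.com or keyexample2.com"},
    {"TemplateId": 7, "SubjectPart": "IPv4",
     "RegEx": r"^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$",
     "Error": "IPv4 SANs must be dotted quads"},
    {"TemplateId": 7, "SubjectPart": "IPv6",
     "RegEx": r"^(?:[A-F0-9]{1,4}:){7}[A-F0-9]{1,4}$",
     "Error": "IPv6 SANs must be eight uncompressed uppercase groups"},
]

# Subject parts that live in the SAN extension rather than the subject DN.
# The sans dict below is keyed by these same SubjectPart names.
SAN_PARTS = {"DNS", "IPv4", "IPv6", "MAIL", "UPN"}


def apply_rfc_enforcement(subject, sans):
    """Replicate the CN into the DNS SANs when no SAN already matches it,
    which is the behaviour the page describes for RFCEnforcement on CSR
    enrollment. Returns a new dict; the input is not modified."""
    result = {part: list(values) for part, values in sans.items()}
    cn = subject.get("CN")
    if cn and cn not in result.get("DNS", []):
        result.setdefault("DNS", []).append(cn)
    return result


def validate_request(template_id, subject, sans, regexes, rfc_enforcement):
    """Check every value of every subject part against the regex rules for
    this template. Returns (effective_sans, errors). A part with no rule is
    unconstrained, and a rule for a part with no values raises no error."""
    if rfc_enforcement:
        sans = apply_rfc_enforcement(subject, sans)
    errors = []
    for rule in regexes:
        if rule["TemplateId"] != template_id:
            continue
        part = rule["SubjectPart"]
        if part in SAN_PARTS:
            values = sans.get(part, [])
        else:
            values = [subject[part]] if part in subject else []
        for value in values:
            if re.fullmatch(rule["RegEx"], value) is None:
                # The portal and API prefix the part name; the custom Error
                # text follows it. The prefix wording here is assumed.
                errors.append(f"Invalid {part} provided: {rule['Error']}")
    return sans, errors
```

When RFCEnforcement is enabled for a template, the DNS rule therefore has to admit every value the CN rule admits, or CN-only requests will be rejected after the SAN is added.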
ExtendedKeyUsages |
Currently not in use.
Curve |
A string indicating the OID of the elliptic curve configured for the template, for ECC templates. |
StandaloneCAs |
An array containing enrollment information for standalone certificate authorities available for enrollment for the current user. |
Name |
The full name of the CA, made up of the DNS hostname of the certificate authority (e.g. myca.keyexample.com) and the logical name (e.g. CorpStandaloneCA1) for a full name similar to myca.keyexample.com\\CorpStandaloneCA1. |
RFCEnforcement |
A Boolean that sets whether certificate enrollments made through Keyfactor Command for this CA must include at least one DNS SAN (true) or not (false). In the Keyfactor Command Management Portal, this causes the CN entered in PFX enrollment to automatically be replicated as a SAN, which the user can either change or accept. For CSR enrollment, if the CSR does not have a SAN that matches the CN, one will automatically be added to the certificate if this is set. This setting at the CA level applies only to standalone CAs. For CAs that use templates, this setting is controlled at the template level and is ignored at the CA level. |
SubscriberTerms |
A Boolean that sets whether to add a checkbox on the enrollment pages to force users to agree to a custom set of terms before enrolling (true) or not (false). Tip: Configure a link to the custom terms using the URL to Subscriber Terms application setting. See Application Settings: Enrollment Tab in the Keyfactor Command Reference Guide for more information. |