TemplateRegexes |
An object containing the system-wide template regular expression settings. These apply to all enrollments that are not otherwise overridden by individual template settings, including those that do not use a template (e.g. from a standalone CA).
SubjectPart |
A string indicating the portion of the subject the regular expression applies to (e.g. CN). |
RegEx |
A string specifying the regular expression against which data entered in the indicated subject part field (e.g. CN) in the enrollment pages of the Keyfactor Command Management Portal or using an API enrollment method will be validated.
Use the GET /Templates/SubjectParts method (see GET Templates Subject Parts) to retrieve a list of all the supported subject parts.
Regular expression examples:
CN (Common Name) |
This regular expression specifies that the data entered in the field must consist of some number of characters (lowercase letters, uppercase letters, numbers, apostrophes, underscores, periods, and/or hyphens) followed by exactly “.keyexample.com”:
^[a-zA-Z0-9'_\.\-]*\.keyexample\.com$
The default value for the Common Name regular expression is:
.+
This requires entry of at least one character in the Common Name field in the enrollment pages.
|
O (Organization) |
This regular expression requires that the organization name entered in the field be one of “Key Example Inc”, “Key Example” or “Key Example, Inc.”:
^(?:Key Example Inc|Key Example|Key Example, Inc\.)$
The period in the final company name (Key Example, Inc.) needs to be escaped in the regular expression with a backslash ("\") but the comma does not.
|
OU (Organization Unit) |
This regular expression requires that the organizational unit entered in the field be one of these four departments:
^(?:IT|HR|Accounting|E-Commerce)$
|
L (City/Locality) |
This regular expression requires that the city entered in the field be one of these five cities:
^(?:Boston|Chicago|New York|London|Dallas)$
|
ST (State/Province) |
This regular expression requires that the state or province entered in the field be one of these five:
^(?:Massachusetts|Illinois|New York|Ontario|Texas)$
|
C (Country) |
This regular expression requires that the country entered in the field be either US or CA:
^(?:US|CA)$
|
E (Email) |
This regular expression specifies that the data entered in the field must consist of some number of characters prior to the “@” made up only of lowercase letters, uppercase letters, numbers, apostrophes, underscores, periods, and/or hyphens followed by exactly “@keyexample.com”:
^[a-zA-Z0-9'_\.\-]*@keyexample\.com$
|
DNS (Subject Alternative Name: DNS Name) |
This regular expression specifies that the data entered in the field must consist of some number of characters in the first portion of the field made up only of lowercase letters, uppercase letters, numbers, apostrophes, underscores, periods, and/or hyphens followed by exactly either “.keyexample1.com” or “.keyexample2.com”:
^[a-zA-Z0-9'_\.\-]*\.(?:keyexample1\.com|keyexample2\.com)$
|
IPv4 (Subject Alternative Name: IPv4 Address) |
This regular expression specifies that the data entered in the field must be exactly “130.101.” followed by anywhere between 1 and 3 numbers followed by exactly “.” followed by anywhere between 1 and 3 numbers:
^130\.101\.(?:[0-9]{1,3})\.(?:[0-9]{1,3})$
This regular expression specifies only that the IPv4 address is made up of 4 sets of between 1 and 3 numbers separated by periods:
^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$
|
IPv6 (Subject Alternative Name: IPv6 Address) |
This regular expression specifies that the data entered in the field must be made up of eight groups of between one and four hexadecimal digits (numbers and/or the uppercase letters A through F) separated by colons. Only the uncompressed form is matched; the “::” shorthand and lowercase letters are rejected:
^(?:[A-F0-9]{1,4}:){7}[A-F0-9]{1,4}$
|
MAIL (Subject Alternative Name: Email) |
This regular expression specifies that the data entered in the field must consist of some number of characters prior to the “@” made up only of lowercase letters, uppercase letters, numbers, apostrophes, underscores, periods, and/or hyphens followed by exactly “@keyexample.com”:
^[a-zA-Z0-9'_\.\-]*@keyexample\.com$
|
UPN (Subject Alternative Name: User Principal Name) |
This regular expression specifies that the data entered in the field must consist of some number of characters prior to the “@” made up only of lowercase letters, uppercase letters, numbers, apostrophes, underscores, periods, and/or hyphens followed by exactly “@keyexample.com”:
^[a-zA-Z0-9'_\.\-]*@keyexample\.com$
|
|
Error |
A string specifying the error message displayed to the user when the subject part referenced in the CSR or entered for a PFX enrollment does not match the given regular expression. Note that the error message already includes a leading string with the subject part (e.g. “Common Name:” or “Invalid CN provided:” depending on the interface used). Your custom message follows this. |
For example:
"TemplateRegexes": [
{
"SubjectPart": "O",
"Regex": "^(?:Key Example Company|Key Example, Inc\\.)$",
"Error": "Organization must be Key Example, Inc or Key Example Company."
}
]
Because the value is a JSON string, the backslash that escapes the period in the regular expression must itself be written as "\\"; the comma needs no escaping.
|
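The following is an added example, not Keyfactor's own code: it applies a TemplateRegexes list of the shape described above to the subject parts of a proposed enrollment, using the page's CN, O and IPv4 patterns as a constructed configuration. The function names and the `subject` dictionary layout are assumptions for illustration. It also shows the caveat that the IPv4 pattern checks only shape, so a parse step is still needed.

```python
import ipaddress
import re

# Constructed configuration (not from a live Keyfactor instance): the page's CN,
# O and IPv4 patterns in the TemplateRegexes shape described above.
TEMPLATE_REGEXES = [
    {"SubjectPart": "CN", "RegEx": r"^[a-zA-Z0-9'_\.\-]*\.keyexample\.com$",
     "Error": "must end in .keyexample.com."},
    {"SubjectPart": "O", "RegEx": r"^(?:Key Example Inc|Key Example|Key Example, Inc\.)$",
     "Error": "must be Key Example, Key Example Inc or Key Example, Inc."},
    {"SubjectPart": "IPv4", "RegEx": r"^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$",
     "Error": "must be a dotted-quad address."},
]


def validate_subject(subject, regexes=TEMPLATE_REGEXES):
    """Return [(subject_part, error), ...] for every value that fails its rule.

    `subject` (hypothetical layout) maps a subject part name (CN, O, IPv4, ...)
    to one value or a list of values, since SAN parts may carry several.
    fullmatch() is used rather than search(): it refuses a trailing newline
    that a bare '$' would tolerate, so the check is as strict as the anchors
    intend.
    """
    errors = []
    for rule in regexes:
        values = subject.get(rule["SubjectPart"])
        if values is None:
            continue  # part not present in this enrollment; nothing to check
        if isinstance(values, str):
            values = [values]
        pattern = re.compile(rule["RegEx"])
        for value in values:
            if pattern.fullmatch(value) is None:
                errors.append((rule["SubjectPart"], rule["Error"]))
    return errors


def is_valid_ipv4(value):
    """The page's IPv4 pattern only checks shape: '300.1.1.1' matches it.
    Parse the octets as well before trusting the SAN value."""
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(validate_subject({"CN": "web-01.keyexample.com", "O": "Key Example, Inc."}))
    print(validate_subject({"CN": "web-01.keyexample.com.other.net", "O": "Key Example Inc."}))
```

Note that the CN pattern's `*` quantifier also accepts an empty left-hand label, so ".keyexample.com" on its own passes; tighten to `+` if a non-empty host label is required.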
TemplateDefaults |
An object containing the system-wide template default settings. These apply to all enrollments that are not otherwise overridden by individual template settings, including those that do not use a template (e.g. from a standalone CA).
SubjectPart |
A string indicating the portion of the subject the default applies to (e.g. L for City/Locality). |
Value |
A string containing the value to assign as the default for that subject part (e.g. Chicago). |
For example: "TemplateDefaults": [
{
"SubjectPart": "L",
"Value": "Denver"
},
{
"SubjectPart": "ST",
"Value": "Colorado"
}
]
Note: See also the Subject Format application setting, which takes precedence over enrollment defaults at both the system-wide and template level (see Application Settings: Enrollment Tab in the Keyfactor Command Reference Guide) but does not apply to enrollment requests done through the Keyfactor API.
|
TemplatePolicy |
An object containing the system-wide template policy settings. These apply to all enrollments that are not otherwise overridden by individual template settings, including those that do not use a template (e.g. from a standalone CA).
RSAValidKeySizes |
An object containing a comma-delimited list of integers defining the valid RSA key sizes supported for all templates used for enrollment. The supported values are:
|
ECCValidCurves |
An object containing a list of strings defining the valid elliptic curve algorithms for ECC templates. These may be specified using the well-known OIDs for ECC algorithms or by friendly name. Well-known OIDs include:
- 1.2.840.10045.3.1.7 = P-256/prime256v1/secp256r1
- 1.3.132.0.34 = P-384/secp384r1
- 1.3.132.0.35 = P-521/secp521r1
When specifying by friendly name, do not include a slash (use “P-256”, not “P-256/prime256v1/secp256r1”).
|
AllowKeyReuse |
A Boolean that indicates whether private key reuse is allowed (true) or not (false). This option applies to certificate renewals. |
AllowWildcards |
A Boolean that indicates whether wildcards are allowed (true) or not (false). |
RFCEnforcement |
A Boolean that indicates whether RFC 2818 compliance enforcement is enabled (true) or not (false). When this option is set to true, certificate enrollments made through Keyfactor Command for this template must include at least one DNS SAN. In the Keyfactor Command Management Portal, this causes the CN entered in PFX enrollment to automatically be replicated as a SAN, which the user can either change or accept. For CSR enrollment, if the CSR does not have a SAN that matches the CN, one will automatically be added to the certificate if this is set. |
AllowEd448 |
A Boolean that indicates whether Ed448 key type is allowed (true) or not (false). |
AllowEd25519 |
A Boolean that indicates whether Ed25519 key type is allowed (true) or not (false). |
For example: "TemplatePolicy": {
"RSAValidKeySizes": [
2048,
4096
],
"ECCValidCurves": [
"1.2.840.10045.3.1.7",
"1.3.132.0.34",
"1.3.132.0.35"
],
"AllowKeyReuse": false,
"AllowWildcards": true,
"RFCEnforcement": true,
"AllowEd448": false,
"AllowEd25519": false
}
|
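As an added example (not Keyfactor's code), the following evaluates a proposed enrollment against a TemplatePolicy object with the fields described above, using the page's example policy as a constructed input. The request dictionary layout, the `check_policy` and `curve_oid` names, and the handling of a key-reuse flag are assumptions for illustration; curve names are normalised to their OIDs so that either form the page allows can be listed.

```python
# Constructed policy (the page's TemplatePolicy example, not a live system's).
POLICY = {
    "RSAValidKeySizes": [2048, 4096],
    "ECCValidCurves": ["1.2.840.10045.3.1.7", "1.3.132.0.34", "1.3.132.0.35"],
    "AllowKeyReuse": False, "AllowWildcards": True, "RFCEnforcement": True,
    "AllowEd448": False, "AllowEd25519": False,
}

# Well-known curve OIDs and the friendly names the page lists for each.
CURVE_NAMES = {
    "1.2.840.10045.3.1.7": {"P-256", "prime256v1", "secp256r1"},
    "1.3.132.0.34": {"P-384", "secp384r1"},
    "1.3.132.0.35": {"P-521", "secp521r1"},
}

def curve_oid(spec):
    """Normalise an OID or a single friendly name (no slashes) to its OID; None if unknown."""
    for oid, names in CURVE_NAMES.items():
        if spec == oid or spec in names:
            return oid
    return None

def check_policy(request, policy=POLICY):
    """Evaluate one enrollment request (hypothetical dict: KeyType, KeySize or
    Curve, CN, DnsSans, ReusesKey) and return (violations, effective_dns_sans)."""
    violations = []
    kind = request["KeyType"]
    if kind == "RSA" and request["KeySize"] not in policy["RSAValidKeySizes"]:
        violations.append(f"RSA key size {request['KeySize']} is not a valid size")
    elif kind == "ECC":
        allowed = {curve_oid(c) for c in policy["ECCValidCurves"]}
        if curve_oid(request["Curve"]) not in allowed:
            violations.append(f"curve {request['Curve']} is not a valid curve")
    elif kind == "Ed448" and not policy["AllowEd448"]:
        violations.append("Ed448 keys are not allowed")
    elif kind == "Ed25519" and not policy["AllowEd25519"]:
        violations.append("Ed25519 keys are not allowed")
    if request.get("ReusesKey") and not policy["AllowKeyReuse"]:
        violations.append("private key reuse on renewal is not allowed")
    sans = list(request.get("DnsSans", []))
    # RFC 2818 enforcement: the CN must also appear as a DNS SAN; add it if absent.
    if policy["RFCEnforcement"] and request["CN"] not in sans:
        sans.append(request["CN"])
    if not policy["AllowWildcards"]:
        for name in [request["CN"], *sans]:
            if "*" in name:
                violations.append(f"wildcard name {name} is not allowed")
                break
    return violations, sans
```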