POST Workflow Definitions

A string indicating the type of step. The currently supported types are:

• Email

  Send an email message. This is a separate email message from those typically sent as part of a Require Approval step. You might send an email message as part of an enrollment request to notify approvers that a new request needs approval. The email messages can be customized to provide detailed information about, for example, the certificate request.

• PowerShell

  Run PowerShell commands within the confines of the workflow to populate variables with information to pass back to the workflow. The PowerShell script contents are embedded within the step. This step does not call out to an external file. This provides a high level of security by greatly limiting the number of standard PowerShell cmdlets that can be executed by the workflow step. A small number of PowerShell cmdlets have been white listed to allow them to be included in workflow steps of this type, including:

  • Where-Object
  • ForEach-Object

  • Get-Command

• CustomPowerShell

  Run a PowerShell script. The script contents are in a file placed in the ExtensionLibrary\Workflow directory or a subdirectory of it on the Keyfactor Command server under the install directory for Keyfactor Command. By default, this is:

  C:\Program Files\Keyfactor\Keyfactor Platform\ExtensionLibrary\Workflow

  The file must have an extension of .ps1. A sample PowerShell script is provided in the Workflow directory (CustomPowershellExample.ps1).

• RequireApproval

  Require approval for a workflow step before the step can be completed. The require approval step can require approval from just one approver or multiple approvers. The workflow will be suspended at this point until the correct number of approvals from users with the correct security roles is received or until one deny is received before continuing to the next step. As part of this step, an email message is sent indicating whether the step was approved or denied—typically to the requester. This step does not include logic to send an email initiating the approval process (letting users know something needs approval). Use an Email type step for this.

  Important:  Workflows are not supported with CA delegation when they contain steps that require approval. For more information, see the CA configuration Authorization Methods Tab in the Keyfactor Command Reference Guide.
  Note:  The users that you send email to initiating the approval process must be members of a security role that is allowed to submit signals (approve/deny) for the workflow in order to approve or deny the request.
  Tip:  The workflow builder does not include a step to send a notification to the requester of a certificate on an enrollment once the certificate is issued by the CA (as opposed to approved in Keyfactor Command). Use the issued alerts for this (see Issued Request Alert Operations in the Keyfactor Command Reference Guide).

• RESTRequest

  Run a REST (API) request. The REST request contents are embedded within the step. It does not call out to an external file.

• EnrollmentAgent (Enrollment Only)

  On an enrollment (either CSR or PFX), create a resigned CSR to prepare an updated enrollment request for delivery to a Microsoft CA after a previous step in the workflow has been used to update either the SANs in the initial request, subject (DN) in the initial request or both. This step must be placed later in the workflow than the step(s) to modify the SANs and/or subject. The SANs and subject may be modified with either of the PowerShell step types or a custom step type. The step creates a new CSR using the same public key as the original CSR using the updated SAN and/or subject values. It signs the new CSR with the certificate provided in the step's configuration.

  For this type of step you will need an enrollment agent certificate available as a PKCS#12 (.PFX) file with included private key to import into Keyfactor Command. This can be a user certificate or a computer certificate (e.g. generated from a copy of the Enrollment Agent template or the Enrollment Agent (Computer) template) and must have a Certificate Request Agent EKU. Note that the built-in Enrollment Agent and Enrollment Agent (Computer) templates do not allow private keys to be exported by default. You will need a template that allows private key export or will need to manually override private key export to create a certificate with an exportable private key in order to create a PKCS#12 (.PFX) file.

  Important:  This step applies to Microsoft CAs only. If this step is added to workflow for requests directed to an EJBCA CA, it will fail on enrollment. Note that EJBCA supports submission of updated SAN or subject details as part of standard functionality.

• SubjectFormatter (Enrollment Only)

  On an enrollment done through the Keyfactor Windows Enrollment Gateway using a client-side template configured with the Build from this Active Directory information option on the template, this workflow step handles formatting the incoming subject, SANs, and/or SID in the certificate request appropriately such that the enrollment will complete successfully with the target CA and Keyfactor Command template, which is not configured to build from AD. Any Keyfactor Windows Enrollment Gateway using a client-side template configured with the subject as Build from this Active Directory information must be configured with a workflow step of this type on the Keyfactor Command template that has been mapped in the gateway to that template in order to complete an enrollment through the gateway. There are no configuration parameters for the step.

  Important:  The template in Keyfactor Command that is mapped to the client-side template configured to build the subject from Active Directory also needs to be configured with three enrollment fields to support handling the incoming subject, SANs, and/or SID. For more information about configuring this, see the Keyfactor Windows Enrollment Gateway Installation and Configuration Guide.

• EnrollStep

  Enroll for a certificate through Keyfactor Command. The enroll step must always fall as the last step in the workflow, immediately following the EndNOOP step.

• NOOPStep

  An entry or exit step in which no operation occurs. Steps of this type indicate the start and end of the workflow.

• RevokeStep

  Revoke a certificate through Keyfactor Command. The revoke step must always fall as the last step in the workflow, immediately following the EndNOOP step.

An array containing the configuration parameters for the workflow definition step. These will vary depending on the type of workflow and the type of step (see ExtensionName). Show CustomPowerShell, Email, EnrollmentAgent, PowerShell, RequireApproval, or RestRequest parameter details.

{
   "SecretValue": "MySuperSecretPassword$123"
}

{
   "Provider": "1",
   "Parameters":{
      "Folder":"MyFolderName",
      "Object":"MyWorkflowCertPassword"
   }
}

{
   "Provider": "1",
   "Parameters":{
      "SecretId":"MyCertPasswordId"
   }
}

"Headers": {
   "x-keyfactor-requested-with": [
      "APIClient"
   ],
   "x-keyfactor-api-version": [
      "2"
   ]
}

{
   "SecretValue": "KEYEXAMPLE\svc_MyServiceName"
}

{
   "Provider": "1",
   "Parameters":{
      "Folder":"MyFolderName",
      "Object":"MyWorkflowUsername"
   }
}

{
   "Provider": "1",
   "Parameters":{
      "SecretId":"MyUsernameId"
   }
}

{
   "Id": "$(certid)",
   "Metadata":{
      "RevocationComment": "$(cmnt)"
   }
}

An object containing conditions indicating whether the step should run (true) or not (false). Conditions may either have a static value of True or False or a token that will have a value of True or False at the time the step is run. More than one condition may be added. If multiple conditions are used in the same step, all conditions must have a value of True at the time the step is evaluated to be run in order for the step to run. If any single condition evaluates to False, the step will not run. Show condition details.