Many of the settings that control the behavior of Keyfactor Command features are configurable from the Applications Settings on the System setting menu. Browse to System Settings Icon 
> Application Settings. The tables below provide a brief description of these settings.
Each tab of the Applications Settings page is organized into sections—a General section and additional sections based on the functionality controlled by each tab. Click the plus (
/
) next to a section to toggle expand/collapse that section.
Depending on your Keyfactor Command license, not all application settings may be applicable in your environment.
Application Settings: Console Tab
Figure 332: Console Application Settings: General
Figure 333: Console Application Settings: Monitoring
Table 20: Console Application Settings
|
Tab |
Section |
Field |
Description |
|---|---|---|---|
|
Console |
General |
Bulk Edit Details Batch Size |
The number of certificates at a time that are read from the database when using the Edit All feature to edit certificate metadata. This setting can be adjusted if there are responsiveness issues when editing large numbers of certificates at once. The default value is 5000. |
|
Console |
General |
Bulk Edit Batch Size |
The number of certificates at a time that are saved to the database when using the Edit All feature to edit certificate metadata. This setting can be adjusted if there are responsiveness issues when editing large numbers of certificates at once. The default value is 3000. |
| Console | General | CA Sync Consecutive Error Limit | The number of errors a CA synchronization can encounter before the synchronization job stops (without running to completion). |
| Console | General | CA Sync Backward Offset Minutes |
The number of minutes to offset when determining whether a certificate requested outside of Keyfactor Command should be included in an incremental synchronization. Adjusting this value can be helpful in situations of extreme clock skew or when the EJBCA Validity Offset setting is enabled. Note: For EJBCA CAs, if the certificate profile has a Validity Offset configured to a value greater than the value configured in the CA Sync Backward Offset Minutes application setting (15 minutes by default), certificates requested outside of Keyfactor Command will not be picked up on incremental scans. These certificates will only appear in Keyfactor Command on a full synchronization. The CA Sync Backward Offset Minutes application setting should be set to the same number of minutes as the Validity Offset value, if Validity Offset is configured.
Figure 334: EJBCA Certificate Profile Validity Offset Greater than 15 Minutes |
| Console | General | CA Sync Page Size | The number of records at a time that are read from the CA during a CA synchronization job. The default value is 500.
Note: This setting applies only to EJBCA CAs. |
|
Console |
General |
Dashboard Collection Caching Interval (minutes) |
The number of minutes before data for the Collections dashboard panel is refreshed. The default value is 20. |
|
Console |
General |
Weeks of CA Stats |
The number of weeks of CA data to include in the dashboard graphs. The default value is 24. |
|
Console |
General |
Debug Embedded Reports |
If set to True, causes an Enable Debug tickbox to appear on the parameters page for reports you access and run from the Navigator (reports on the Reports menu dropdown of the Management Portal). This option does not appear for reports generated from the Report Manager grid. When enabled it allows the reports to output debug level information when they run. If set to False, does not display the Enable Debug option. The default value is False. Tip: When the debugging option is enabled, a small debug icon (
 ) appears at the bottom of reports that generate successfully. You can click on it to see information about the report. |
|
Console |
General |
Display CA Hostname |
If set to True, causes both the CA’s FQDN and logical name (e.g. ca2.keyexample.com\Corp Issuing CA Two) to display in the CA fields on the Certificate Authority, Certificate Requests and API Applications pages of the Management Portal. If set to False, only the CA’s logical name (e.g. Corp Issuing CA Two) displays on these pages. The default value is True. |
|
Console |
General |
Extension Handler Path |
The path to the location on the Keyfactor Command server where the event handler .dll files are stored. By default this is: C:\Program Files\Keyfactor\Keyfactor Platform\ExtensionLibrary\.
|
|
Console |
General |
Immediately Sync Revoked Certificates |
If set to True, causes certificates to immediately sync to Keyfactor Command upon revocation rather than waiting for the next scheduled synchronization cycle. The default value is True. |
| Console | General | Report Footer | A string that appears at the bottom of Logi-based reports either generated from the Management Portal or generated with the Report Manager in PDF format. The report footer appears only at the very end of the report, not at the foot of every page in the report. |
| Console | General | Report Footer Icon | The file name of an image to be used at the bottom of each page of exported and scheduled PDF reports. You can use this to replace the Keyfactor logo with a custom image on your reports. The image is auto set to a height of 30px. This image should be placed in the _SupportFiles folder under the Logi folder (located at C:\Program Files\Keyfactor\Keyfactor Platform\Logi by default). |
|
Console |
General |
Revoke All Enabled |
If set to True, causes the Revoke All button to appear at the top of certificate search and collection grids to allow users with appropriate permissions to revoke all certificates shown in the grid or included in the certificate collection. If set to False, hides the Revoke All button and disables the POST /Certificates/RevokeAll API endpoint. The default value is False for new installations of Keyfactor Command beginning with release 10.4. |
|
Console |
General |
Timer Service Configuration Interval (minutes) |
The number of minutes between checks by the master scheduling service for changes to the synchronization schedules. Any changes made to this value will not be applied until the Keyfactor Command service is restarted. The default value is 10. |
|
Console |
General |
Lock Timeout (seconds) | The amount of time to attempt to acquire a lock ensuring that only one timer service job runs at a time across multiple servers. Default is 5 seconds. |
|
Console |
General |
Lock Heartbeat Interval (seconds) | How often to update the lock to keep it alive while running a long running timer service job. Default is 60 seconds. |
|
Console |
General |
Lock Hold Timeout (seconds) | How long to wait after the last successful heartbeat interval before the lock is considered to be lost and can be acquired by another machine. Default is 900 seconds. |
|
Console |
Monitoring |
Expiration Alert Test Result Limit |
The maximum number of expiration alert emails that will be sent when an expiration alert test is run from within the Management Portal. If the number set here is exceeded during a test, emails will not be sent, but a portion of the alerts will be visible on the expiration alerts test page (see Testing Expiration Alerts). The default value is 100. |
| Console | Monitoring | Key Rotation Alert Test Result Limit | The maximum number of key rotation alert emails that will be sent when a key rotation alert test is run from within the Management Portal. If the number set here is exceeded during a test, emails will not be sent, but a portion of the alerts will be visible on the key rotation alerts test page (see Testing Key Rotation Alerts). The default value is 100. |
|
Console |
Monitoring |
Pending Alert Test Result Limit |
The maximum number of pending alert emails that will be sent when a pending alert test is run from within the Management Portal. If the number set here is exceeded during a test, emails will not be sent, but a portion of the alerts will be visible on the pending alerts test page (see Testing Pending Request Alerts). The default value is 100. |
|
Console |
Monitoring |
Pending Alerts Max Reminders |
The maximum number of pending alert emails that will be sent for a given pending certificate. Every time a pending alert task is run, an email will be sent for a given pending certificate until the limit is reached. It is recommended that the number is kept at 5 or less. The default value is 1. |
Application Settings: Auditing Tab
Figure 335: Audit Log Application Settings
Table 21: Audit Log Application Settings
|
Tab |
Section |
Field |
Description |
|---|---|---|---|
|
Auditing |
General |
Audit Entry Retention Period |
The number of years to retain the audit log entry details. The default value is 7. Note: The audit log cleanup job runs once daily and removes any audit log entries older than the time specified in the retention parameter except those in the following protected categories:
Audit logs belonging to protected categories are retained indefinitely and cannot be deleted. To retain all audit log entries indefinitely, disable the job. See Keyfactor Command Service Job Settings. |
|
Auditing |
Log Server |
Host Name |
The host name of the centralized logging server to receive the Keyfactor Command audit log entries. |
|
Auditing |
Log Server |
Port |
The port to connect to the centralized logging server. The default port (configurable during install) is 514. |
|
Auditing |
Log Server |
Use SysLog Server |
If set to True, enables sending audit log details to a centralized logging server. See Audit Log Output to a Centralized Logging Solution. |
| Auditing | Log Server | Use TLS Connection | If set to True, enables sending audit log details to a centralized logging server over a TLS connection. See Audit Log Output to a Centralized Logging Solution. |
Application Settings: Enrollment Tab
Certificate enrollment refers to the process by which a user requests a digital certificate. The user must submit the request to a certificate authority (CA). that were previously configured under application settings are now configured on the templates page (see Regular Expressions).
Figure 336: Enrollment Application Settings
Table 22: Enrollment Application Settings
|
Tab |
Section |
Field |
Description |
|---|---|---|---|
| Enrollment | General | Display CA Hostname | If set to True, causes both the CA’s FQDN and logical name (e.g. ca2.keyexample.com\Corp Issuing CA Two) to display in the CA dropdowns in the Keyfactor Command Management Portal interfaces. If set to False, only the CA’s logical name (e.g. Corp Issuing CA Two) displays in these dropdowns. The default value is True. |
| Enrollment | General | Subject Format |
The format of the subject field that will be created for the certificates requested through the Keyfactor Command Management Portal if the template used for enrollment is set to supply in request. For example: CN={CN},E={E},O=Key Example\, Inc.,OU={OU},L=Chicago,ST=IL,C=US
The data in the subject format takes precedence over any data entered during PFX enrollment or supplied by enrollment defaults (see Enrollment Defaults Tab). For example, with the above subject format, the organization for certificates generated through PFX enrollment will always be Key Example, Inc. regardless of what is shown on the PFX enrollment page during enrollment. This setting applies to CSRs generated using the CSR generation method in the Keyfactor Command Management Portal and CSR and PFX enrollments done in the Keyfactor Command Management Portal. Data from the default subject does not display on the CSR or PFX enrollment page. To define defaults that will display in the PFX enrollment form (and can be modified by users), use enrollment defaults (see Enrollment Defaults Tab). Note: Backslashes are required before any commas embedded within values in the subject field (e.g. O=Key Example\, Inc.). Quotation marks should not be used in the strings in the fields except in the case where these are part of the desired subject value, as they are processed as literal values.
Tip: The default subject format does not apply to enrollments done using the Keyfactor API.
|
| Enrollment | General | URL to Subscriber Terms | The URL for a web page providing terms and conditions to which a user must agree before being allowed to enroll for a certificate if the CA setting of Require Subscriber Terms is enabled. |
| Enrollment |
CSR |
Allow CSR SAN Entry |
If set to True, enables the section of the CSR enrollment page that allows for entry of custom subject alternative names (SANs). The default value is False. |
| Enrollment | CSR | Enabled | If set to True, enables administrative CSR enrollment. The default value is True. |
|
Enrollment |
PFX |
Allow Custom Friendly Name |
If set to True, enables the section of the PFX enrollment page that allows for entry of a custom friendly name for the certificate. The default value is False. |
|
Enrollment |
PFX |
If set to True, enables the section of the PFX enrollment (see PFX Enrollment) and certificate download (see Download) pages that allow for entry of a custom password for the certificate file. The default value is False. |
|
|
Enrollment |
PFX |
Enabled |
If set to True, enables administrative PFX enrollment. The default value is True. |
|
Enrollment |
PFX |
File Extension |
The file extension that will be given to the certificate files. Typical extensions are PFX or P12. The default value is PFX. |
|
Enrollment |
PFX |
Only use Alpha Numeric Chars |
If set to True, the one-time password generated to encrypt the PFX file acquired through the Keyfactor Command Management Portal (if the user’s Active Directory password is not used) will contain just numbers and letters. If set to False, the password will contain numbers, letters and special characters. This setting is ignored if PFX Use Active Directory Password is set to True. The default value is True. |
|
Enrollment |
PFX |
Use Active Directory Password |
If set to True, uses the user’s Active Directory password to encrypt the PFX file containing the certificate acquired through the Keyfactor Command Management Portal and its private key. If set to False, generates a one-time password to encrypt the PFX file. The default value is False. Important: If you change this setting in the application settings you must also change the authentication method configured on the IIS virtual application KeyfactorPortal through the IIS Manager. If you set this option to True, you should configure only Basic Authentication in IIS. If you set this option to False, you may configure either only Windows Authentication or both Basic Authentication and Windows Authentication (the default) in IIS. This is because when you authenticate to the Management Portal using integrated Windows authentication (Kerberos), Keyfactor Command does not have access to your credentials to apply your password to the PFX file.
|
|
Enrollment |
PFX |
Password Length |
The number of characters in the one-time auto-generated password, or the required number of characters in the custom password, to encrypt the PFX file acquired through the Keyfactor Command Management Portal. The default value is 12. This value will be displayed on the PFX enrollment and certificate download pages - password section (if Allow Custom Password is set to true). Important: Keyfactor highly recommends that you use strong passwords for any accounts or certificates related to Keyfactor Command and associated products, especially when these have elevated or administrative access. A strong password has at least 12 characters (more is better) and multiple character classes (lowercase letters, uppercase letters, numeral, and symbols). Ideally, each password would be randomly generated. Avoid password re-use.
|
|
Enrollment |
PFX |
Require Custom Friendly Name |
If set to True, requires the user to enter a custom friendly name for the certificate. The default value is False. Note: If Require Custom Friendly Name is enabled, Allow Custom Friendly Name must also be enabled to place the custom friendly name field on the PFX enrollment page.
|
| Enrollment | PFX | Enable Legacy Encryption |
If set to True, the historical algorithm set (3DES/SHA1/RC2) is used for PFX enrollments. If set to False, the newer algorithm set provided by Windows (AES256/SHA256/AES256) is used instead. The default value is False. Important: This must be set to True if you plan to install the resulting PFX file on a server running Windows Server 2016.
|
Application Settings: Agents Tab
Figure 337: Agents Application Settings
Table 23: Agents Application Settings
|
Tab |
Section |
Field |
Description |
|---|---|---|---|
|
Agents |
General |
Job Failures and Warnings Age Out (days) |
The number of days orchestrator job failures and warnings should be included in the count of failures on the orchestrator job history tab. The default value is 7. |
|
Agents |
General |
Certificate Authority For Submitted CSRs |
The certificate authority used for reenrollment requests made from the Certificate Stores page. See Certificate Store Reenrollment. |
|
Agents |
General |
Heartbeat Interval (minutes) |
The frequency, in minutes, with which an orchestrator (e.g. Keyfactor Universal Orchestrator, Keyfactor Java Agent or Keyfactor Mac Auto-Enrollment Agent) should query the Keyfactor Command orchestrator server for a status on the accuracy of its jobs list. The default value is 5. |
|
Agents |
General |
Notification Alert Email Recipients | The email address(es) to receive notification. |
|
Agents |
General |
Notification Alert Interval (minutes) | The timer service has a job that runs based on this application setting. If an orchestrator has not checked in between job runs, an email alert is sent to the configured recipients stating which orchestrator has not been seen. |
|
Agents |
General |
Send Entropy during on device key generation (ODKG/Reenrollment) |
Whether the configure call returns the property Entropy containing 2048 bytes. This property is optional via this app setting. The default is false on upgrades and new installs. |
|
Agents |
General |
Registration Check Interval (minutes) |
The frequency, in minutes, with which an orchestrator should check with the Keyfactor Command server to see if it has been approved as an orchestrator. The default value is 30. |
|
Agents |
General |
Registration Handler Timeout (seconds) |
The maximum number of seconds an auto-registration handler is allowed to attempt to run before being halted and declared to be deferred. The default value is 90 for more recently installed systems. Keyfactor recommends using a value of at least 60 seconds. |
| Agents | General | Number of times a job will retry before reporting failure | The number of times an orchestrator job will attempt to retry running if it encounters an error before failing. The default value is 5. |
| Agents | General | Revoke old Client Auth Certificate | If set to True, revokes the previous certificate used for orchestrator client certificate authentication after the certificate has successfully been renewed using the client certificate authentication renewal extension. The default value is True. |
|
Agents |
General |
Session Length (minutes) |
The frequency, in minutes, with which an orchestrator renews its session with the Keyfactor Command server and obtains a new session token in the absence of any other reason for the orchestrator to renew the session token. The session token is also renewed when an orchestrator job changes (e.g. an inventory schedule changes, a certificate is scheduled for addition to a certificate store, or a certificate is scheduled for removal from a store) or the orchestrator is restarted. The default value is 1380. |
|
Agents |
General |
Template For Submitted CSRs |
The template used for reenrollment requests made from the Certificate Stores page. See Certificate Store Reenrollment. The template selected for this value must be available for enrollment against the CA listed in the Certificate Authority For Submitted CSRs setting. |
| Agents | Authentication | Always Use Certificate from Header | If set to True, the orchestrator will be authenticated using the client certificate provided in the header from the orchestrator rather than client certificate used to make the connection to Keyfactor Command. This is useful in configurations where one certificate is used to authenticate the orchestrator to a proxy and a second certificate is used to authenticate the proxy to Keyfactor Command. The original certificate from the orchestrator can be preserved in the header to present to Keyfactor Command for authentication. The default value is False. |
|
Agents |
F5 |
Ignore Server SSL Warnings |
If set to True, the orchestrator will connect to the F5 device using SSL even if it detects a problem with the certificate on the F5 device (e.g. it doesn’t trust the issuer of the certificate because the certificate is self-signed). This option applies only to the F5 methods based on the F5 SOAP API (see Certificate Stores). The F5 methods based on the F5 iControl REST API automatically ignore SSL warnings without the need to set this option. The default value is False. |
|
Agents |
SSL |
SSL Maximum Discovery Job Size |
The maximum number of endpoints for scanning that will be assigned to any one orchestrator for a given discovery scan job part. Together with the SSL Scan Job Timeout setting, this can be used to fine tune the running of SSL discovery scan jobs. The default value is 16,384. Note: A change made to this setting takes effect with the next discovery scan job. It does not affect currently running jobs.
|
|
Agents |
SSL |
SSL Maximum Email Results |
The maximum number of results to display in an SSL monitoring results email message table of certificates that have expired or are expiring shortly. The default value is 500. |
|
Agents |
SSL |
SSL Maximum Monitoring Job Size |
The maximum number of endpoints for scanning that will be assigned to any one orchestrator for a given monitoring scan job part. Together with the SSL Scan Job Timeout setting, this can be used to fine tune the running of SSL monitoring scan jobs. The default value is 16,384. Note: A change made to this setting takes effect with the next monitoring scan job. It does not affect currently running jobs.
|
|
Agents |
SSL |
Retain SSL Endpoint History (days) |
The number of days old an endpoint history record must be before it is available for deletion by the endpoint history cleanup process. Endpoint history records older than this will be retained if they are the last records for the given endpoint. Both the last discovery and last monitoring records will be retained regardless of age. The default value is 30. |
|
Agents |
SSL |
SSL Scan Job Timeout (minutes) |
The maximum number of minutes any one orchestrator is allowed to attempt to run an SSL scan job before the job for that orchestrator is abandoned and given to the next orchestrator in the orchestrator pool to run (if applicable). The default value is 180. Note: A change made to this setting takes effect immediately. It applies to currently running jobs as well as future jobs.
|
|
Agents |
SSL |
SSL Scan User Agent |
Defines what is sent to endpoints when Request Robots.txt is enabled on a SSL Network. |
Application Settings: API Tab
Figure 338: API Application Settings
Table 24: API Application Settings
|
Tab |
Section |
Field |
Description |
|---|---|---|---|
|
API |
General |
Allow Deprecated API Calls |
If set to False, API applications will not be able to access earlier versions of API methods or other legacy API methods that have been replaced or updated. Many of the updated methods offer additional security measures, so this setting can reduce the risk of unauthorized API access, but may cause API applications written against these earlier versions to stop functioning correctly. If you do not have any such applications, this should be set to False. The default is True. For more information, see Versioning in the Keyfactor API Reference Guide. |
|
API |
General |
API Throttling Interval (seconds) |
The maximum rate at which API applications can make requests to the API. A larger value will mitigate risks from certain denial of service and brute-force/dictionary attacks, but will limit the performance of applications needing to make multiple API calls. This can be set to zero to disable throttling. |
|
API |
Certificate Enrollment |
Authorization Token Timeout |
This is considered deprecated and may be removed in a future release. |
| API | Certificate Enrollment | Reverse Legacy Enrollment Chain Order |
This is considered deprecated and may be removed in a future release. |
Application Settings: SSH Tab
Figure 339: SSH Settings
Table 25: SSH Application Settings
|
Tab |
Section |
Field |
Description |
|---|---|---|---|
|
SSH |
General |
Key Lifetime (days) |
The number of days for which an SSH key generated through My SSH Key (see Generating a New Key) or Service Account Keys (see Creating a Service Account Key) is considered valid. The default is 365 days. |
| SSH | General | SSH Key Password |
The regular expression against which the password entered when creating, rotating or downloading keys for both user SSH keys (My SSH Key) and service account SSH keys (Service Account Keys) will be validated. The default is a minimum of 12 characters configured as: ^.{12,}$
|
| SSH | General | SSH Key Password Error Message | The error message displayed to the user in the relevant SSH pages of the Keyfactor Command Management Portal when the password referenced does not match the regular expression defined for the password using the SSH Key Password setting. |
Application Settings: Workflow Tab
Figure 340: Workflow Settings
Table 26: Workflow Application Settings
|
Tab |
Section |
Field |
Description |
|---|---|---|---|
|
Workflow |
General |
Workflow Step Run Timeout (seconds) |
The number of seconds a workflow instance step will be allowed to run before timing out and setting the instance to a status of Failed. The default is 60 seconds. |
| Workflow | General | Instance Cleanup Days | The number of days to retain completed workflow instances (successful or failed) before they are purged. The cleanup job runs daily at midnight. The default value is 14. |
) next to the