PFX Enrollment
The PFX Enrollment page provides the ability to submit a certificate request and download the resulting PFX certificate file. Given the power involved in allowing a user to generate his or her own subject name and automatically receive a certificate in this subject name, Keyfactor recommends that permissions for this feature are only given to very trusted users and/or that you consider making use of Keyfactor Command workflow with a RequireApproval step (see Adding, Copying or Modifying a Workflow Definition).


You can expand and collapse sections of the PFX enrollment page by clicking on the plus/minus icon to the left of each section title.
To request a certificate via PFX:
- In the Keyfactor Command Management Portal, browse to Enrollment > PFX Enrollment.
- If you are enrolling from an enterprise CA, select a certificate template from the Template dropdown. The templates are organized by configuration tenant (formerly known as forest). If you have multiple configuration tenants and templates with similar names, be sure to select the template in the correct configuration tenant. If you are enrolling from a standalone CA, check the Use a stand-alone CA box instead of selecting a template.
Figure 106: Select a Certificate Template
Note: The supported key algorithms for a certificate template are determined based on global template policy, individual template policy, and the template's supported algorithm. When configuring template-level policies for key information, only key sizes that are valid for the algorithm will be available, according to the global template policy, the template policy, and the supported key sizes. For PFX and CSR generation, you will be offered the option to select the Key Algorithm and Key Size for the enrollment in dropdowns if the selected template with applied policy settings supports more than one of these. If, after applying Keyfactor Command policy to the returned template, there is only one value for key algorithm and size, these dropdowns will be grayed out. If for some reason an algorithm comes back as supported but no key sizes are available, that algorithm should not appear. When selecting an ECC key size, the curve for that key size will be displayed.
Tip: The check box for stand-alone CAs only appears if you have a stand-alone CA configured for enrollment.
Figure 107: PFX Enrollment for Stand-Alone CA
Tip: If you select an ECC template, the elliptic curve algorithm for the template appears below the Template dropdown.
Figure 108: PFX Enrollment for ECC Template Displaying Elliptic Curve
- Select the Certificate Authority from which the certificate should be requested. Only CAs that have the selected template available for enrollment or are standalone, if you check the stand-alone CA box, will be shown.
Figure 109: PFX Enrollment
Note: If a system-wide or template-level regular expression exists for a subject part or SAN, and the subject part or SAN is left blank, the regular expression will be applied to an empty string for that part. For example, if you have a regular expression on organization, but do not supply an organization, the regular expression will be applied to a blank string as if that were supplied as the organization.
- In the Certificate Subject Information section of the page, populate the fields as appropriate for the certificate being requested. Although Keyfactor Command does not strictly require the Common Name, the product does ship with a default regular expression requiring a value for this field since it is typical for a CA to require this unless the template is set to populate the subject from Active Directory. This regular expression may have been altered in your environment (see the below note).
Note: Some subject fields may be automatically populated by system-wide or template-level enrollment defaults. You may override the system-populated data, if desired. Any system-wide or template-level regular expressions will be used to validate the data entered in the subject fields. System-wide or template-level policies will affect the request. For more information, see Certificate Template Operations. Subject data may also be overridden after an enrollment request is submitted either as part of a workflow (see Update Certificate Request Subject\SANs for Microsoft CAs) or using the Subject Format application setting (see Application Settings: Enrollment Tab).
- If enabled, add a friendly name in the Custom Friendly Name section of the page. This section only appears if the Allow Custom Friendly Name application setting is set to True. If the Require Custom Friendly Name application setting is set to True, a value is required in this field. For more information, see Application Settings: Enrollment Tab.
- In the Subject Alternative Names (SANs) section of the page, add SANs if needed. If the RFC 2818 compliance option has been enabled for the template (see Certificate Template Operations), the first SAN field will automatically populate with a DNS SAN matching the CN when you enter the CN and will be set to Read Only. Click the Add button to add SAN fields.
Important: If the template you selected has the RFC 2818 compliance setting enabled, the DNS name will be automatically populated with the Common Name (CN) and will be set to read only.
The SAN field supports:
- DNS name
- IP version 4 address
- IP version 6 address
- User Principal Name
- Email
Figure 110: PFX Enrollment: SAN Options
This field is not required unless the RFC 2818 compliance option has been configured in the template policy.
- If template-specific enrollment fields have been defined (see Enrollment Fields Tab) for the selected template, the fields will display in the Additional Enrollment Fields section. Additional enrollment fields have a data type of either string or multiple choice. String fields will appear as a text box; multiple choice fields will appear as a dropdown. All additional enrollment fields are required.
Figure 111: Populate Enrollment Fields
- In the Certificate Metadata section of the page, populate any defined certificate metadata fields (see Certificate Metadata and Certificate Template Operations) as appropriate for the template. These fields may be required or optional depending on your metadata configuration. Required fields will be marked with *Required next to the field label. Any completed values will be associated with the certificate once it has been imported into Keyfactor Command. The order in which the metadata fields appear can be changed (see Sorting Metadata Fields).
Figure 112: Populate Metadata Fields
- If enabled, in the Password section of the page, check the Use Custom Password box and enter and confirm a custom password to use in securing the PFX file. This section only appears if the Allow Custom Password application setting is set to True. The value in the Password Length field in application settings is shown for guidance when entering a password. For more information about both of these settings, see Application Settings: Enrollment Tab.
Figure 113: Set a Custom Password
- In the Certificate Delivery Format section of the page, select either Direct Download—to download the certificate immediately—or Install into Certificate Stores—to schedule the certificate to be added to a configured certificate store. If you do not have any configured certificate stores, the Install into Certificate Stores option will not appear.
- At the bottom of the page, click Enroll to begin the certificate request process.
- If the request completes successfully, you'll see a success message. When the certificate is enrolled and issued, the message will state the download format type, whether the private key was included in the downloaded certificate, and whether the certificate chain was included in the downloaded certificate. If the private key was not retained for the downloaded certificate, no password will be displayed and a message will state that the private key and certificate can be obtained from the certificate search page.
- You'll be prompted by your browser to begin download of your certificate unless you chose to install it directly into a certificate store. If you've configured PFX enrollment to use Windows authentication (the default) and have not selected the option to enter a custom password, you'll see a one-time password that has been generated to secure the PFX file. You will need this password in order to open the PFX file.
- If you've configured the Keyfactor Command Management Portal to use basic authentication and you've configured the Use Active Directory Password application setting option to True, the message will indicate that the PFX file can be opened using the Active Directory domain password of the user making the request. For more information about configuring basic authentication versus Windows authentication, see Application Settings: Enrollment Tab.
Figure 122: PFX Enrollment Completed Successfully—Network Password Used
Note: This option does not work when you authenticate to the Management Portal using Kerberos because Keyfactor Command does not have access to your credentials to apply your password to the PFX file.
- If the template you selected requires approval at the Keyfactor Command workflow level, you'll see a message that your request is suspended and is awaiting one or more approvals. The user(s) responsible for approving the request will be notified (if the workflow has been configured this way, see Adding, Copying or Modifying a Workflow Definition). You can use the My Workflows Created by Me tab (see Workflows Created by Me Operations) to check on the status of your request. If the Management Portal feature has been configured to send notification alerts when a certificate is issued following approval, you may receive an email message when your certificate is available for download. The email message may contain a download link. See Issued Certificate Request Alerts.
Figure 123: PFX Enrollment Completed Successfully—Awaiting Workflow Approval(s)
- If the template you selected requires manager approval at the CA level, you'll see a message that your request is pending. The user responsible for approving issuance of pending certificates will be notified (if that Management Portal feature is configured, see Pending Certificate Request Alerts). You can visit the Certificate Requests page (see Certificate Requests) to check on the status of your pending request and certificate search (see Certificate Search and Collections) to complete the certificate download. If the Management Portal feature has been configured to send notification alerts when a pending certificate request is approved or denied, you may receive an email message when your certificate is available for download. The email message may contain a download link. See Issued Certificate Request Alerts and Denied Certificate Request Alerts.
Figure 124: PFX Enrollment Completed Successfully—Pending Status
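The two validation rules the procedure above relies on (a subject-part or SAN regular expression is applied to an empty string when the part is left blank, and an RFC 2818 compliant template forces a read-only DNS SAN equal to the CN) are modelled below as an added illustration. This is not Keyfactor Command code or its API; the policy class, function names and full-match semantics are assumptions, and the sample policy and request are constructed.

```python
import re
from dataclasses import dataclass, field

# Hypothetical model of the enrollment checks described on this page.
# Not Keyfactor Command code; names and full-match semantics are assumed.


@dataclass
class TemplatePolicy:
    # Regex per subject part. The default mirrors the shipped rule that CN
    # must have a value (assumed to be evaluated as a full match).
    subject_regex: dict = field(default_factory=lambda: {"CN": r".+"})
    san_regex: dict = field(default_factory=dict)  # e.g. {"DNS": r"[a-z0-9.-]+"}
    rfc2818: bool = False


def validate_subject(policy: TemplatePolicy, subject: dict) -> list:
    """Return error strings; a blank or absent part is checked as '' (per the note)."""
    errors = []
    for part, pattern in policy.subject_regex.items():
        value = subject.get(part) or ""
        if re.fullmatch(pattern, value) is None:
            errors.append(f"{part}={value!r} does not match /{pattern}/")
    return errors


def effective_sans(policy: TemplatePolicy, subject: dict, sans: list) -> list:
    """RFC 2818 rule: the first SAN becomes a DNS SAN equal to the CN."""
    sans = [tuple(s) for s in sans]
    if policy.rfc2818 and subject.get("CN"):
        cn_san = ("DNS", subject["CN"])
        sans = [cn_san] + [s for s in sans if s != cn_san]
    return sans


def validate_sans(policy: TemplatePolicy, sans: list) -> list:
    """Apply any per-type SAN regex; types without a regex are not checked."""
    errors = []
    for san_type, value in sans:
        pattern = policy.san_regex.get(san_type)
        if pattern and re.fullmatch(pattern, value) is None:
            errors.append(f"{san_type} SAN {value!r} does not match /{pattern}/")
    return errors


def check_request(policy: TemplatePolicy, subject: dict, sans: list) -> tuple:
    """Return (accepted, errors, sans_as_submitted) for one enrollment request."""
    sans_out = effective_sans(policy, subject, sans)
    errors = validate_subject(policy, subject) + validate_sans(policy, sans_out)
    return (not errors, errors, sans_out)
```

With an organization regex configured and O left blank, the request is rejected because the regex runs against ''; a regex that admits the empty string (for example `(Example Corp)?`) makes the part optional.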