Documentation Suite v11.5.6

Submit Search

GET Templates

The GET /Templates method is used to retrieve one or more templates from Keyfactor Command. Results can be limited to selected templates using filtering, and URL parameters can be used to specify paging and the level of information detail. This method returns HTTP 200 OK on a success with details about the specified templates.

Tip: The following permissions (see Security Roles and Claims) are required to use this feature:

/certificate_templates/read/

Table 785: GET Templates Input Parameters

Name	In	Description
QueryString	Query	A string containing a query to limit the results (e.g. field1 -eq value1 AND field2 -gt value2). The default is to return all records. Fields available for querying through the API for the most part match those that appear in the Keyfactor Command Management Portal search dropdowns for the same feature. For querying guidelines, refer to: Using the Template Search Feature. The query fields supported for this endpoint are: AllowedEnrollmentType (1-PFX Enrollment, 2-CSR Enrollment, 3-CSR Generation, 0-None) ConfigurationTenant DisplayName ForestRoot (deprecated) FriendlyName HasPrivateKeyRetention (True, False) IsDefaultTemplate (True, False) ShortName Tip: To filter out all the built-in Active Directory templates and display only your custom templates, use the following query: IsDefaultTemplate -eq "false" To filter out all templates that are not configured for either PFX Enrollment or CSR Enrollment, use the following query: AllowedEnrollmentType -eq "3" A value of 1 will filter out all templates except those configured for PFX Enrollment. A value of 2 will filter out all templates except those configured for CSR Enrollment.
PageReturned	Query	An integer that specifies how many multiples of the returnLimit to skip and offset by before returning results, to enable paging. The default is 1.
ReturnLimit	Query	An integer that specifies how many results to return per page. The default is 50.
SortField	Query	A string containing the property by which the results should be sorted. Fields available for sorting through the API for the most part match those that appear as sortable columns in the Keyfactor Command Management Portal. The default sort field is CommonName.
SortAscending	Query	An integer that sets the sort order on the returned results. A value of 0 sorts results in ascending order while a value of 1 sorts results in descending order. The default is ascending.

Table 786: GET Templates Response Data

Name Description

Id An integer indicating the ID of the template in Keyfactor Command.

Common Name A string containing the common name (short name) of the template. This name typically does not contain spaces. For a template created using a Microsoft management tool, this will be the Microsoft template name. For a template generated for an EJBCA CA, this will be built using a naming scheme of <end entity profile name>_<certificate profile name>. This field is populated based on information retrieved from the CA and is not configurable.

Template Name A string containing the name of the template. For a template created using a Microsoft management tool, this will be the Microsoft template display name. For a template generated for an EJBCA CA, this will be built using a naming scheme of <end entity profile name> (<certificate profile name>). This field is populated based on information retrieved from the CA and is not configurable.

Oid A string containing the object ID of the template in Active Directory. For Microsoft templates, this field is populated from Active Directory. For EJBCA templates, this field is generated within Keyfactor Command as an object identifier, but does not follow official OID conventions. The field is not configurable.

KeySize A string indicating the minimum supported key size of the template as returned by the CA. This value is calculated based on the algorithms provided in the template from the CA (see KeyAlgorithms). The algorithm key types and sizes are evaluated in order (RSA, ECC, Ed448, and Ed25519) and from these, the minimum type and size is determined. For example, if the template supports RSA, Ed448, and Ed25519, the minimum key type will be evaluated to RSA. Then for that algorithm, the minimum key size returned by the CA will be selected (e.g. 2048 if 2048 and 4096 are returned for RSA). See the KeyAlgorithms field for the complete list of supported key sizes and types. The field is not configurable.

KeyType A string indicating the key type of the template as returned by the CA. See details under KeySize. See the KeyAlgorithms field for the complete list of supported key sizes and types. The field is not configurable.

Forest Root

A string indicating the forest root of the template. For Microsoft templates, this field is populated from Active Directory and is not configurable.

Note: The ForestRoot has been replaced by the ConfigurationTenant from release 10, but is retained for backwards compatibility.

Configuration Tenant A string indicating the configuration tenant of the template. For Microsoft templates, this field is populated from Active Directory. For EJBCA templates, this field is populated from the Keyfactor Command CA record. The field is not configurable.

Friendly Name A string indicating the Keyfactor Command friendly name of the template. Template friendly names, if configured, appear in the dropdowns for PFX enrollment, CSR enrollment, and CSR generation in place of the template names. This can be useful in environments where the template names are long or not very human readable.

Key Retention

A string indicating the type of key retention certificates enrolled with this template will use to store their private key in Keyfactor Command. Show key retention details.

Value	Description
None	The private key will not be retained.
Indefinite	The private key will be retained until it is explicitly deleted.
After Expiration	The private key will be retained until the specified number of days after the certificate expires (KeyRetentionDays), at which point it will be scheduled for deletion.
From Issuance	The private key will be retained until the specified number of days after the date on which the certificate was issued (KeyRetentionDays), at which point it will be scheduled for deletion.

Key Retention Days An integer indicating the number of days a certificate’s private key will be retained in Keyfactor Command before being scheduled for deletion, if private key retention is enabled.

Key Archival

A Boolean indicating whether the template has been configured with the key archival setting in Active Directory (true) or not (false). This is a reference field and is not configurable.

Enrollment Fields

An object containing custom enrollment fields. These are configured on a per-template basis to allow you to submit custom fields with CSR enrollments and PFX enrollments to supply custom request attributes to the CA during the enrollment process. This functionality offers such benefits as:

Preventing users from requesting invalid certificates, based on your specific certificate requirements per template.
Providing additional information to the CA with the CSR.

Once created on the template, these values are shown in Keyfactor Command on the PFX and CSR enrollment pages in the Additional Enrollment Fields section. The fields are mandatory during enrollment. The data will appear on the CA / Issued Certificates attribute tab for certificates enrolled with a template configured with Keyfactor Command enrollment fields.

Note: These are not metadata fields, so they are not stored in the Keyfactor Command database, but simply passed through to the CA. The CA in turn could, via a gateway or policy module, use this data to perform required actions.

Show enrollment field details.

Name

Description

An integer indicating the ID of the custom enrollment field.

Name

A string indicating the name of the custom enrollment field. This name will appear on the enrollment pages.

Options

For multiple choice values, an array of strings containing the value choices.

DataType

An integer indicating the parameter type. The options are:

Value	Description
1	String: A free-form data entry field.
2	Multiple Choice: Provides a list of acceptable values for the field. The multiple choice values are provided in the Options parameter.

Allowed Enrollment Types

An integer indicating the type of enrollment allowed for the certificate template. Setting these options causes the template to appear in dropdowns in the corresponding section of the Management Portal. In the case of CSR Enrollment and PFX Enrollment, the templates only appear in dropdowns on the enrollment pages if they are available for enrollment from a CA also configured for enrollment within Keyfactor Command. See Adding or Modifying a CA Record for more information. Show allowed enrollment type details.

Value	Description
0	None
1	PFX Enrollment
2	CSR Enrollment
3	CSR Enrollment & PFX Enrollment
4	CSR Generation
5	CSR Generation & PFX Enrollment
6	CSR Generation & CSR Enrollment
7	CSR Enrollment, PFX Enrollment & CSR Generation

Template Regexes

An array of objects containing individual template-level regular expressions against which to validate the subject data. Regular expressions defined on a template apply to enrollments made with that template only. Template-level regular expressions, if defined, take precedence over system-wide regular expressions. For more information about system-wide regular expressions, see GET Templates Settings.

Name Description

Template Id In integer indicating the Keyfactor Command reference ID of the certificate template the regular expression is associated with.

Subject Part A string indicating the portion of the subject the regular expression applies to (e.g. CN).

RegEx

A string specifying the regular expression against which data entered in the indicated subject part field (e.g. CN) in the enrollment pages of the Keyfactor Command Management Portal or using an API enrollment method will be validated.

Use the GET /Templates/SubjectParts method (see GET Templates Subject Parts) to retrieve a list of all the supported subject parts.

Show regular expression examples.

Subject Part	Example
CN (Common Name)	This regular expression specifies that the data entered in the field must consist of some number of characters in the first portion of the field made up only of lowercase letters, uppercase letters, numbers, apostrophes, underscores, periods, and/or hyphens followed by exactly .keyexample.com: Copy `^[a-zA-Z0-9'_\.\-]*\.keyexample\.com$` The default value for the Common Name regular expression is: Copy `.+` This requires entry of at least one character in the Common Name field in the enrollment pages.
O (Organization)	This regular expression requires that the organization name entered in the field be one of “Key Example Inc”, “Key Example” or “Key Example Inc.”: Copy `^(?:Key Example Inc\|Key Example\|Key Example, Inc\.)$` The period in the final company name (Key Example, Inc.) needs to be escaped in the regular expression with a slash ("\") but the comma does not.
OU (Organization Unit)	This regular expression requires that the organizational unit entered in the field be one of these four departments: Copy `^(?:IT\|HR\|Accounting\|E-Commerce)$`
L (City/ Locality)	This regular expression requires that the city entered in the field be one of these five cities: Copy `^(?:Boston\|Chicago\|New York\|London\|Dallas)$`
ST (State/ Province)	This regular expression requires that the state entered in the field be one of these eight states: Copy `^(?:Massachusetts\|Illinois\|New York\|Ontario\|Texas)$`
C (Country)	This regular expression requires that the country entered in the field be either US or CA: Copy `^(?:US\|CA)$`
E (Email)	This regular expression specifies that the data entered in the field must consist of some number of characters prior to the “@” made up only of lowercase letters, uppercase letters, numbers, apostrophes, underscores, periods, and/or hyphens followed by exactly “@keyexample.com”: Copy `^[a-zA-Z0-9'_\.\-]*@keyexample\.com$`
DNS (Subject Alternative Name: DNS Name)	This regular expression specifies that the data entered in the field must consist of some number of characters in the first portion of the field made up only of lowercase letters, uppercase letters, numbers, apostrophes, underscores, periods, and/or hyphens followed by exactly either “.keyexample1.com” or “.keyexample2.com”: Copy `^[a-zA-Z0-9'_\.\-]*\.(?:keyexample1\.com\|keyexample2\.com)$`
IPv4 (Subject Alternative Name: IPv4 Address)	This regular expression specifies that the data entered in the field must be exactly “130.101.” followed by anywhere between 1 and 3 numbers followed by exactly “.” followed by anywhere between 1 and 3 numbers: Copy `^130\.101\.(?:[0-9]{1,3})\.(?:[0-9]{1,3})$` This regular expression specifies only that the IPv4 address is made up of 4 sets of between 1 and 3 numbers separated by periods: Copy `^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$`
IPv6 (Subject Alternative Name: IPv6 Address)	This regular expression specifies that the data entered in the field must be made up of eight sets of between one and four numbers and/or uppercase letters separated by colons: Copy `^(?:[A-F0-9]{1,4}:){7}[A-F0-9]{1,4}$`
MAIL (Subject Alternative Name: Email)	This regular expression specifies that the data entered in the field must consist of some number of characters prior to the “@” made up only of lowercase letters, uppercase letters, numbers, apostrophes, underscores, periods, and/or hyphens followed by exactly “@keyexample.com”: Copy `^[a-zA-Z0-9'_\.\-]*@keyexample\.com$`
UPN (Subject Alternative Name: User Principal Name)	This regular expression specifies that the data entered in the field must consist of some number of characters prior to the “@” made up only of lowercase letters, uppercase letters, numbers, apostrophes, underscores, periods, and/or hyphens followed by exactly “@keyexample.com”: Copy `^[a-zA-Z0-9'_\.\-]*@keyexample\.com$`

Error

A string specifying the error message displayed to the user when the subject part referenced in the CSR or entered for a PFX enrollment does not match the given regular expression.

Note: The error message already includes a leading string with the subject part (e.g. “Common Name:” or “Invalid CN provided:” depending on the interface used). Your custom message follows this.

Use Allowed Requesters A Boolean that indicates whether the Restrict Allowed Requesters option should be enabled (true) or not (false). The Restrict Allowed Requesters option is used to select Keyfactor Command security roles that a user must belong to in order to successfully enroll for certificates in Keyfactor Command using this template. This is typically used for EJBCA templates and Microsoft templates that are not in the local Active Directory forest, since in these cases, Keyfactor Command cannot make use of the access control model of the CA itself to determine which users can enroll for certificates; this setting replaces that functionality. This setting is similar to setting request certificates for the selected security roles at the template level on a Microsoft CA. In addition to granting permissions at the template level, you need enable the Restrict Allowed Requesters option to grant permissions at the CA level. See Adding or Modifying a CA Record for more information.

Allowed Requesters

An array of strings containing the list of Keyfactor Command security roles—as strings—that have been granted enroll permission on the template.

Display Name A string indicating the Keyfactor Command display name of the template. If a template friendly name is configured, this is used as the display name. If not, the template name is used. The display name appears in the dropdowns for PFX enrollment, CSR enrollment, and CSR generation. The display name is a generated field and is not directly configurable.

Requires Approval

A Boolean indicating whether the template has been configured with the Microsoft CA certificate manager approval option enabled (true) or not (false).

Important: Any templates that are configured on the Microsoft CA Issuance Requirements tab for CA certificate manager approval cannot be used for enrollment and associated alerting in Keyfactor Command without configuring private key retention. Any of the enabled private key retention settings (settings other than none as described for KeyRetention) will allow a template requiring manager approval to work with Keyfactor Command PFX and CSR enrollment.

Figure 442: Microsoft Issuance Requirements on a Template for Manager Approval

Key Usage

An integer indicating the total key usage of the certificate. Key usage is stored in Active Directory as a single value made of a combination of values. Show value details.

Value	Function	Description
0	None	No key usage parameters.
1	Encipherment Only	The key can be used for encryption only.
2	CRL Signing	The key can be used to sign a certificate revocation list (CRL).
4	Key Certificate Signing	The key can be used to sign certificates.
8	Key Agreement	The key can be used to determine key agreement, such as a key created using the Diffie-Hellman key agreement algorithm.
16	Data Encipherment	The key can be used for data encryption.
32	Key Encipherment	The key can be used for key encryption.
64	Nonrepudiation	The key can be used for authentication.
128	Digital Signature	The key can be used as a digital signature.
32768	Decipherment Only	The key can be used for decryption only.

For example, a value of 160 would represent a key usage of digital signature with key encipherment. A value of 224 would add nonrepudiation to those.

Extended Key Usages

An array of objects containing the extended key usage information for the template. This field is populated from the CA and is not configurable. Show extended key usage details.

Name	Description
Id	An integer indicating the ID of the extended key usage in Active Directory.
Oid	A string containing the object ID of the extended key usage.
Display Name	A string specifying the display name of the extended key usage (e.g. Server Authentication).

Allow One Click Renewals

A Boolean indicating whether One-Click Renewal will be allowed for certificate renewals requested with this template (true) or not (false).

If you wish to use One-Click Renewal for certificates, the Allow One-Click Renewals option must be enabled in both the templates and CAs to which you want One-Click Renewal to apply (see Certificate Template Operations and Adding or Modifying a CA Record). For more information about one-click renewals, see Renew.

KeyTypes A string containing a comma-delimited list of the key sizes and types supported for the template returned from the CA as they are displayed in the Management Portal templates grid. Possible values include RSA 2048, ECC P-384, Ed25519, and Ed448.

Tip: See the Keyfactor API Reference and Utility which provides a utility through which the Keyfactor API

A set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command. endpoints can be called and results returned. It is intended to be used primarily for validation, testing and workflow

A workflow is a series of steps necessary to complete a process. In the context of Keyfactor Command, it refers to the workflow builder, which allows you automate event-driven tasks when a certificate is requested or revoked. development. It also serves secondarily as documentation for the API. The link to the Keyfactor API Reference and Utility is in the dropdown from the help icon (

) at the top of the Management Portal page next to the Log Out button.

Version v11.5.6

On this page: