GET Enrollment Patterns Settings

The GET /EnrollmentPatterns/Settings method is used to retrieve the system-wide enrollment Certificate enrollment refers to the process by which a user requests a digital certificate. The user must submit the request to a certificate authority (CA). pattern policy settings. This method returns HTTP 200 OK on a success with details about the system-wide enrollment pattern policy settings. This method has no input parameters other than the standard headers (see Endpoint Common Features).

Tip: Enrollment pattern policies may also be set for an individual enrollment pattern to apply only to that enrollment pattern (see POST Enrollment Patterns). Enrollment pattern policies set at the individual enrollment pattern level take precedence over policies set at the global level.

Tip: The following permissions (see Security Roles and Claims) are required to use this feature:

/enrollment_pattern/read/

Table 480: GET Enrollment Patterns Settings Response Data

Name In Description

Regexes

Body

An array of objects containing the system-wide enrollment pattern regular expression settings. These apply to all enrollments that are not otherwise overridden by enrollment pattern settings, including those that do not use an enrollment pattern (e.g. from a standalone CA). Show regular expression settings.

Name Description

Subject Part A string indicating the portion of the subject the regular expression applies to (e.g. CN).

RegEx

A string specifying the regular expression against which data entered in the indicated subject part field (e.g. CN) in the enrollment pages of the Keyfactor Command Management Portal or using an API enrollment method will be validated.

Use the GET /EnrollmentPatterns/SubjectParts method (see GET Enrollment Patterns Subject Parts) to retrieve a list of all the supported subject parts.

Show regular expression examples.

Subject Part	Example
CN (Common Name)	This regular expression specifies that the data entered in the field must consist of 1 to 63 characters in the first portion of the field made up only of lowercase letters, uppercase letters, numbers, periods, and/or hyphens (but not at the beginning or end of sections or duplicated) followed by exactly .keyexample.com: Copy `^(?!-)(?!.--)[A-Za-z0-9-]{1,63}(?<!-)(\.[A-Za-z0-9-]{1,63})\.keyexample\.com$` The default value for the Common Name regular expression is: Copy `.+` This requires entry of at least one character in the Common Name field in the enrollment pages.
O (Organization)	This regular expression requires that the organization name entered in the field be one of “Key Example Inc”, “Key Example” or “Key Example Inc.”: Copy `^(?:Key Example Inc\|Key Example\|Key Example, Inc\.)$` The period in the final company name (Key Example, Inc.) needs to be escaped in the regular expression with a slash ("\") but the comma does not.
OU (Organization Unit)	This regular expression requires that the organizational unit entered in the field be one of these four departments: Copy `^(?:IT\|HR\|Accounting\|E-Commerce)$`
L (City/ Locality)	This regular expression requires that the city entered in the field be one of these five cities: Copy `^(?:Boston\|Chicago\|New York\|London\|Dallas)$`
ST (State/ Province)	This regular expression requires that the state entered in the field be one of these eight states: Copy `^(?:Massachusetts\|Illinois\|New York\|Ontario\|Texas)$`
C (Country)	This regular expression requires that the country entered in the field be either US or CA: Copy `^(?:US\|CA)$`
E (Email)	This regular expression specifies that the data entered in the field must consist of some number of characters prior to the “@” made up only of lowercase letters, uppercase letters, numbers, periods, underscores, percent signs, apostrophes, plus signs, and/or hyphens followed by exactly “@keyexample.com”: Copy `^[A-Za-z0-9._%'+-]+@keyexample\.com$`
DNS (Subject Alternative Name: DNS Name)	This regular expression specifies that the data entered in the field must consist of 1 to 63 characters in the first portion of the field made up only of lowercase letters, uppercase letters, numbers, periods, and/or hyphens (but not at the beginning or end of sections or duplicated) followed by exactly either “.keyexample1.com” or “.keyexample2.com”: Copy `^(?!-)(?!.--)[A-Za-z0-9-]{1,63}(?<!-)(\.[A-Za-z0-9-]{1,63})\.(keyexample\.com\|keyexample2\.com)$`
IPv4 (Subject Alternative Name: IPv4 Address)	This regular expression specifies that the data entered in the field must be exactly “130.101.” followed by a value between 0 and 255, followed by “.”, followed a value between 0 and 255: Copy `^130\.101\.(?:[0-9]\|[1-9][0-9]\|1[0-9]{2}\|2[0-4][0-9]\|25[0-5])\.(?:[0-9]\|[1-9][0-9]\|1[0-9]{2}\|2[0-4][0-9]\|25[0-5])$` This regular expression specifies only that the IPv4 address is made up of 4 sets of values between 0 and 255 separated by periods: Copy `^(?:[0-9]{1,2}\|1[0-9]{2}\|2[0-4][0-9]\|25[0-5])\.(?:[0-9]{1,2}\|1[0-9]{2}\|2[0-4][0-9]\|25[0-5])\.(?:[0-9]{1,2}\|1[0-9]{2}\|2[0-4][0-9]\|25[0-5])\.(?:[0-9]{1,2}\|1[0-9]{2}\|2[0-4][0-9]\|25[0-5])$`
IPv6 (Subject Alternative Name: IPv6 Address)	This regular expression specifies that the data entered in the field must be made up of up to eight sets of between one and four numbers and/or uppercase letters separated by colons: Copy `^([A-F0-9]{1,4}:){1,7}([A-F0-9]{1,4})?(\:\:([A-F0-9]{1,4}:){0,6}[A-F0-9]{1,4})?$` This regular expression optionally matches a shorthand “::” that can replace one or more groups of zero segments, allowing the address to use shorthand notation.
MAIL (Subject Alternative Name: Email)	This regular expression specifies that the data entered in the field must consist of some number of characters prior to the “@” made up only of lowercase letters, uppercase letters, numbers, periods, underscores, percent signs, apostrophes, plus signs, and/or hyphens followed by exactly “@keyexample.com”: Copy `^[A-Za-z0-9._%'+-]+@keyexample\.com$`
UPN (Subject Alternative Name: User Principal Name)	This regular expression specifies that the data entered in the field must consist of between 1 and 64 characters prior to the “@” made up only of lowercase letters, uppercase letters, numbers, apostrophes, underscores, spaces, and/or hyphens followed by exactly “@keyexample.com”: Copy `^[A-Za-z0-9'_ -]{1,64}@keyexample\.com$`

Error

A string specifying the error message displayed to the user when the subject part referenced in the CSR or entered for a PFX enrollment does not match the given regular expression.

Note: The error message already includes a leading string with the subject part (e.g. “Common Name:” or “Invalid CN provided:” depending on the interface used). Your custom message follows this.

CaseSensitive A Boolean that sets the validation for the field to be case-sensitive (true) or not (false). If the subject part does not match the expected case, the value specified by the Error parameter will display. If the CaseSensitive option is disabled, even if the regular expression contains requirements to enforce case, the case requirement will not be enforced.

Defaults

Body

An array of objects containing the system-wide enrollment pattern default settings. These apply to all enrollments that are not otherwise overridden by individual enrollment pattern settings, including those that do not use an enrollment pattern (e.g. from a standalone CA). Show enrollment pattern default details.

Note: See also the Subject Format application setting, which takes precedence over enrollment defaults at both the system-wide and enrollment pattern level (see Application Settings: Enrollment Tab) but does not apply to enrollment requests done through the Keyfactor API.

Policies

Body

An object containing the system-wide enrollment pattern policy settings. These apply to all enrollments that are not otherwise overridden by individual enrollment pattern settings, including those that do not use an enrollment pattern (e.g. from a standalone CA). Show enrollment pattern policy details.

Name

Description

Allow Key Reuse

A Boolean that indicates whether private key reuse is allowed (true) or not (false). This option applies to certificate renewals.

Allow Wildcards

A Boolean that indicates whether wildcards are allowed (true) or not (false).

RFC Enforcement

A Boolean that indicates whether RFC 2818 compliance enforcement is enabled (true) or not (false). When this option is set to true, certificate enrollments made through Keyfactor Command for this enrollment pattern must include at least one DNS SAN. In the Keyfactor CommandManagement Portal, this causes the following behavior:

PFX Enrollment: The CN entered in PFX enrollment is automatically replicated as a DNS SAN, which the user does not see and cannot change.
CSR Enrollment: For CSR enrollment, if the CSR does not have a SAN that matches the CN, one will automatically be added to the certificate. The user enrolling does not see this and cannot change it.
CSR Generation: The CN entered in CSR generation will be automatically replicated as a DNS SAN and set to read only.

The default is true.

Certificate Owner Role

An integer indicating the certificate owner role setting. The supported values are:

0 - Optional
1 - Required
2 - Hidden

Required is enforced for PFX and CSR enrollment in both the Management Portal and Keyfactor API. Hidden applies to PFX and CSR enrollment in the Management Portal.

Default Certificate Owner Role Id

An integer indicating the Keyfactor Command reference ID of the security role assigned as the default certificate owner for certificates enrolled or imported via synchronization or scanning.

Default Certificate Owner Role Name

A string indicating the name of the security role assigned as the default certificate owner for certificates enrolled or imported via synchronization or scanning.

KeyInfo

An object containing the supported key types along with the bit lengths and/or curves for the key types as appropriate. Show key info details.

Name	Description
ECDSA	An object containing two arrays: bit_lengths: An array of integers indicating the key sizes supported for enrollment through Keyfactor Command. curves: An array of strings indicating the elliptic curve algorithms that are supported for enrollment through Keyfactor Command.
RSA	An object containing two arrays: bit_lengths: An array of integers indicating the key sizes supported for enrollment through Keyfactor Command. curves: There are no curves for this type of key.
Ed448	An object containing two arrays: bit_lengths: An array of integers indicating the key sizes supported for enrollment through Keyfactor Command. curves: There are no curves for this type of key.
Ed25519	An object containing two arrays: bit_lengths: An array of integers indicating the key sizes supported for enrollment through Keyfactor Command. curves: There are no curves for this type of key.

Tip: See the Keyfactor API Reference and Utility which provides a utility through which the Keyfactor API

An API is a set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command. endpoints can be called and results returned. It is intended to be used primarily for validation, testing and workflow

A workflow is a series of steps necessary to complete a process. In Keyfactor Command, it refers to the workflow builder, which allows you to automate event-driven tasks such as when a certificate is requested, revoked or found in a certificate store. development. It also serves secondarily as documentation for the API. The link to the Keyfactor API Reference and Utility is in the dropdown from the help icon (

) at the top of the Management Portal page next to the Log Out button.

Version v25.1

On this page: