The GET /Templates method is used to retrieve one or more templates from Keyfactor Command. Query parameters enable filtering using defined criteria, control over pagination by specifying the page number and return limit, and customization of sorting based on specified fields and order. This method returns HTTP 200 OK on a success with details about the specified templates.
Table 876: GET Templates Input Parameters
| Name | In | Description |
|---|---|---|
| QueryString | Query |
A string containing a query to limit the results (e.g. field1 -eq value1 AND field2 -gt value2). The default is to return all records. Fields available for querying through the API for the most part match those that appear in the Keyfactor Command Management Portal search dropdowns for the same feature. For querying guidelines, refer to: Using the Template Search Feature. The query fields supported for this endpoint are:
Tip: To filter out all the built-in Active Directory templates and display only your custom templates, use the following query:
IsDefaultTemplate -eq "false" To filter out all templates that are not configured for either PFX Enrollment or CSR Enrollment, use the following query: AllowedEnrollmentType -eq "3" A value of 1 will filter out all templates except those configured for PFX Enrollment. A value of 2 will filter out all templates except those configured for CSR Enrollment. |
| PageReturned | Query | An integer that specifies how many multiples of the returnLimit to skip and offset by before returning results, to enable paging. The default is 1. |
| ReturnLimit | Query | An integer that specifies how many results to return per page. The default is 50. Very large values can result in long processing time. |
| SortField | Query | A string containing the property by which the results should be sorted. Fields available for sorting through the API for the most part match those that appear as sortable columns in the Keyfactor Command Management Portal. The default sort field is CommonName. |
| SortAscending | Query | An integer that sets the sort order on the returned results. A value of 0 sorts results in ascending order while a value of 1 sorts results in descending order. The default is ascending. |
Table 877: GET Templates Response Data
| Name | Description |
|---|---|
| Allow One Click Renewals | A Boolean indicating whether One-Click Renewal will be allowed for certificate renewals requested with this template (true) or not (false). To use One-Click Renewal for certificates, the Allow One-Click Renewals option must be enabled in both the certificate templates and CAs to which you want One-Click Renewal to apply (see Certificate Template Operations |
| Allowed Enrollment Types |
An integer indicating the type of enrollment allowed for the certificate template. Note: This parameter is considered deprecated and may be removed in a future release.
|
| Allowed Requesters |
An array of strings containing the list of Keyfactor Command security roles—as strings—that have been granted enroll permission on the template. The Allowed Requesters list at the template level has been replaced by the Associated Roles list at the enrollment pattern level (see POST Enrollment Patterns). Note: This parameter is considered deprecated and may be removed in a future release.
|
| Common Name | A string containing the common name (short name) of the template. This name typically does not contain spaces. For a template created using a Microsoft management tool, this will be the Microsoft template name. For a template generated for an EJBCA CA, this will be built using a naming scheme of <end entity profile name>_<certificate profile name>. This field is populated based on information retrieved from the CA and is not configurable. |
| Configuration Tenant | A string indicating the configuration tenant of the template. For Microsoft templates, this field is populated from Active Directory. For EJBCA templates, this field is populated from the Keyfactor Command CA record. The field is not configurable. |
| Display Name | A string indicating the Keyfactor Command display name of the template. If a template friendly name is configured, this is used as the display name. If not, the template name is used. The display name appears in the dropdowns for PFX enrollment, CSR enrollment, and CSR generation. The display name is a generated field and is not directly configurable. |
| Enrollment Fields |
An object containing custom enrollment fields. This data is configured at the enrollment pattern level (see POST Enrollment Patterns). Note: This parameter is considered deprecated and may be removed in a future release.
|
| Extended Key Usages |
An array of objects containing the extended key usage information for the template. This field is populated from the CA and is not configurable. |
| Forest Root |
A string indicating the forest root of the template. For Microsoft templates, this field is populated from Active Directory and is not configurable. Note: The ForestRoot has been replaced by the ConfigurationTenant from release 10, but is retained for backwards compatibility.
|
| Friendly Name |
A string indicating the Keyfactor Command friendly name of the template. Note: This parameter is considered deprecated and may be removed in a future release.
|
| Id | An integer indicating the ID of the template in Keyfactor Command. |
| Key Archival |
A Boolean indicating whether the template has been configured with the key archival setting in Active Directory (true) or not (false). This is a reference field and is not configurable. |
| Key Retention |
A string indicating the type of key retention certificates enrolled with this template will use to store their private key in Keyfactor Command. |
| Key Retention Days | An integer indicating the number of days a certificate’s private key will be retained in Keyfactor Command before being scheduled for deletion, if private key retention is enabled. |
| Key Usage |
An integer indicating the total key usage of the certificate.
Key usage is stored in Active Directory as a single value made of a combination of values. For example, a value of 160 would represent a key usage of digital signature with key encipherment. A value of 224 would add nonrepudiation to those. |
| KeySize | A string indicating the minimum supported key size of the template as returned by the CA. This value is calculated based on the algorithms provided in the template from the CA (see KeyAlgorithms). The algorithm key types and sizes are evaluated in order (RSA, ECC, Ed448, and Ed25519) and from these, the minimum type and size is determined. For example, if the template supports RSA, Ed448, and Ed25519, the minimum key type will be evaluated to RSA. Then for that algorithm, the minimum key size returned by the CA will be selected (e.g. 2048 if 2048 and 4096 are returned for RSA). See the KeyAlgorithms field for the complete list of supported key sizes and types. The field is not configurable. |
| KeyType | A string indicating the key type of the template as returned by the CA. See details under KeySize. See the KeyAlgorithms field for the complete list of supported key sizes and types. The field is not configurable. |
| KeyTypes | A string containing a comma-delimited list of the key sizes and types supported for the template returned from the CA as they are displayed in the Management Portal templates grid. Possible values include RSA 2048, ECC P-384, Ed25519, and Ed448. |
| Oid | A string containing the object ID of the template in Active Directory. For Microsoft templates, this field is populated from Active Directory. For EJBCA templates, this field is generated within Keyfactor Command as an object identifier, but does not follow official OID conventions. The field is not configurable. |
| Requires Approval |
A Boolean indicating whether the template has been configured with the Microsoft CA certificate manager approval option enabled (true) or not (false). Important: Any templates that are configured on the Microsoft CA Issuance Requirements tab for CA certificate manager approval cannot be used for enrollment and associated alerting in Keyfactor Command without configuring private key retention. Any of the enabled private key retention settings (settings other than none as described for KeyRetention) will allow a template requiring manager approval to work with Keyfactor Command PFX and CSR enrollment.
Figure 622: Microsoft Issuance Requirements on a Template for Manager Approval |
| Template Name | A string containing the name of the template. For a template created using a Microsoft management tool, this will be the Microsoft template display name. For a template generated for an EJBCA CA, this will be built using a naming scheme of <end entity profile name> (<certificate profile name>). This field is populated based on information retrieved from the CA and is not configurable. |
| Template Regexes |
An array of objects containing individual template-level regular expressions against which to validate the subject data. This data is configured at the enrollment pattern level (see POST Enrollment Patterns). Note: This parameter is considered deprecated and may be removed in a future release.
|
| Use Allowed Requesters |
A Boolean that indicates whether the Restrict Allowed Requesters option should be enabled (true) or not (false). The Restrict Allowed Requesters option at the template level has been replaced by the Use AD Permissions option at the enrollment pattern level (see POST Enrollment Patterns). Note: This parameter is considered deprecated and may be removed in a future release.
|
An API is a set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command. endpoints can be called and results returned. It is intended to be used primarily for validation, testing and workflow A workflow is a series of steps necessary to complete a process. In Keyfactor Command, it refers to the workflow builder, which allows you to automate event-driven tasks such as when a certificate is requested, revoked or found in a certificate store. development. It also serves secondarily as documentation for the API. The link to the Keyfactor API Reference and Utility is in the dropdown from the help icon (
) at the top of the Management Portal page next to the Log Out button.