Dictionaries

Here is the list of available dictionary keys to use in computation rules, depending on the usage.

In notifications

Certificate dictionary

This dictionary is available for notifications on the following events:

  • on_enroll

  • on_revoke

  • on_update

  • on_recover

  • on_migrate

  • on_expire

  • on_renew

| Key | Description | Type | Available in Computation Rule |
|---|---|---|---|
| certificate.id | Horizon Id of the certificate | Single value | Yes |
| certificate.module | Module of the certificate | Single value | Yes |
| certificate.not_after | Expiration date of the certificate | Single value | Yes |
| certificate.not_before | Start date of the certificate | Single value | Yes |
| certificate.serial | Serial number of the certificate | Single value | Yes |
| certificate.thumbprint | Thumbprint of the certificate | Single value | Yes |
| certificate.public_key_thumbprint | Thumbprint of the public key of the certificate | Single value | Yes |
| certificate.revoked | true if the certificate is revoked, false otherwise | Single value | Yes |
| certificate.key_type | Key Type of the certificate | Single value | Yes |
| certificate.signing_algorithm | Signing Algorithm of the certificate | Single value | Yes |
| certificate.holder_id | Holder Id of the certificate | Single value | Yes |
| certificate.friendly_name | Friendly name of the certificate | Single value | Yes |
| certificate.pem | PEM Encoded certificate | Single value | Yes |
| certificate.profile | The profile of the certificate | Single value | Yes |
| certificate.revocation_date | The revocation date of the certificate | Single value | Yes |
| certificate.revocation_reason | The revocation reason of the certificate | Single value | Yes |
| certificate.dn | The Distinguished Name of the certificate | Single value | No |
| certificate.sans | All the SANs of the certificate, in <type>: <value> comma separated format | Single value | No |
| certificate.extensions | All the extensions of the certificate, in <type>: <value> comma separated format | Single value | No |
| certificate.metadata | All the metadata of the certificate, in <type>: <value> comma separated format | Single value | No |
| certificate.labels | All the labels of the certificate, in <name>: <value> comma separated format | Single value | No |
| certificate.metadata.<metadata name> | The value of metadata <metadata name> defined in the certificate | Single value | Yes |
| certificate.subject | The values of the certificate subject | Subject dictionary | Yes |
| certificate.san | The values of the certificate sans | Sans dictionary | Yes |
| certificate.extension | The values of the certificate extensions | Extensions dictionary | Yes |
| certificate.label | The values of the certificate label | Labels dictionary | Yes |

Request dictionary

This dictionary is available for notifications on the following events:

  • on_submit_enroll

  • on_cancel_enroll

  • on_approve_enroll

  • on_deny_enroll

  • on_pending_enroll

  • on_submit_revoke

  • on_cancel_revoke

  • on_approve_revoke

  • on_deny_revoke

  • on_pending_revoke

  • on_submit_update

  • on_cancel_update

  • on_approve_update

  • on_deny_update

  • on_pending_update

  • on_submit_recover

  • on_cancel_recover

  • on_approve_recover

  • on_deny_recover

  • on_pending_recover

  • on_submit_migrate

  • on_cancel_migrate

  • on_approve_migrate

  • on_deny_migrate

  • on_pending_migrate

  • on_submit_renew

  • on_cancel_renew

  • on_approve_renew

  • on_deny_renew

  • on_pending_renew

| Key | Description | Type | Available in Computation Rule |
|---|---|---|---|
| request.id | Horizon Id of the request | Single value | Yes |
| request.workflow | Workflow of the request | Single value | Yes |
| request.module | Module of the request | Single value | Yes |
| request.status | Status of the request | Single value | Yes |
| request.profile | Profile of the request | Single value | Yes |
| request.requester | Requester of the request | Single value | Yes |
| request.approver | Approver of the request | Single value | Yes |
| request.requester_comment | Comment of the requester | Single value | Yes |
| request.approver_comment | Comment of the approver | Single value | Yes |
| request.registration_date | Registration date of the request | Single value | Yes |
| request.last_modification_date | Last modification date of the request | Single value | Yes |
| request.password | PKCS#12 password or challenge value of the request | Single value | Yes |
| request.team | Team owning the request | Single value | Yes |
| request.my.url | Generates the link to access the request in the 'My Requests' drawer. Should be used after specifying the hostname without trailing slash: https://horizon.fr{{request.my.url}} | Single value | No |
| request.manage.url | Generates the link to access the request in the 'Manage Requests' drawer. Should be used after specifying the hostname without trailing slash: https://horizon.fr{{request.manage.url}} | Single value | No |
| request.dn | The Distinguished Name of the request | Single value | No |
| request.sans | All the SANs of the request, in <type>: <value> comma separated format | Single value | No |
| request.extensions | All the extensions of the request, in <type>: <value> comma separated format | Single value | No |
| request.metadata | All the metadata of the request, in <type>: <value> comma separated format | Single value | No |
| request.labels | All the labels of the request, in <name>: <value> comma separated format | Single value | No |
| request.subject | The values of the request subject | Subject dictionary | Yes |
| request.san | The values of the request sans | Sans dictionary | Yes |
| request.extension | The values of the request extensions | Extensions dictionary | Yes |
| request.label | The values of the request label | Labels dictionary | Yes |
| request.metadata.<metadata name> | The value of metadata <metadata name> defined in the request | Single value | Yes |
| request.certificate | The value of the certificate contained in the request | Certificate dictionary | Yes |

Previous Certificate dictionary

This dictionary is available for notifications on the following events:

  • on_renew

| Key | Description | Type | Available in Computation Rule |
|---|---|---|---|
| previous.certificate | The value of the certificate that is being renewed | Certificate dictionary | Yes |

Credentials dictionary

This dictionary is available for notifications on the on_credentials_expiration event.

| Key | Description | Type | Available in Computation Rule |
|---|---|---|---|
| credentials.name | Name of the credentials | Single value | Yes |
| credentials.description | Description of the credentials | Single value | Yes |
| credentials.type | Type of the credentials | Single value | Yes |
| credentials.expiration_date | Expiration date of the credentials | Single value | Yes |

Profile dictionary

| Key | Description | Type | Available in Computation Rule |
|---|---|---|---|
| profile.name | Technical name of the profile | Single value | Yes |
| profile.module | Module of the profile | Single value | Yes |
| profile.displaynames | Display names of the profile in <lang>: <value> comma separated format | Single value | No |
| profile.descriptions | Descriptions of the profile in <lang>: <value> comma separated format | Single value | No |
| profile.<name>.displayname.<lang> | Display name of the profile in <lang> (two letter identifier) language | Single value | No |
| profile.<name>.description.<lang> | Description of the profile in <lang> (two letter identifier) language | Single value | No |

License dictionary

This dictionary is available for notifications on the on_license_expiration and on_license_usage events.

| Key | Description | Type | Available in Computation Rule |
|---|---|---|---|
| license.expiration_date | Expiration date of the license | Single value | Yes |
| license.used | Number of holders on the license (only available on on_license_usage event) | Single value | Yes |
| license.percent_used | Percent of the license used (only available on on_license_usage event) | Single value | Yes |

Failed trigger dictionary

This dictionary is available for notifications on the on_trigger_error event.

| Key | Description | Type |
|---|---|---|
| trigger.name | Name of the trigger | Single value |
| trigger.event | Event on which the trigger was run | Single value |
| trigger.lastExecutionDate | Last execution date of the trigger | Single value |
| trigger.status | Status of the trigger | Single value |
| trigger.retryable | true if the trigger is retryable, false otherwise | Single value |
| trigger.type | Type of the trigger | Single value |
| trigger.retries | Number of remaining retries | Single value |
| trigger.nextExecutionDate | Date at which the trigger will be rerun | Single value |
| trigger.nextDelay | Delay between the current and next iteration | Single value |
| trigger.detail | Details about the failure | Single value |

In profile

The following dictionaries are available in a certificate template in profile configuration, for auto validation and datasource flow configuration.

General

The dictionary keys listed here are available in all protocols.

All indexes start at 1.

Principal

This dictionary groups the information about the user making the request, the 'principal'.

| Key | Description | Type |
|---|---|---|
| principal.identifier | The identifier of the user | Single value |
| principal.team | The teams of the user | Multi valued |
| principal.team.<index> | The team at index <index> | Single value |
| principal.name | The name of the user | Single value |
| principal.mail | The email of the user | Single value |
| principal.provider.name | The name of the identity provider of the principal | Single value |
| principal.certificate.subject | The values of the principal certificate subject | Subject dictionary |
| principal.certificate.san | The values of the principal certificate sans | Sans dictionary |
| principal.certificate.extension | The values of the principal certificate extensions | Extensions dictionary |

CSR

This dictionary groups the information from the CSR used for enrollment. The CSR can be sent via a client (horizon-cli, estclient, sscep) or via web interfaces with the WebRA protocol.

This only concerns decentralized enrollment.

| Key | Description | Type |
|---|---|---|
| csr.subject | The values of the csr subject | Subject dictionary |
| csr.san | The values of the csr sans | Sans dictionary |
| csr.extension | The values of the csr extensions | Extensions dictionary |

HTTP Request

This dictionary groups the information from the HTTP request that initiated the enrollment.

| Key | Description | Type |
|---|---|---|
| http.request.ip | The IP from which the request originated | Single value |
| http.request.method | The HTTP method used by the request | Single value |
| http.request.path | The path requested | Single value |
| http.request.host | The host requested | Single value |
| http.request.header.<header name> | Value of the <header name> header | Multi valued |

WebRA

Enrollment request

Certificate fields can be filled in by the user on the Horizon interface. This information is available through the following dictionary.

| Key | Description | Type |
|---|---|---|
| webra.enroll.subject | The values of the subject defined in the challenge request | Subject dictionary |
| webra.enroll.san | The values of the sans defined in the challenge request | Sans dictionary |
| webra.enroll.extension | The values of the extensions defined in the challenge request | Extensions dictionary |
| webra.enroll.label.<label name> | The value of label <label name> defined in the challenge request | Single value |
| webra.enroll.metadata.<metadata name> | The value of metadata <metadata name> defined in the challenge request | Single value |
| webra.enroll.mail | The value of the contact email defined in the challenge request | Single value |
| webra.enroll.owner | The value of the owner defined in the challenge request | Single value |
| webra.enroll.team | The value of the team defined in the challenge request | Single value |

EST

Enrollment request

In the case of a prevalidated enrollment, certificate fields can be filled in by the user on the Horizon interface. This information is available through the following dictionary.

| Key | Description | Type |
|---|---|---|
| est.enroll.subject | The values of the subject defined in the challenge request | Subject dictionary |
| est.enroll.san | The values of the sans defined in the challenge request | Sans dictionary |
| est.enroll.extension | The values of the extensions defined in the challenge request | Extensions dictionary |
| est.enroll.label.<label name> | The value of label <label name> defined in the challenge request | Single value |
| est.enroll.metadata.<metadata name> | The value of metadata <metadata name> defined in the challenge request | Single value |
| est.enroll.mail | The value of the contact email defined in the challenge request | Single value |
| est.enroll.owner | The value of the owner defined in the challenge request | Single value |
| est.enroll.team | The value of the team defined in the challenge request | Single value |

Url passed parameters

Horizon allows the use of URL parameters to pass certificate metadata information. These are notably used by the horizon-cli client.

| Key | Description | Type |
|---|---|---|
| url.enroll.label.<label name> | The value of label <label name> passed in the url | Single value |
| url.enroll.metadata.<metadata name> | The value of metadata <metadata name> passed in the url | Single value |
| url.enroll.mail | The value of the contact email passed in the url | Single value |
| url.enroll.owner | The value of the owner passed in the url | Single value |
| url.enroll.team | The value of the team passed in the url | Single value |

SCEP

Enrollment request

In the case of a prevalidated enrollment, certificate fields can be filled in by the user on the Horizon interface. This information is available through the following dictionary.

| Key | Description | Type |
|---|---|---|
| scep.enroll.subject | The values of the subject defined in the challenge request | Subject dictionary |
| scep.enroll.san | The values of the sans defined in the challenge request | Sans dictionary |
| scep.enroll.extension | The values of the extensions defined in the challenge request | Extensions dictionary |
| scep.enroll.label.<label name> | The value of label <label name> defined in the challenge request | Single value |
| scep.enroll.metadata.<metadata name> | The value of metadata <metadata name> defined in the challenge request | Single value |
| scep.enroll.mail | The value of the contact email defined in the challenge request | Single value |
| scep.enroll.owner | The value of the owner defined in the challenge request | Single value |
| scep.enroll.team | The value of the team defined in the challenge request | Single value |

Url passed parameters

Horizon allows the use of URL parameters to pass certificate metadata information. These are notably used by the horizon-cli client.

| Key | Description | Type |
|---|---|---|
| url.enroll.label.<label name> | The value of label <label name> passed in the url | Single value |
| url.enroll.metadata.<metadata name> | The value of metadata <metadata name> passed in the url | Single value |
| url.enroll.mail | The value of the contact email passed in the url | Single value |
| url.enroll.owner | The value of the owner passed in the url | Single value |
| url.enroll.team | The value of the team passed in the url | Single value |

ACME

Order

This dictionary groups the information from the ACME order used for enrollment.

| Key | Description | Type |
|---|---|---|
| acme.order.initialip | The initial IP of the acme order | Single value |
| acme.order.label.<label name> | The value of label <label name> | Single value |
| acme.order.metadata.<metadata name> | The value of metadata <metadata name> | Single value |
| acme.order.mail | The value of the contact email of the acme order | Single value |
| acme.order.owner | The value of the owner of the acme order | Single value |
| acme.order.team | The value of the team of the acme order | Single value |

Account

This dictionary groups the information from the ACME account used for enrollment.

| Key | Description | Type |
|---|---|---|
| acme.account.initialip | The initial IP of the acme account | Single value |
| acme.account.contact.<index> | The value of contact email address of the account at index <index> | Single value |

CRMP

Enrollment request

Certificate fields can be filled in by the user on the CMS interface. This information is available through the following dictionary.

| Key | Description | Type |
|---|---|---|
| crmp.enroll.subject | The values of the subject defined in the challenge request | Subject dictionary |
| crmp.enroll.san | The values of the sans defined in the challenge request | Sans dictionary |
| crmp.enroll.extension | The values of the extensions defined in the challenge request | Extensions dictionary |
| crmp.enroll.label.<label name> | The value of label <label name> defined in the challenge request | Single value |
| crmp.enroll.metadata.<metadata name> | The value of metadata <metadata name> defined in the challenge request | Single value |
| crmp.enroll.mail | The value of the contact email defined in the challenge request | Single value |
| crmp.enroll.owner | The value of the owner defined in the challenge request | Single value |
| crmp.enroll.team | The value of the team defined in the challenge request | Single value |

WCCE

Caller identity

The information of the caller identity in a WCCE enroll.

| Key | Description | Type |
|---|---|---|
| calleridentity.dn | The dn of the caller identity | Single value |
| calleridentity.subject | The dn of the caller identity, split into addressable form | Subject dictionary |
| calleridentity.cn | The cn of the caller identity | Single value |
| calleridentity.msguid | The guid of the caller identity | Single value |
| calleridentity.msupn | The upn of the caller identity | Single value |
| calleridentity.c | The country of the caller identity | Single value |
| calleridentity.company | The company of the caller identity | Single value |
| calleridentity.department | The department of the caller identity | Single value |
| calleridentity.description | The description of the caller identity | Single value |
| calleridentity.displayname | The display name of the caller identity | Single value |
| calleridentity.dnshostname | The dns host name of the caller identity | Single value |
| calleridentity.employeeid | The employee id of the caller identity | Single value |
| calleridentity.employeenumber | The employee number of the caller identity | Single value |
| calleridentity.mail | The email of the caller identity | Single value |
| calleridentity.o | The organization of the caller identity | Single value |
| calleridentity.ou | The OU of the caller identity | Single value |
| calleridentity.samaccountname | The sam account name of the caller identity | Single value |
| calleridentity.serialnumber | The serial number of the caller identity | Single value |
| calleridentity.sn | The sn of the caller identity | Single value |
| calleridentity.title | The title of the caller identity | Single value |
| calleridentity.uid | The uid of the caller identity | Single value |
| calleridentity.sid | The sid of the caller identity | Single value |

Sub dictionaries

These dictionaries cannot be used on their own; they complete a key from one of the other dictionaries. For example, a valid key is:

principal.certificate.subject.cn.1

Subject dictionary

| Key | Description | Type |
|---|---|---|
| subject.<dn field type> | All values of subject field of type <dn field type> | Multi valued |
| subject.<dn field type>.<index> | Value of subject field of type <dn field type> at index <index> | Single value |

The valid dn field types are: cn, uid, serialnumber, surname, givenname, unstructuredaddress, unstructuredname, e, ou, organizationidentifier, uniqueidentifier, street, st, l, o, c, description, dc.

Sans dictionary

| Key | Description | Type |
|---|---|---|
| san.<san field type> | All values of san fields of type <san field type> | Multi valued |
| san.<san field type>.<index> | Value of san field of type <san field type> at index <index> | Single value |

The valid san field types are: rfc822name, dnsname, uri, ipaddress, othername_upn, othername_guid.

Extensions dictionary

| Key | Description | Type |
|---|---|---|
| extension.<extension type> | Value of extension of type <extension type> | Single value |

The valid extension types are: ms_sid, ms_template.

Labels dictionary

| Key | Description | Type | Available in Computation Rule |
|---|---|---|---|
| label.<name> | Value of the <name> label | Single value | Yes |
| label.<name>.displaynames | Display names of the label in <lang>: <value> comma separated format | Single value | No |
| label.<name>.descriptions | Descriptions of the label in <lang>: <value> comma separated format | Single value | No |
| label.<name>.displayname.<lang> | Display name of the label in <lang> (two letter identifier) language | Single value | No |
| label.<name>.description.<lang> | Description of the label in <lang> (two letter identifier) language | Single value | No |
