Difference between revisions of "CA REST API"

From Dogtag
(References)
(Example Requests)
 
Line 216: Line 216:
  
 
'''Note:''' Use ''-k'' if the CA chain is not imported system-wide
 
'''Note:''' Use ''-k'' if the CA chain is not imported system-wide
 +
 +
[GET] You can also pass a PKCS12 file to curl:
 +
$ curl -k --cert-type P12 --cert ~/.dogtag/pki-tomcat/ca_admin_cert.p12:<password> https://<host>:8443/ca/rest/agent/certrequests
  
 
== Using Postman ==
 
== Using Postman ==
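
Review bot: the added `--cert ~/.dogtag/pki-tomcat/ca_admin_cert.p12:<password>` argument puts the PKCS #12 password on curl's command line, where it is saved in shell history and readable from the process list while curl runs. Suggest documenting the form without `:<password>`, in which case curl asks for the password on the terminal. The new example also carries `-k` like the one above it, so the existing note could say that `-k` turns off verification of the server certificate rather than only when to use it.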

Latest revision as of 15:11, 2 July 2020

CA REST API

See CAApplication.

Certificates

See CertResource.

Listing certificates

  • Operation: GET /ca/rest/certs
  • Query Parameters:
    • status: string
    • maxResults: integer
    • maxTime: integer
    • start: integer
    • size: integer
  • Request: none
  • Response: CertDataInfos

Searching certificates

Retrieving a certificate

  • Operation: GET /ca/rest/certs/{id}
  • Query Parameters:
    • id: dec/hex serial number
  • Request: none
  • Response: CertData

Reviewing a certificate

  • Operation: GET /ca/rest/agent/certs/{id}
  • Query Parameters:
    • id: dec/hex serial number
  • Request: none
  • Response: CertData

Revoking a CA certificate

Revoking a certificate

Unrevoking a certificate

  • Operation: POST /ca/rest/agent/certs/{id}/unrevoke
  • Query Parameters:
    • id: dec/hex serial number
  • Request: none
  • Response: CertRequestInfo

Certificate Request Templates

Listing certificate request templates

  • Operation: GET /ca/rest/certrequests/profiles
  • Query Parameters:
    • start: integer
    • size: integer
  • Request: none
  • Response: ProfileDataInfos

Retrieving a certificate request template

  • Operation: GET /ca/rest/certrequests/profiles/{id}
  • Query Parameters:
    • id: integer
  • Request: none
  • Response: CertEnrollmentRequest

Certificate Requests

See CertRequestResource.

Listing certificate requests

  • Operation: GET /ca/rest/agent/certrequests
  • Authentication: client certificate
  • Query Parameters:
    • requestState: string
    • requestType: string
    • start: dec/hex request ID
    • pageSize: integer
    • maxResults: integer
    • maxTime: integer
  • Request: none
  • Response: CertRequestInfos

Retrieving a certificate request

  • Operation: GET /ca/rest/certrequests/{id}
  • Query Parameters:
    • id: dec/hex request ID
  • Request: none
  • Response: CertRequestInfo

Submitting a certificate request

The issuer-id and issuer-dn are optional and mutually-exclusive parameters to specify the (lightweight) CA which will issue the certificate. By default the request will be issued by the primary/host CA. See also PKI CA Authority CLI, PKI Certificate CLI, and PKI Client CLI.

Code example:

Reviewing a certificate request

  • Operation: GET /ca/rest/agent/certrequests/{id}
  • Authentication: client certificate
  • Query Parameters:
    • id: dec/hex request ID
  • Request: none
  • Response: CertReviewResponse

Approving a certificate request

  • Operation: POST /ca/rest/agent/certrequests/{id}/approve
  • Authentication: client certificate
  • Query Parameters:
    • id: dec/hex request ID
  • Request: CertReviewResponse
  • Response: none

Rejecting a certificate request

  • Operation: POST /ca/rest/agent/certrequests/{id}/reject
  • Authentication: client certificate
  • Query Parameters:
    • id: dec/hex request ID
  • Request: CertReviewResponse
  • Response: none

Canceling a certificate request

  • Operation: POST /ca/rest/agent/certrequests/{id}/cancel
  • Authentication: client certificate
  • Query Parameters:
    • id: dec/hex request ID
  • Request: CertReviewResponse
  • Response: none

Updating a certificate request

  • Operation: POST /ca/rest/agent/certrequests/{id}/update
  • Authentication: client certificate
  • Query Parameters:
    • id: dec/hex request ID
  • Request: CertReviewResponse
  • Response: none

Validating a certificate request

  • Operation: POST /ca/rest/agent/certrequests/{id}/validate
  • Authentication: client certificate
  • Query Parameters:
    • id: dec/hex request ID
  • Request: CertReviewResponse
  • Response: none

Assigning a certificate request

  • Operation: POST /ca/rest/agent/certrequests/{id}/assign
  • Authentication: client certificate
  • Query Parameters:
    • id: dec/hex request ID
  • Request: CertReviewResponse
  • Response: none

Unassigning a certificate request

  • Operation: POST /ca/rest/agent/certrequests/{id}/unassign
  • Authentication: client certificate
  • Query Parameters:
    • id: dec/hex request ID
  • Request: CertReviewResponse
  • Response: none

Example Requests

Client cert and key extraction

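For operations that require "client certificate" authentication, extract the certificate and key from the PKCS #12 file into PEM files. The second command uses -nodes, so the private key in file.key.pem is written unencrypted.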

$ openssl pkcs12 -in ~/.dogtag/pki-tomcat/ca_admin_cert.p12 -out file.crt.pem -clcerts -nokeys
$ openssl pkcs12 -in ~/.dogtag/pki-tomcat/ca_admin_cert.p12 -out file.key.pem -nocerts -nodes

Using curl

[GET] To list all cert requests pass both the cert and key as params to curl:

$ curl -v -k -E file.crt.pem --key file.key.pem https://<host>:8443/ca/rest/agent/certrequests

Note: Use -k if the CA chain is not imported system-wide. With -k, curl does not verify the server certificate.

[GET] You can also pass a PKCS12 file to curl:

$ curl -k --cert-type P12 --cert ~/.dogtag/pki-tomcat/ca_admin_cert.p12:<password> https://<host>:8443/ca/rest/agent/certrequests
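
The extraction and listing steps above, as an added example that is not part of the Dogtag wiki: the key is written owner-only, the PKCS #12 password is read from the environment instead of the command line, and the server certificate is verified with --cacert rather than skipped with -k. The function names, the P12_PASS variable, the client.*.pem file names and the CA chain file are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Dogtag wiki. Function names, P12_PASS and the
# client.*.pem file names are assumptions made for this example.

# extract_client_cred P12 OUTDIR
# Split a PKCS #12 file into OUTDIR/client.crt.pem and OUTDIR/client.key.pem.
# The password is taken from the exported variable P12_PASS (-passin env:...),
# so it never appears in the argument list or in shell history.
extract_client_cred() {
    p12=$1
    outdir=$2
    [ -r "$p12" ] || { echo "cannot read $p12" >&2; return 1; }
    [ -n "${P12_PASS+set}" ] || { echo "export P12_PASS first" >&2; return 1; }
    (
        # -nodes writes the private key unencrypted: make everything created
        # here owner-only, and drop stale files that may have wider modes.
        umask 077
        mkdir -p "$outdir" || exit 1
        rm -f "$outdir/client.crt.pem" "$outdir/client.key.pem"
        openssl pkcs12 -in "$p12" -passin env:P12_PASS \
            -out "$outdir/client.crt.pem" -clcerts -nokeys &&
        openssl pkcs12 -in "$p12" -passin env:P12_PASS \
            -out "$outdir/client.key.pem" -nocerts -nodes
    )
}

# list_cert_requests HOST OUTDIR CA_CHAIN
# Same request as the curl example above, but the server certificate is
# verified against CA_CHAIN (--cacert) instead of being skipped with -k.
list_cert_requests() {
    curl --silent --show-error --fail \
        --cacert "$3" \
        --cert "$2/client.crt.pem" --key "$2/client.key.pem" \
        "https://$1:8443/ca/rest/agent/certrequests"
}

# Usage (placeholders as on the page; ca_chain.pem is an assumed file name):
#   export P12_PASS
#   extract_client_cred ~/.dogtag/pki-tomcat/ca_admin_cert.p12 ./cred
#   list_cert_requests <host> ./cred ca_chain.pem
```
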

Using Postman

Go to File -> Settings -> Certificates (tab) -> (Under Client Certificates) Add Certificate -> Select cert and key

Note: Make sure to provide the correct hostname and port, so that the client certificate is attached to requests sent to that host.

References