Difference between revisions of "CA REST API"

From Dogtag
m (References)
(References)
Line 199: Line 199:
 
* Request: [https://github.com/dogtagpki/pki/blob/master/base/common/src/com/netscape/certsrv/cert/CertReviewResponse.java CertReviewResponse]
 
* Request: [https://github.com/dogtagpki/pki/blob/master/base/common/src/com/netscape/certsrv/cert/CertReviewResponse.java CertReviewResponse]
 
* Response: none
 
* Response: none
 +
 +
= Example Requests =
 +
 +
== Client cert and key extraction ==
 +
 +
For operations that require "client certificate" authentication, extract the cert and key from P12 to PEM file
 +
 +
$ openssl pkcs12 -in ~/.dogtag/pki-tomcat/ca_admin_cert.p12 -out file.crt.pem -clcerts -nokeys
 +
$ openssl pkcs12 -in ~/.dogtag/pki-tomcat/ca_admin_cert.p12 -out file.key.pem -nocerts -nodes
 +
 +
== Using curl ==
 +
 +
[GET] To list all cert requests pass both the cert and key as params to curl:
 +
$ curl -v -k -E file.crt.pem --key file.key.pem https://<host>:8443/ca/rest/agent/certrequests
 +
 +
 +
'''Note:''' Use ''-k'' if the CA chain is not imported system-wide
 +
 +
== Using Postman ==
 +
 +
Go to '''File -> Settings -> Certificates (tab) -> (Under Client Certificates) Add Certificate -> Select cert and key'''
 +
 +
'''Note:''' Make sure to provide the correct ''hostname'' and ''port'' to ensure that the credentials are pinned with the request.
  
 
= References =
 
= References =
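Review bot: The added extraction step that ends in -nodes writes the admin private key to file.key.pem unencrypted, and the new section says nothing about restricting that file's permissions or removing it after use; suggest adding a sentence to that effect next to the two openssl commands. In the curl line, -k is part of the command itself while the note below it says to use -k only if the CA chain is not imported system-wide; suggest dropping -k from the example and pointing to curl's --cacert option with the CA chain file as the alternative, so the default example keeps server certificate verification on.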
Line 205: Line 228:
 
* [[Subsystem REST API]]
 
* [[Subsystem REST API]]
 
* [[CA Client Java API]]
 
* [[CA Client Java API]]
 +
* [https://learning.postman.com/docs/postman/sending-api-requests/certificates/ Postman Configure Client Certificate]

Revision as of 14:42, 29 June 2020

CA REST API

See CAApplication.

Certificates

See CertResource.

Listing certificates

  • Operation: GET /ca/rest/certs
  • Query Parameters:
    • status: string
    • maxResults: integer
    • maxTime: integer
    • start: integer
    • size: integer
  • Request: none
  • Response: CertDataInfos

Searching certificates

Retrieving a certificate

  • Operation: GET /ca/rest/certs/{id}
  • Query Parameters:
    • id: dec/hex serial number
  • Request: none
  • Response: CertData

Reviewing a certificate

  • Operation: GET /ca/rest/agent/certs/{id}
  • Query Parameters:
    • id: dec/hex serial number
  • Request: none
  • Response: CertData

Revoking a CA certificate

Revoking a certificate

Unrevoking a certificate

  • Operation: POST /ca/rest/agent/certs/{id}/unrevoke
  • Query Parameters:
    • id: dec/hex serial number
  • Request: none
  • Response: CertRequestInfo

Certificate Request Templates

Listing certificate request templates

  • Operation: GET /ca/rest/certrequests/profiles
  • Query Parameters:
    • start: integer
    • size: integer
  • Request: none
  • Response: ProfileDataInfos

Retrieving a certificate request template

  • Operation: GET /ca/rest/certrequests/profiles/{id}
  • Query Parameters:
    • id: integer
  • Request: none
  • Response: CertEnrollmentRequest

Certificate Requests

See CertRequestResource.

Listing certificate requests

  • Operation: GET /ca/rest/agent/certrequests
  • Authentication: client certificate
  • Query Parameters:
    • requestState: string
    • requestType: string
    • start: dec/hex request ID
    • pageSize: integer
    • maxResults: integer
    • maxTime: integer
  • Request: none
  • Response: CertRequestInfos

Retrieving a certificate request

  • Operation: GET /ca/rest/certrequests/{id}
  • Query Parameters:
    • id: dec/hex request ID
  • Request: none
  • Response: CertRequestInfo

Submitting a certificate request

The issuer-id and issuer-dn are optional and mutually-exclusive parameters to specify the (lightweight) CA which will issue the certificate. By default the request will be issued by the primary/host CA. See also PKI CA Authority CLI, PKI Certificate CLI, and PKI Client CLI.

Code example:

Reviewing a certificate request

  • Operation: GET /ca/rest/agent/certrequests/{id}
  • Authentication: client certificate
  • Query Parameters:
    • id: dec/hex request ID
  • Request: none
  • Response: CertReviewResponse

Approving a certificate request

  • Operation: POST /ca/rest/agent/certrequests/{id}/approve
  • Authentication: client certificate
  • Query Parameters:
    • id: dec/hex request ID
  • Request: CertReviewResponse
  • Response: none

Rejecting a certificate request

  • Operation: POST /ca/rest/agent/certrequests/{id}/reject
  • Authentication: client certificate
  • Query Parameters:
    • id: dec/hex request ID
  • Request: CertReviewResponse
  • Response: none

Canceling a certificate request

  • Operation: POST /ca/rest/agent/certrequests/{id}/cancel
  • Authentication: client certificate
  • Query Parameters:
    • id: dec/hex request ID
  • Request: CertReviewResponse
  • Response: none

Updating a certificate request

  • Operation: POST /ca/rest/agent/certrequests/{id}/update
  • Authentication: client certificate
  • Query Parameters:
    • id: dec/hex request ID
  • Request: CertReviewResponse
  • Response: none

Validating a certificate request

  • Operation: POST /ca/rest/agent/certrequests/{id}/validate
  • Authentication: client certificate
  • Query Parameters:
    • id: dec/hex request ID
  • Request: CertReviewResponse
  • Response: none

Assigning a certificate request

  • Operation: POST /ca/rest/agent/certrequests/{id}/assign
  • Authentication: client certificate
  • Query Parameters:
    • id: dec/hex request ID
  • Request: CertReviewResponse
  • Response: none

Unassigning a certificate request

  • Operation: POST /ca/rest/agent/certrequests/{id}/unassign
  • Authentication: client certificate
  • Query Parameters:
    • id: dec/hex request ID
  • Request: CertReviewResponse
  • Response: none

Example Requests

Client cert and key extraction

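For operations that require "client certificate" authentication, extract the certificate and key from the PKCS #12 file into PEM files. The -nodes option writes the private key unencrypted, so keep file.key.pem readable only by its owner: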

$ openssl pkcs12 -in ~/.dogtag/pki-tomcat/ca_admin_cert.p12 -out file.crt.pem -clcerts -nokeys
$ openssl pkcs12 -in ~/.dogtag/pki-tomcat/ca_admin_cert.p12 -out file.key.pem -nocerts -nodes

Using curl

[GET] To list all certificate requests, pass both the certificate and the key as parameters to curl:

$ curl -v -k -E file.crt.pem --key file.key.pem https://<host>:8443/ca/rest/agent/certrequests


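Note: Use -k only if the CA chain is not imported system-wide. It disables verification of the server certificate; passing the CA chain file with --cacert keeps verification on.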
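The lists above show that reviewing a request returns the CertReviewResponse that approve, reject and the other agent actions take as their request body. The script below chains the two calls; it is an added example, not part of the original page or Dogtag code. CA_HOST, CA_CHAIN, the function names and the XML content type are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not Dogtag project code. CA_HOST, CA_CHAIN and the function
# names are assumptions; the paths and actions come from the lists above.
CA_HOST="${CA_HOST:-ca.example.test}"   # placeholder host
CA_CHAIN="${CA_CHAIN:-ca_chain.pem}"    # PEM CA chain, used instead of -k
CERT="${CERT:-file.crt.pem}"
KEY="${KEY:-file.key.pem}"

# Accept only a decimal or 0x-prefixed hex request ID, so the value cannot
# add path segments or query strings to the URL.
is_request_id() {
    case "$1" in
        0[xX]?*) case "${1#0[xX]}" in *[!0-9a-fA-F]*) return 1 ;; esac ;;
        ''|*[!0-9]*) return 1 ;;
    esac
}

# Build the agent URL: no action means "review", otherwise a listed action.
agent_url() {
    is_request_id "$1" || return 1
    case "${2:-}" in
        '') printf 'https://%s:8443/ca/rest/agent/certrequests/%s\n' "$CA_HOST" "$1" ;;
        approve|reject|cancel|update|validate|assign|unassign)
            printf 'https://%s:8443/ca/rest/agent/certrequests/%s/%s\n' "$CA_HOST" "$1" "$2" ;;
        *) return 1 ;;
    esac
}

# The key was exported with -nodes (unencrypted): require that group and
# other have no permission bits on the file.
key_is_private() {
    [ "$(ls -ld -- "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# GET the CertReviewResponse, then POST it back unchanged to the action URL.
# The XML representation is an assumption of this sketch.
review_and_act() {
    local review_url action_url body
    review_url=$(agent_url "$1") || { echo "bad request ID: $1" >&2; return 2; }
    { [ -n "${2:-}" ] && action_url=$(agent_url "$1" "$2"); } ||
        { echo "bad action: ${2:-}" >&2; return 2; }
    key_is_private "$KEY" || { echo "$KEY is readable by group/other" >&2; return 3; }
    body=$(curl -sS --fail --cacert "$CA_CHAIN" -E "$CERT" --key "$KEY" \
        -H 'Accept: application/xml' "$review_url") || return 4
    printf '%s' "$body" | curl -sS --fail --cacert "$CA_CHAIN" -E "$CERT" \
        --key "$KEY" -H 'Content-Type: application/xml' \
        -X POST --data-binary @- "$action_url"
}
```

Source the file and call, for example, review_and_act 0x1f approve; a non-zero return code tells which check failed before any request was sent.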

Using Postman

Go to File -> Settings -> Certificates (tab) -> (Under Client Certificates) Add Certificate -> Select cert and key

Note: Make sure to provide the correct hostname and port so that the client certificate is sent with requests to that server.

References