...
| Method | Endpoint | Parameter | Returned values | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Name | Is required? | Transfer method | Description | Name | Always returned? | Transfer method | Description | ||||
| GET | /v1/certificate/{caName} | CA name | Yes | Path parameter | Name of Certificate Authority which should sign sent CSR. Must match CertService's CMPv2 servers configuration. | Error message | No, only if error occurred on server side | Body (JSON) | Verbose information what wrong happened on server side. | ||
| Base64 encoded CSR (Certificate Signing Request) | Yes | Header | Certificate Signing Request for given component | Certificate chain | YesNo, only in success case. | Body (JSON) | Base64 encoded  signed certificate with whole certificate chain (intermediate CA certificates). Signed certificate should be returned first and then all intermediate certificates in following order: singer of previous certificate till certificate which is signed by root CA. | ||||
| Base64 encoded CSR (Certificate Signing Request)private key | Yes | Header | Certificate Signing Request for given componentPrivate key. Needed to create proof of possession (PoP) | Trusted certificates | YesNo, only in success case. | Body (JSON) | Base64 encoded list of trusted certificates. In other words list of root CAs which should be treated as trust anchors. Must contain root CA which was used to sign certificate and may contain other root CAs. Order doesn't matter. | Base64 encoded private key | Yes | Header | Private key. Needed to create proof of possession (PoP). Order doesn't matter. |
Return HTTP codes:
| HTTP code | Description |
|---|---|
| 200 (OK) | Everything is ok. Certificate chain and trusted certificates returned |
| 400 (Bad Request) | Incorrect/missing CSR and/or private key |
| 401 (Unauthorized) | Missing client certificate or presented certificate is not trusted |
| 404 (Not found) | Invalid CA name in REST API call or wrong endpoint called |
| 500 (Internal Server Error) | In case of exception on server side. |
...
| Input value | Input type | Description | Usage |
|---|---|---|---|
| CsrModel | Object | POJO which transfers sent CSR, plain fields extracted from CSR (like Common Name, Country, etc) | |
| CsrModel:: csr | org.bouncycastle.pkcs.PKCS10CertificationRequest | Certificate Signing Request received via REST API | |
| CsrModel:: subjectDN | org.bouncycastle.asn1.x500.X500Name | SubjectDN retrieved from sent CSR | |
| CsrModel:: privateKey | Either org.bouncycastle.util.io.pem.PemObject or java.security.PrivateKey | Private key received via REST API | |
| CsrModel:: publicKey | Either org.bouncycastle.util.io.pem.PemObject or java.security.PublicKey | Public key retrieved from sent CSR | |
| CsrModel:: |  Others (plain data extracted from sent CSR) if needed | | |
| CMPv2ServerDetails | Object | POJO which transfers CMPv2 server properties | |
| CMPv2ServerDetails:: CA name | String | CA name as configured in CMPv2 server properties | |
| CMPv2ServerDetails:: URL | URL or String | URL to CMPv2 server as configured in CMPv2 server details | |
| CMPv2ServerDetails:: IssuerDN | org.bouncycastle.asn1.x500.X500Name | Issuer DN as configured in CMPv2 server details | |
| CMPv2ServerDetails:: CA mode | ENUM | CA mode as configured in CMPv2 server details | |
| CMPv2ServerDetails:: IAK | String | IAK as configured in CMPv2 server details | |
| CMPv2ServerDetails:: RV | String | RV as configured in CMPv2 server details | |
| CA name | String | CA name received via REST API |
...
Run CertService as docker via following command: TBA
| Code Block |
|---|
docker run -it -p 8080:8080/tcp $CONTAINER_IMAGE --name cert-service $IMAGE_NAME |
Kubernetes
For Kubernetes helm chart is provided. Just fill in all overwrite needed values and deploy helm chart using following command: TBA
...