...
Method | Endpoint | Parameter | Returned values | ||||||
---|---|---|---|---|---|---|---|---|---|
Name | Is required? | Transfer method | Description | Name | Always returned? | Transfer method | Description | ||
GET | /v1/certificate/{caName} | CA name | Yes | Path parameter | Name of Certificate Authority which should sign sent CSR. Must match CertService's CMPv2 servers configuration. | Error message | No, only if error occurred on server side | Body (JSON) | Verbose information what wrong happened on server side. |
Base64 encoded CSR (Certificate Signing Request) in PEM format | Yes | Header | Certificate Signing Request for given component | Certificate chain | No, only in success case. | Body (JSON) | Base64 encoded | ||
Base64 encoded private key in PEM format | Yes | Header | Private key. Needed to create proof of possession (PoP) | Trusted certificates | No, only in success case. | Body (JSON) | Base64 encoded |
...
HTTP code | Description |
---|---|
200 (OK) | Everything is ok. Certificate chain and trusted certificates returned |
400 (Bad Request) | Incorrect/missing CSR and/or private key |
401 (Unauthorized) | Missing client certificate or presented certificate is not trusted |
404 (Not found) | Invalid CA name in REST API call or wrong endpoint called |
500 (Internal Server Error) | In case of exception on server side. |
OpenAPI
View file | ||||
---|---|---|---|---|
|
CMPv2 server properties
CertService contains configuration of CMPv2 servers. To enroll certificate at least one CMPv2 server has to be configured. CMPv2 servers configuration is read during CertService startup and to take runtime changes into account CertService's refresh configuration endpoint has to be called.
...
Relevant values in Initialization Request (IR) message sent to CMPv2 server:
Value | Description | Information Included |
---|---|---|
PKIHeader | Contains information common to many PKI messages. | SenderDN IssuerDN ProtectionAlgorithm (used for PkiProtection below) |
PKIBody | Contains message-specific information ie. initialization request message | CertificateRequestMessage, which includes: SubjectDN IssuerDN SubjectPublicKey |
PKIProtection | Contains bits that protect PKImessage (Specifically the iak/rv) |
Return values from CMPv2 client
Following table represents return values from CMPv2 client.
Output value | Output type | Description |
---|---|---|
certificateChain | List <java.security.cert.X509Certificate> | Enrolled certificate with full certificate chain (all certificates of intermediate CAs), without root CA |
trustedCerts | List <java.security.cert.X509Certificate> | All trusted certificates returned from CMPv2 server, including root CA |
Test code for running cmpv2 client against EJBCA server through unit test
...