Different TLS CA roles can have different restrictions on the certificates that are generated from a CA. For example, one role may be allowed to only issue short lived (short TTL) client certificates, whereas another role may be allowed to issue server certificates for a given domain.
Roles allow for tighter control over which certificates a user or approle is allowed to issue, both in terms of certificate type as well as certificate properties such as TTL
It is recommended that restricted roles are used to limit the exposure. A user or app role should only be given access to a specific role that has been tightly locked down to only allow issuing of certificates with the properties needed for the specific use case. This to limit the chance of unwanted certificates being generated.
Created
Bad Request
Unauthorized
Forbidden
Not Found
Conflict (instance exists)
Service Unavailable (strongbox sealed)
name: cert-signer cert-key-type: ecdsa allowed-hosts: - www.acme.com allowed-domains: - avassa.net ttl: 1y max-ttl: 1y355d digest: sha256 allow-bare-domains: true allow-subdomains: true allow-any-name: true allow-ip-sans: true server-ext-usage: true client-ext-usage: true code-signing-ext-usage: false full-authority-key-identifier: false allow-ca-certs: false allow-client-certs: false allow-server-certs: true distribute: to: inherit
Roles allow for tighter control over which certificates a user or approle is allowed to issue, both in terms of certificate type as well as certificate properties such as TTL
It is recommended that restricted roles are used to limit the exposure. A user or app role should only be given access to a specific role that has been tightly locked down to only allow issuing of certificates with the properties needed for the specific use case. This to limit the chance of unwanted certificates being generated.
| fields | string Retrieve only requested fields from the resource See section fields |
| validate | string <enumeration> Validate the request but do not actually perform the requested operation |
| keys | string <enumeration> Retrieve only the keys for the list |
| count | string <enumeration> Retrieve only the number of elements in the list |
OK
Bad Request
Unauthorized
Forbidden
Not Found
Precondition Failed
Service Unavailable (strongbox sealed)
- name: cert-signer cert-key-type: ecdsa allowed-hosts: - www.acme.com allowed-domains: - avassa.net ttl: 1y max-ttl: 1y355d digest: sha256 allow-bare-domains: true allow-subdomains: true allow-any-name: true allow-ip-sans: true server-ext-usage: true client-ext-usage: true code-signing-ext-usage: false full-authority-key-identifier: false allow-ca-certs: false allow-client-certs: false allow-server-certs: true distribute: to: inherit
Roles allow for tighter control over which certificates a user or approle is allowed to issue, both in terms of certificate type as well as certificate properties such as TTL
It is recommended that restricted roles are used to limit the exposure. A user or app role should only be given access to a specific role that has been tightly locked down to only allow issuing of certificates with the properties needed for the specific use case. This to limit the chance of unwanted certificates being generated.
No Content
Bad Request
Unauthorized
Forbidden
Not Found
Precondition Failed
Service Unavailable (strongbox sealed)
name: cert-signer cert-key-type: ecdsa allowed-hosts: - www.acme.com allowed-domains: - avassa.net ttl: 1y max-ttl: 1y355d digest: sha256 allow-bare-domains: true allow-subdomains: true allow-any-name: true allow-ip-sans: true server-ext-usage: true client-ext-usage: true code-signing-ext-usage: false full-authority-key-identifier: false allow-ca-certs: false allow-client-certs: false allow-server-certs: true distribute: to: inherit
Roles allow for tighter control over which certificates a user or approle is allowed to issue, both in terms of certificate type as well as certificate properties such as TTL
It is recommended that restricted roles are used to limit the exposure. A user or app role should only be given access to a specific role that has been tightly locked down to only allow issuing of certificates with the properties needed for the specific use case. This to limit the chance of unwanted certificates being generated.
No Content
Bad Request
Unauthorized
Forbidden
Not Found
Precondition Failed
Service Unavailable (strongbox sealed)
Roles allow for tighter control over which certificates a user or approle is allowed to issue, both in terms of certificate type as well as certificate properties such as TTL
It is recommended that restricted roles are used to limit the exposure. A user or app role should only be given access to a specific role that has been tightly locked down to only allow issuing of certificates with the properties needed for the specific use case. This to limit the chance of unwanted certificates being generated.
Created
No Content
Bad Request
Unauthorized
Forbidden
Not Found
Precondition Failed
Service Unavailable (strongbox sealed)
name: cert-signer cert-key-type: ecdsa allowed-hosts: - www.acme.com allowed-domains: - avassa.net ttl: 1y max-ttl: 1y355d digest: sha256 allow-bare-domains: true allow-subdomains: true allow-any-name: true allow-ip-sans: true server-ext-usage: true client-ext-usage: true code-signing-ext-usage: false full-authority-key-identifier: false allow-ca-certs: false allow-client-certs: false allow-server-certs: true distribute: to: inherit
Roles allow for tighter control over which certificates a user or approle is allowed to issue, both in terms of certificate type as well as certificate properties such as TTL
It is recommended that restricted roles are used to limit the exposure. A user or app role should only be given access to a specific role that has been tightly locked down to only allow issuing of certificates with the properties needed for the specific use case. This to limit the chance of unwanted certificates being generated.
| fields | string Retrieve only requested fields from the resource See section fields |
| validate | string <enumeration> Validate the request but do not actually perform the requested operation |
OK
Bad Request
Unauthorized
Forbidden
Not Found
Precondition Failed
Service Unavailable (strongbox sealed)
name: cert-signer cert-key-type: ecdsa allowed-hosts: - www.acme.com allowed-domains: - avassa.net ttl: 1y max-ttl: 1y355d digest: sha256 allow-bare-domains: true allow-subdomains: true allow-any-name: true allow-ip-sans: true server-ext-usage: true client-ext-usage: true code-signing-ext-usage: false full-authority-key-identifier: false allow-ca-certs: false allow-client-certs: false allow-server-certs: true distribute: to: inherit
Roles allow for tighter control over which certificates a user or approle is allowed to issue, both in terms of certificate type as well as certificate properties such as TTL
It is recommended that restricted roles are used to limit the exposure. A user or app role should only be given access to a specific role that has been tightly locked down to only allow issuing of certificates with the properties needed for the specific use case. This to limit the chance of unwanted certificates being generated.
| fields | string Retrieve only requested fields from the resource See section fields |
| site | string Send the request to the specfifed site |
| content | string <enumeration> Filter descendant nodes in the response |
| keys | string <enumeration> Retrieve only the keys for the list |
| count | string <enumeration> Retrieve only the number of elements in the list |
OK
Bad Request
Unauthorized
Forbidden
Not Found
Service Unavailable (strongbox sealed)
- name: cert-signer cert-key-type: ecdsa allowed-hosts: - www.acme.com allowed-domains: - avassa.net ttl: 1y max-ttl: 1y355d digest: sha256 allow-bare-domains: true allow-subdomains: true allow-any-name: true allow-ip-sans: true server-ext-usage: true client-ext-usage: true code-signing-ext-usage: false full-authority-key-identifier: false allow-ca-certs: false allow-client-certs: false allow-server-certs: true distribute: to: inherit distribution-status: to: none
Roles allow for tighter control over which certificates a user or approle is allowed to issue, both in terms of certificate type as well as certificate properties such as TTL
It is recommended that restricted roles are used to limit the exposure. A user or app role should only be given access to a specific role that has been tightly locked down to only allow issuing of certificates with the properties needed for the specific use case. This to limit the chance of unwanted certificates being generated.
| fields | string Retrieve only requested fields from the resource See section fields |
| site | string Send the request to the specfifed site |
| content | string <enumeration> Filter descendant nodes in the response |
OK
Bad Request
Unauthorized
Forbidden
Not Found
Service Unavailable (strongbox sealed)
name: cert-signer cert-key-type: ecdsa allowed-hosts: - www.acme.com allowed-domains: - avassa.net ttl: 1y max-ttl: 1y355d digest: sha256 allow-bare-domains: true allow-subdomains: true allow-any-name: true allow-ip-sans: true server-ext-usage: true client-ext-usage: true code-signing-ext-usage: false full-authority-key-identifier: false allow-ca-certs: false allow-client-certs: false allow-server-certs: true distribute: to: inherit distribution-status: to: none
OK
Bad Request
Unauthorized
Forbidden
Not Found
Service Unavailable (strongbox sealed)
offset: 0s
renewed: true activated: false latest-expires-in: 128d active-expires-in: 54d
OK
Bad Request
Unauthorized
Forbidden
Not Found
Service Unavailable (strongbox sealed)
cert: | -----BEGIN CERTIFICATE----- MIICHjCCAcSgAwIBAgITAKs1oS0ybeAUntauysqFuBeQlDAKBggqhkjOPQQDAjBl MRowGAYDVQQDExFBdmFzc2EgQVBJIHJvb3QgMjESMBAGA1UEBxMJU3RvY2tob2xt MQswCQYDVQQGEwJTRTEPMA0GA1UEChMGQXZhc3NhMRUwEwYDVQQLEwxkaXN0cmli dXRpb24wIhgPMjAyMTEyMjMyMzIwMTNaGA8yMDI3MDUxMTEwMDgxM1owZTEaMBgG A1UEAxMRQXZhc3NhIEFQSSByb290IDIxEjAQBgNVBAcTCVN0b2NraG9sbTELMAkG A1UEBhMCU0UxDzANBgNVBAoTBkF2YXNzYTEVMBMGA1UECxMMZGlzdHJpYnV0aW9u MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEzSauslxXPReRGQFzPKPamVN8KPiP h+6PQaTXa5EN0cYukD+VU8Guu9r+k7BBF0t6+kzxJ4v84uGqcS11BrbOPaNPME0w DgYDVR0PAQH/BAQDAgGGMBIGA1UdEwEB/wQIMAYBAf8CAQEwJwYDVR0fBCAwHjAc oBqgGIYWaHR0cDovL2NybC5hdmFzc2EubmV0LzAKBggqhkjOPQQDAgNIADBFAiEA 1zOd7AGv/56MOFYAUa9WqJSBwBwncUkUdRcoMHNw5zoCIGeIgBFg5qxGU4SxwwWV ZQYSJpKqUCz7uo9HvItC3A7S -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIICGDCCAb+gAwIBAgISMeZQ4HpjHhrLayS5JedHqb5vMAoGCCqGSM49BAMCMGMx GDAWBgNVBAMTD0F2YXNzYSBBUEkgcm9vdDESMBAGA1UEBxMJU3RvY2tob2xtMQsw CQYDVQQGEwJTRTEPMA0GA1UEChMGQXZhc3NhMRUwEwYDVQQLEwxkaXN0cmlidXRp b24wIhgPMjAyMTEyMzEwNjMxMTdaGA8yMDI1MDUxMTEwMDcxN1owYzEYMBYGA1UE AxMPQXZhc3NhIEFQSSByb290MRIwEAYDVQQHEwlTdG9ja2hvbG0xCzAJBgNVBAYT AlNFMQ8wDQYDVQQKEwZBdmFzc2ExFTATBgNVBAsTDGRpc3RyaWJ1dGlvbjBZMBMG ByqGSM49AgEGCCqGSM49AwEHA0IABCMdQb+jMkUsk2ZcuvpvsN5teiV5ia/Gsfgx GgQ4qDmBRFxNrfuj34uD8QCTImxijm5zJHaIwYIxQLJ9fi+SJiyjTzBNMA4GA1Ud DwEB/wQEAwIBhjASBgNVHRMBAf8ECDAGAQH/AgEBMCcGA1UdHwQgMB4wHKAaoBiG Fmh0dHA6Ly9jcmwuYXZhc3NhLm5ldC8wCgYIKoZIzj0EAwIDRwAwRAIgXHevBN00 3omcAE1ryOvL8NbzpsRFjoAR2SVVj3HT454CIHR7hEVtX/FZ+Qdy7kzz3kArX2H/ 2l/pX1YONDXlyvHM -----END CERTIFICATE-----
OK
Bad Request
Unauthorized
Forbidden
Not Found
Service Unavailable (strongbox sealed)
version: 1 ttl: 15d truncate-ttl: false host: tio.avassa.net public-key: | -----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAprsthcrQ/Ug6leQQAjna QmLN1QDvjPs2wB6BXfwsW+KnMKCAQmv2eKpE2ZmpHoHxyz4JYhFm5vRCbl5AjM+1 m3MvPAEP6LkDKK1blOpOinv21WW1rjC6kC2TEEI54gDMW0XBZqIYJUD7gP02zpNe jsZTELRrD8w55HIAe38doEg+TqEgYo4CIKM/ivh8SXi1alI3N7Gi8K8oKXh8azhY u9FHVig13HSym9E5zreF32CKSiQMS4cyyH1DXAQg/v9X6uBtga1HD33SYeXTNaga 1L6Gn9AcCeBwmcmImTeA49NedAqoLMFZSZlR3C3bsspN0rtWyroO00QpyFqpHMYx GQIDAQAB -----END PUBLIC KEY----- cert-type: server alt-name: - type: DNSName value: foo - type: DNSName value: bar server-ext-usage: true client-ext-usage: true code-signing-ext-usage: true full-authority-key-identifier: false serial-prefix: fe:ed:ba:be
cert: | -----BEGIN CERTIFICATE----- MIIDUDCCAvagAwIBAgITAKYom2ar3MFwt//DipR5NywBdjAKBggqhkjOPQQDAjBa MQ8wDQYDVQQDEwZBdmFzc2ExEjAQBgNVBAcTCVN0b2NraG9sbTELMAkGA1UEBhMC U0UxDzANBgNVBAoTBkF2YXNzYTEVMBMGA1UECxMMZGlzdHJpYnV0aW9uMCIYDzIw MjIwMTEyMDYyMTQ4WhgPMjAyMjAxMjcwOTU3NDhaMGIxFzAVBgNVBAMTDnRpby5h dmFzc2EubmV0MRIwEAYDVQQHEwlTdG9ja2hvbG0xCzAJBgNVBAYTAlNFMQ8wDQYD VQQKEwZBdmFzc2ExFTATBgNVBAsTDGRpc3RyaWJ1dGlvbjCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBAKa7LYXK0P1IOpXkEAI52kJizdUA74z7NsAegV38 LFvipzCggEJr9niqRNmZqR6B8cs+CWIRZub0Qm5eQIzPtZtzLzwBD+i5AyitW5Tq Top79tVlta4wupAtkxBCOeIAzFtFwWaiGCVA+4D9Ns6TXo7GUxC0aw/MOeRyAHt/ HaBIPk6hIGKOAiCjP4r4fEl4tWpSNzexovCvKCl4fGs4WLvRR1YoNdx0spvROc63 hd9gikokDEuHMsh9Q1wEIP7/V+rgbYGtRw990mHl0zWoGtS+hp/QHAngcJnJiJk3 gOPTXnQKqCzBWUmZUdwt27LKTdK7Vsq6DtNEKchaqRzGMRkCAwEAAaOBwzCBwDB+ BgNVHSMEdzB1oV6kXDBaMQ8wDQYDVQQDEwZBdmFzc2ExEjAQBgNVBAcTCVN0b2Nr aG9sbTELMAkGA1UEBhMCU0UxDzANBgNVBAoTBkF2YXNzYTEVMBMGA1UECxMMZGlz dHJpYnV0aW9ughMAp0MSfyaImp0XtPO3uqCnMRITMCMGA1UdEQQcMBqCDnRpby5h dmFzc2EubmV0ggNmb2+CA2JhcjALBgNVHQ8EBAMCA4gwDAYDVR0TAQH/BAIwADAK BggqhkjOPQQDAgNIADBFAiAssZp0WV7ejre85Zh4LJZQiTVWEObLXRwifAHQoiqi iwIhAOga9thMhWISM1FFgSTeNUtUe9jziVdPfSYQpInAcg3V -----END CERTIFICATE----- private-key: | -----BEGIN EC PRIVATE KEY----- MHcCAQEEIOXuM9bGiQDY9UwAY/8RgJqV+5vq8XIURRKkrAWNQuhvoAoGCCqGSM49 AwEHoUQDQgAENBCgxypqoxzHtxQjqVueMP/MrfboR7C0ix/58VYrEmiOjcWjfyrh 5mHkSHhOuWG9Y9kBQEit0HGZqFdwtvofOg== -----END EC PRIVATE KEY----- ca-root: | -----BEGIN CERTIFICATE----- MIIDUDCCAvagAwIBAgITAKYom2ar3MFwt//DipR5NywBdjAKBggqhkjOPQQDAjBa MQ8wDQYDVQQDEwZBdmFzc2ExEjAQBgNVBAcTCVN0b2NraG9sbTELMAkGA1UEBhMC U0UxDzANBgNVBAoTBkF2YXNzYTEVMBMGA1UECxMMZGlzdHJpYnV0aW9uMCIYDzIw MjIwMTEyMDYyMTQ4WhgPMjAyMjAxMjcwOTU3NDhaMGIxFzAVBgNVBAMTDnRpby5h dmFzc2EubmV0MRIwEAYDVQQHEwlTdG9ja2hvbG0xCzAJBgNVBAYTAlNFMQ8wDQYD VQQKEwZBdmFzc2ExFTATBgNVBAsTDGRpc3RyaWJ1dGlvbjCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBAKa7LYXK0P1IOpXkEAI52kJizdUA74z7NsAegV38 LFvipzCggEJr9niqRNmZqR6B8cs+CWIRZub0Qm5eQIzPtZtzLzwBD+i5AyitW5Tq Top79tVlta4wupAtkxBCOeIAzFtFwWaiGCVA+4D9Ns6TXo7GUxC0aw/MOeRyAHt/ HaBIPk6hIGKOAiCjP4r4fEl4tWpSNzexovCvKCl4fGs4WLvRR1YoNdx0spvROc63 hd9gikokDEuHMsh9Q1wEIP7/V+rgbYGtRw990mHl0zWoGtS+hp/QHAngcJnJiJk3 gOPTXnQKqCzBWUmZUdwt27LKTdK7Vsq6DtNEKchaqRzGMRkCAwEAAaOBwzCBwDB+ BgNVHSMEdzB1oV6kXDBaMQ8wDQYDVQQDEwZBdmFzc2ExEjAQBgNVBAcTCVN0b2Nr aG9sbTELMAkGA1UEBhMCU0UxDzANBgNVBAoTBkF2YXNzYTEVMBMGA1UECxMMZGlz dHJpYnV0aW9ughMAp0MSfyaImp0XtPO3uqCnMRITMCMGA1UdEQQcMBqCDnRpby5h dmFzc2EubmV0ggNmb2+CA2JhcjALBgNVHQ8EBAMCA4gwDAYDVR0TAQH/BAIwADAK BggqhkjOPQQDAgNIADBFAiAssZp0WV7ejre85Zh4LJZQiTVWEObLXRwifAHQoiqi iwIhAOga9thMhWISM1FFgSTeNUtUe9jziVdPfSYQpInAcg3V -----END CERTIFICATE----- ca-chain: | -----BEGIN CERTIFICATE----- MIIDUDCCAvagAwIBAgITAKYom2ar3MFwt//DipR5NywBdjAKBggqhkjOPQQDAjBa MQ8wDQYDVQQDEwZBdmFzc2ExEjAQBgNVBAcTCVN0b2NraG9sbTELMAkGA1UEBhMC U0UxDzANBgNVBAoTBkF2YXNzYTEVMBMGA1UECxMMZGlzdHJpYnV0aW9uMCIYDzIw MjIwMTEyMDYyMTQ4WhgPMjAyMjAxMjcwOTU3NDhaMGIxFzAVBgNVBAMTDnRpby5h dmFzc2EubmV0MRIwEAYDVQQHEwlTdG9ja2hvbG0xCzAJBgNVBAYTAlNFMQ8wDQYD VQQKEwZBdmFzc2ExFTATBgNVBAsTDGRpc3RyaWJ1dGlvbjCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBAKa7LYXK0P1IOpXkEAI52kJizdUA74z7NsAegV38 LFvipzCggEJr9niqRNmZqR6B8cs+CWIRZub0Qm5eQIzPtZtzLzwBD+i5AyitW5Tq Top79tVlta4wupAtkxBCOeIAzFtFwWaiGCVA+4D9Ns6TXo7GUxC0aw/MOeRyAHt/ HaBIPk6hIGKOAiCjP4r4fEl4tWpSNzexovCvKCl4fGs4WLvRR1YoNdx0spvROc63 hd9gikokDEuHMsh9Q1wEIP7/V+rgbYGtRw990mHl0zWoGtS+hp/QHAngcJnJiJk3 gOPTXnQKqCzBWUmZUdwt27LKTdK7Vsq6DtNEKchaqRzGMRkCAwEAAaOBwzCBwDB+ BgNVHSMEdzB1oV6kXDBaMQ8wDQYDVQQDEwZBdmFzc2ExEjAQBgNVBAcTCVN0b2Nr aG9sbTELMAkGA1UEBhMCU0UxDzANBgNVBAoTBkF2YXNzYTEVMBMGA1UECxMMZGlz dHJpYnV0aW9ughMAp0MSfyaImp0XtPO3uqCnMRITMCMGA1UdEQQcMBqCDnRpby5h dmFzc2EubmV0ggNmb2+CA2JhcjALBgNVHQ8EBAMCA4gwDAYDVR0TAQH/BAIwADAK BggqhkjOPQQDAgNIADBFAiAssZp0WV7ejre85Zh4LJZQiTVWEObLXRwifAHQoiqi iwIhAOga9thMhWISM1FFgSTeNUtUe9jziVdPfSYQpInAcg3V -----END CERTIFICATE----- serial: a6:28:9b:66:ab:dc:c1:70:b7:ff:c3:8a:94:79:37:2c:01:76 created: 2022-01-25T09:57:48.000000Z expires: 2022-01-27T09:57:48.000000Z version: 1 ca-cert: | -----BEGIN CERTIFICATE----- MIIDUDCCAvagAwIBAgITAKYom2ar3MFwt//DipR5NywBdjAKBggqhkjOPQQDAjBa MQ8wDQYDVQQDEwZBdmFzc2ExEjAQBgNVBAcTCVN0b2NraG9sbTELMAkGA1UEBhMC U0UxDzANBgNVBAoTBkF2YXNzYTEVMBMGA1UECxMMZGlzdHJpYnV0aW9uMCIYDzIw MjIwMTEyMDYyMTQ4WhgPMjAyMjAxMjcwOTU3NDhaMGIxFzAVBgNVBAMTDnRpby5h dmFzc2EubmV0MRIwEAYDVQQHEwlTdG9ja2hvbG0xCzAJBgNVBAYTAlNFMQ8wDQYD VQQKEwZBdmFzc2ExFTATBgNVBAsTDGRpc3RyaWJ1dGlvbjCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBAKa7LYXK0P1IOpXkEAI52kJizdUA74z7NsAegV38 LFvipzCggEJr9niqRNmZqR6B8cs+CWIRZub0Qm5eQIzPtZtzLzwBD+i5AyitW5Tq Top79tVlta4wupAtkxBCOeIAzFtFwWaiGCVA+4D9Ns6TXo7GUxC0aw/MOeRyAHt/ HaBIPk6hIGKOAiCjP4r4fEl4tWpSNzexovCvKCl4fGs4WLvRR1YoNdx0spvROc63 hd9gikokDEuHMsh9Q1wEIP7/V+rgbYGtRw990mHl0zWoGtS+hp/QHAngcJnJiJk3 gOPTXnQKqCzBWUmZUdwt27LKTdK7Vsq6DtNEKchaqRzGMRkCAwEAAaOBwzCBwDB+ BgNVHSMEdzB1oV6kXDBaMQ8wDQYDVQQDEwZBdmFzc2ExEjAQBgNVBAcTCVN0b2Nr aG9sbTELMAkGA1UEBhMCU0UxDzANBgNVBAoTBkF2YXNzYTEVMBMGA1UECxMMZGlz dHJpYnV0aW9ughMAp0MSfyaImp0XtPO3uqCnMRITMCMGA1UdEQQcMBqCDnRpby5h dmFzc2EubmV0ggNmb2+CA2JhcjALBgNVHQ8EBAMCA4gwDAYDVR0TAQH/BAIwADAK BggqhkjOPQQDAgNIADBFAiAssZp0WV7ejre85Zh4LJZQiTVWEObLXRwifAHQoiqi iwIhAOga9thMhWISM1FFgSTeNUtUe9jziVdPfSYQpInAcg3V -----END CERTIFICATE-----
Renews a certificate if needed. The action first verifies that the certificate given as argument is signed by the CA, then examines the expiration time. If the refresh threshold has been reached then a new certificate is generated, together with a new public key.
OK
Bad Request
Unauthorized
Forbidden
Not Found
Service Unavailable (strongbox sealed)
version: 1 cert: | -----BEGIN CERTIFICATE----- MIICizCCAjGgAwIBAgITANNt94hZ1dY/yf1V21FDUK6xVzAKBggqhkjOPQQDAjBg MRUwEwYDVQQDEwxpbnRlcm1lZGlhdGUxEjAQBgNVBAcTCVN0b2NraG9sbTELMAkG A1UEBhMCU0UxDzANBgNVBAoTBkF2YXNzYTEVMBMGA1UECxMMZGlzdHJpYnV0aW9u MCIYDzIwMjIwMTEyMDU1MzIxWhgPMjAyMjAxMjcwOTI5MjFaMGIxFzAVBgNVBAMT DnRpby5hdmFzc2EubmV0MRIwEAYDVQQHEwlTdG9ja2hvbG0xCzAJBgNVBAYTAlNF MQ8wDQYDVQQKEwZBdmFzc2ExFTATBgNVBAsTDGRpc3RyaWJ1dGlvbjBZMBMGByqG SM49AgEGCCqGSM49AwEHA0IABP12drrHCZgUNGKY4+AirpP8Srjtuf2wUYLyOELu 5w+Q4bPBUOBnT0VQ7MJEGH1CS4TdBDZMmc/sC8iS6zqGjaujgcMwgcAwfgYDVR0j BHcwdaFepFwwWjEPMA0GA1UEAxMGQXZhc3NhMRIwEAYDVQQHEwlTdG9ja2hvbG0x CzAJBgNVBAYTAlNFMQ8wDQYDVQQKEwZBdmFzc2ExFTATBgNVBAsTDGRpc3RyaWJ1 dGlvboITAN7Ag9ldW5mmpYKFnCWuYLZqaDAjBgNVHREEHDAagg50aW8uYXZhc3Nh Lm5ldIIDZm9vggNiYXIwCwYDVR0PBAQDAgOIMAwGA1UdEwEB/wQCMAAwCgYIKoZI zj0EAwIDSAAwRQIhAPAEa0/l9oOmLfRVKjDVFFcw81q91diNmERB3bOWc6X8AiB5 jYenpXwkbchHtu3etE0/3FzLSVTN453CDVU6gIAtJw== -----END CERTIFICATE----- threshold: 15d ttl: 15d force: true
cert: | -----BEGIN CERTIFICATE----- MIICizCCAjGgAwIBAgITAOlTFCbPxuMxTI7XY0XnZxm6xDAKBggqhkjOPQQDAjBg MRUwEwYDVQQDEwxpbnRlcm1lZGlhdGUxEjAQBgNVBAcTCVN0b2NraG9sbTELMAkG A1UEBhMCU0UxDzANBgNVBAoTBkF2YXNzYTEVMBMGA1UECxMMZGlzdHJpYnV0aW9u MCIYDzIwMjIwMTEyMDU1MzIxWhgPMjAyMjAxMjcwOTI5MjFaMGIxFzAVBgNVBAMT DnRpby5hdmFzc2EubmV0MRIwEAYDVQQHEwlTdG9ja2hvbG0xCzAJBgNVBAYTAlNF MQ8wDQYDVQQKEwZBdmFzc2ExFTATBgNVBAsTDGRpc3RyaWJ1dGlvbjBZMBMGByqG SM49AgEGCCqGSM49AwEHA0IABJxqeVJyPzB1TIpL6//bWCrrrrk9D3JkGBv4DHEk eBoXgDfV8n8Ni5m5PtazeJE+91WX0yhRCGZVRyohpzbx8+qjgcMwgcAwfgYDVR0j BHcwdaFepFwwWjEPMA0GA1UEAxMGQXZhc3NhMRIwEAYDVQQHEwlTdG9ja2hvbG0x CzAJBgNVBAYTAlNFMQ8wDQYDVQQKEwZBdmFzc2ExFTATBgNVBAsTDGRpc3RyaWJ1 dGlvboITAN7Ag9ldW5mmpYKFnCWuYLZqaDAjBgNVHREEHDAagg50aW8uYXZhc3Nh Lm5ldIIDZm9vggNiYXIwCwYDVR0PBAQDAgOIMAwGA1UdEwEB/wQCMAAwCgYIKoZI zj0EAwIDSAAwRQIgWgpHPxZ5Y/U1a2jlMqyojqy0ux5T9a15gc1BXmj3MegCIQD8 Lxclz6XhhIsMoOpBTX45gFMJmhDOisflmcsCumup9A== -----END CERTIFICATE----- private-key: | -----BEGIN EC PRIVATE KEY----- MHcCAQEEIA69qgOw6+y/6aDASXFWtK17P98TvTlKcWZ3H5IZKDF4oAoGCCqGSM49 AwEHoUQDQgAEnGp5UnI/MHVMikvr/9tYKuuuuT0PcmQYG/gMcSR4GheAN9Xyfw2L mbk+1rN4kT73VZfTKFEIZlVHKiGnNvHz6g== -----END EC PRIVATE KEY----- serial: e9:53:14:26:cf:c6:e3:31:4c:8e:d7:63:45:e7:67:19:ba:c4 expires: 2022-01-27T09:29:21.000000Z
No Content
Bad Request
Unauthorized
Forbidden
Not Found
Service Unavailable (strongbox sealed)
version: 1 serial: 02:59:cd:ba:9a:c3:7b:81:ad:d4:8b:be:35:f1:e3:10:a1:fa revoke-time: 2023-01-12T09:27:23.000000Z reason: keyCompromise
OK
Bad Request
Unauthorized
Forbidden
Not Found
Service Unavailable (strongbox sealed)
ttl: 1y
ca-cert: | -----BEGIN CERTIFICATE----- MIICHTCCAcOgAwIBAgISWNECRJYLYnewT+3Ujk574sRJMAoGCCqGSM49BAMCMGUx GjAYBgNVBAMTEUF2YXNzYSBBUEkgcm9vdCAyMRIwEAYDVQQHEwlTdG9ja2hvbG0x CzAJBgNVBAYTAlNFMQ8wDQYDVQQKEwZBdmFzc2ExFTATBgNVBAsTDGRpc3RyaWJ1 dGlvbjAiGA8yMDIyMDEwODE4NDk1NFoYDzIwMjMwMTEyMTAyNTU0WjBlMRowGAYD VQQDExFBdmFzc2EgQVBJIHJvb3QgMjESMBAGA1UEBxMJU3RvY2tob2xtMQswCQYD VQQGEwJTRTEPMA0GA1UEChMGQXZhc3NhMRUwEwYDVQQLEwxkaXN0cmlidXRpb24w WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASvGeQvFMppCCzWIuoC9aLlPa+LMFec pPcRKkPxNKnFgfxxQkj8BxHFK983DkQPRN8DqLTnVu9PlbHF9vafoCZEo08wTTAO BgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBATAnBgNVHR8EIDAeMByg GqAYhhZodHRwOi8vY3JsLmF2YXNzYS5uZXQvMAoGCCqGSM49BAMCA0gAMEUCIQCn rmajChgRM8BwDUr205011d/ra3spqDQqz+z32DjZEwIgNJp+7hOxQxUwejpDamRW BcbypHLoQkU/SCFeASg47vs= -----END CERTIFICATE----- expires: 2023-01-12T10:25:54.000000Z version: 2