TLS CAs

A TLS CA is used for generating certificates: client, server and CA. These are the common parameters for the CA. The CA role places some restrictions on the certificates that can be generated from the CA.

Create a new tls ca

Security: accessToken
Request
query Parameters
validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
Request Body schema:
One of:
pathlen-constraint
integer <uint32>

If configured, set the pathlen extension in the generated certificates. The pathlen extension controls the maximum length of the certificate chain that may descend from the root certificate.

ttl
string <duration>
Default: "365d"

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>h][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

TTL of the generated CA certificate; it applies whenever a CA certificate is generated for this CA.

cert-key-type
string <cipher-key-type>
Default: "ecdsa"
  • ecdsa: Elliptic Curve Digital Signature Algorithm
  • rsa: Rivest-Shamir-Adleman public-key cryptosystem
cert-key-curve
string <cipher-key-curve>
Default: "secp256r1"
  • secp256r1
  • secp384r1
  • secp521r1

Elliptic curve ciphers.

Valid when: ../cert-key-type = 'ecdsa'

cert-key-size
integer <uint32>
Default: 2048

Valid when: ../cert-key-type = 'rsa'

subject
string
Default: "Avassa"

Subject of generated CA root certificate. Only used when no ca-cert is supplied.

crl-dist-url
string

URL of CRL distribution point. It is generated into the CA certificate

issuing-ca
string

If this CA certificate should be an intermediate certificate, then an issuing-ca must be specified. The issuing-ca must be the name of an existing CA that can issue a CA certificate.

digest
string <digest-type>
Default: "sha256"
  • sha1
  • sha224
  • sha256
  • sha384
  • sha512

Digest types; sha1 should be avoided.
name
string <name>
object

It is often a good idea to create a new root certificate some time before the old certificate expires. This allows the new root certificate to be distributed to all parties that should be able to validate certificates issued from it. Once the new certificate has been distributed it can be used for issuing new certificates, i.e. activated.

For example, if we have agents that request new certificates with a duration of 135 days, then a new certificate must be activated at least 135 days before the old certificate expires, to ensure that the CA certificate is valid for the whole time the issued certificates are valid.

Also, to ensure that an agent's certificate is recognized by all other agents, the new root certificate must be created 135+135 days before the old certificate expires. This ensures that it has been included in the CA bundles that the agents receive when requesting new certificates. It must be included at least 135 days before it is first used, or there is a risk that some peers will not recognize the certificate.
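The two deadlines in the example above (switch issuance to the new root one agent TTL before the old root expires, and create the new root one agent TTL before that), together with a parser for the `<duration>` strings this API uses everywhere, as an added Python example. This is not Avassa code. It assumes a year of 365 days and, for the auto-renew check, that `renew-threshold` and `activate-threshold` are both measured backwards from the expiry of the current root (the sample values 1y175d and 1y40d differ by exactly 135 days, the agent TTL used above).

```python
import re
from datetime import datetime, timedelta

# Documented duration format: [<digits>y][<digits>d][<digits>h][<digits>m][<digits>s].
# The groups must appear in this order, so "1y2d5h" and "10m30s" parse while
# "5h1y" (out of order) and "135" (no unit) are rejected.
_DURATION_RE = re.compile(
    r"(?:(?P<y>\d+)y)?(?:(?P<d>\d+)d)?(?:(?P<h>\d+)h)?(?:(?P<m>\d+)m)?(?:(?P<s>\d+)s)?"
)
# Assumption: one year is 365 days; the API text does not define it.
_UNIT_SECONDS = {"y": 365 * 86400, "d": 86400, "h": 3600, "m": 60, "s": 1}
# Timestamp format used by the state responses, e.g. "2027-05-11T12:03:17.000000Z".
_TS = "%Y-%m-%dT%H:%M:%S.%fZ"


def parse_duration(text: str) -> timedelta:
    """Parse an API duration such as '1y175d' or '10m30s' into a timedelta."""
    match = _DURATION_RE.fullmatch(text.strip())
    if match is None or not any(match.groupdict().values()):
        raise ValueError(f"invalid duration: {text!r}")
    seconds = sum(int(v) * _UNIT_SECONDS[k] for k, v in match.groupdict().items() if v)
    return timedelta(seconds=seconds)


def format_duration(delta: timedelta) -> str:
    """Render a timedelta in the same format. Days are the largest unit emitted,
    so the output never depends on the 365-day assumption."""
    total = int(delta.total_seconds())
    if total < 0:
        raise ValueError("negative duration")
    parts = []
    for unit in ("d", "h", "m", "s"):
        count, total = divmod(total, _UNIT_SECONDS[unit])
        if count:
            parts.append(f"{count}{unit}")
    return "".join(parts) or "0s"


def rollover_schedule(old_expires: str, agent_cert_ttl: str) -> dict:
    """Deadlines implied by the rule above. Issuance must switch to the
    replacement root one agent TTL before the old root expires, so that no
    certificate issued by the old root outlives it; the replacement must be
    created one agent TTL before that, so that every peer has received it in
    a CA bundle before the first certificate it signs appears."""
    expires = datetime.strptime(old_expires, _TS)
    ttl = parse_duration(agent_cert_ttl)
    activate_by = expires - ttl
    create_by = activate_by - ttl
    return {"create_by": create_by.strftime(_TS), "activate_by": activate_by.strftime(_TS)}


def thresholds_cover(renew_threshold: str, activate_threshold: str, agent_cert_ttl: str) -> bool:
    """Check an auto-renew configuration against the same rule. Assumption:
    both thresholds count backwards from expiry of the current root, renewal
    creating the new version and activation switching issuance to it."""
    renew = parse_duration(renew_threshold)
    activate = parse_duration(activate_threshold)
    ttl = parse_duration(agent_cert_ttl)
    return activate >= ttl and renew - activate >= ttl
```

`rollover_schedule` takes the `expires` timestamp exactly as the state endpoints return it, so its output can be compared directly against `latest-expires-in` and `active-expires-in` from check-ca after parsing those with `parse_duration`.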

serial-prefix
string <hex-string> ^([0-9a-fA-F]{2}(:[0-9a-fA-F]{2})*)?$

Default serial number prefix. It will be used if no prefix is supplied in the issue-cert action.

The serial-prefix is used as a fixed prefix to the randomly generated 144 bit serial number associated with issued certificates.

to (object) or sites (object) or deployments (object)
active-version
integer <uint32>

The active certificate, i.e. the certificate that is used when issuing new certificates or renewing old ones. Note that this is not the same as the latest-version, since it is often desirable to create a new root certificate and start distributing it to all parties that need to verify certificates some time before actually starting to issue certificates from it.

oldest-version
integer <uint32>

The oldest version to include when requesting ca certificates for this CA. Expired certificates will never be included in the CA certificate bundle.

Responses
201

Created

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

409

Conflict (instance exists)

503

Service Unavailable (strongbox sealed)

POST /v1/config/strongbox/tls/ca
Request samples
name: api-root
ttl: 1y
cert-key-type: ecdsa
subject: Avassa
digest: sha256
auto-renew:
  renew-threshold: 1y175d
  activate-threshold: 1y40d
serial-prefix: fe:ed:ba:be
distribute:
  to: inherit
active-version: 2
oldest-version: 1

Retrieve the configuration of all tls cas

Security: accessToken
Request
query Parameters
fields
string

Retrieve only requested fields from the resource

See section fields

validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
keys
string <enumeration>

Retrieve only the keys for the list

Value: "true"
count
string <enumeration>

Retrieve only the number of elements in the list

Value: "true"
Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

GET /v1/config/strongbox/tls/ca
Response samples
- name: api-root
  ttl: 1y
  cert-key-type: ecdsa
  subject: Avassa
  digest: sha256
  auto-renew:
    renew-threshold: 1y175d
    activate-threshold: 1y40d
  serial-prefix: fe:ed:ba:be
  distribute:
    to: inherit
  active-version: 2
  oldest-version: 1
  

Update a tls ca

Security: accessToken
Request
path Parameters
tls-ca-name
required
string <name>

name of tls-ca

query Parameters
validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
Request Body schema:
One of:
pathlen-constraint
integer <uint32>

If configured, set the pathlen extension in the generated certificates. The pathlen extension controls the maximum length of the certificate chain that may descend from the root certificate.

ttl
string <duration>
Default: "365d"

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>h][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

TTL of the generated CA certificate; it applies whenever a CA certificate is generated for this CA.

cert-key-type
string <cipher-key-type>
Default: "ecdsa"
  • ecdsa: Elliptic Curve Digital Signature Algorithm
  • rsa: Rivest-Shamir-Adleman public-key cryptosystem
cert-key-curve
string <cipher-key-curve>
Default: "secp256r1"
  • secp256r1
  • secp384r1
  • secp521r1

Elliptic curve ciphers.

Valid when: ../cert-key-type = 'ecdsa'

cert-key-size
integer <uint32>
Default: 2048

Valid when: ../cert-key-type = 'rsa'

subject
string
Default: "Avassa"

Subject of generated CA root certificate. Only used when no ca-cert is supplied.

crl-dist-url
string

URL of CRL distribution point. It is generated into the CA certificate

issuing-ca
string

If this CA certificate should be an intermediate certificate, then an issuing-ca must be specified. The issuing-ca must be the name of an existing CA that can issue a CA certificate.

digest
string <digest-type>
Default: "sha256"
  • sha1
  • sha224
  • sha256
  • sha384
  • sha512

Digest types; sha1 should be avoided.
name
string <name>
object

It is often a good idea to create a new root certificate some time before the old certificate expires. This allows the new root certificate to be distributed to all parties that should be able to validate certificates issued from it. Once the new certificate has been distributed it can be used for issuing new certificates, i.e. activated.

For example, if we have agents that request new certificates with a duration of 135 days, then a new certificate must be activated at least 135 days before the old certificate expires, to ensure that the CA certificate is valid for the whole time the issued certificates are valid.

Also, to ensure that an agent's certificate is recognized by all other agents, the new root certificate must be created 135+135 days before the old certificate expires. This ensures that it has been included in the CA bundles that the agents receive when requesting new certificates. It must be included at least 135 days before it is first used, or there is a risk that some peers will not recognize the certificate.

serial-prefix
string <hex-string> ^([0-9a-fA-F]{2}(:[0-9a-fA-F]{2})*)?$

Default serial number prefix. It will be used if no prefix is supplied in the issue-cert action.

The serial-prefix is used as a fixed prefix to the randomly generated 144 bit serial number associated with issued certificates.

to (object) or sites (object) or deployments (object)
active-version
integer <uint32>

The active certificate, i.e. the certificate that is used when issuing new certificates or renewing old ones. Note that this is not the same as the latest-version, since it is often desirable to create a new root certificate and start distributing it to all parties that need to verify certificates some time before actually starting to issue certificates from it.

oldest-version
integer <uint32>

The oldest version to include when requesting ca certificates for this CA. Expired certificates will never be included in the CA certificate bundle.

Responses
204

No Content

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

PATCH /v1/config/strongbox/tls/ca/{tls-ca-name}
Request samples
name: api-root
ttl: 1y
cert-key-type: ecdsa
subject: Avassa
digest: sha256
auto-renew:
  renew-threshold: 1y175d
  activate-threshold: 1y40d
serial-prefix: fe:ed:ba:be
distribute:
  to: inherit
active-version: 2
oldest-version: 1

Delete a tls ca

Security: accessToken
Request
path Parameters
tls-ca-name
required
string <name>

name of tls-ca

query Parameters
validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
Responses
204

No Content

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

DELETE /v1/config/strongbox/tls/ca/{tls-ca-name}

Replace or create a new tls ca

Security: accessToken
Request
path Parameters
tls-ca-name
required
string <name>

name of tls-ca

query Parameters
validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
Request Body schema:
One of:
pathlen-constraint
integer <uint32>

If configured, set the pathlen extension in the generated certificates. The pathlen extension controls the maximum length of the certificate chain that may descend from the root certificate.

ttl
string <duration>
Default: "365d"

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>h][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

TTL of the generated CA certificate; it applies whenever a CA certificate is generated for this CA.

cert-key-type
string <cipher-key-type>
Default: "ecdsa"
  • ecdsa: Elliptic Curve Digital Signature Algorithm
  • rsa: Rivest-Shamir-Adleman public-key cryptosystem
cert-key-curve
string <cipher-key-curve>
Default: "secp256r1"
  • secp256r1
  • secp384r1
  • secp521r1

Elliptic curve ciphers.

Valid when: ../cert-key-type = 'ecdsa'

cert-key-size
integer <uint32>
Default: 2048

Valid when: ../cert-key-type = 'rsa'

subject
string
Default: "Avassa"

Subject of generated CA root certificate. Only used when no ca-cert is supplied.

crl-dist-url
string

URL of CRL distribution point. It is generated into the CA certificate

issuing-ca
string

If this CA certificate should be an intermediate certificate, then an issuing-ca must be specified. The issuing-ca must be the name of an existing CA that can issue a CA certificate.

digest
string <digest-type>
Default: "sha256"
  • sha1
  • sha224
  • sha256
  • sha384
  • sha512

Digest types; sha1 should be avoided.
name
string <name>
object

It is often a good idea to create a new root certificate some time before the old certificate expires. This allows the new root certificate to be distributed to all parties that should be able to validate certificates issued from it. Once the new certificate has been distributed it can be used for issuing new certificates, i.e. activated.

For example, if we have agents that request new certificates with a duration of 135 days, then a new certificate must be activated at least 135 days before the old certificate expires, to ensure that the CA certificate is valid for the whole time the issued certificates are valid.

Also, to ensure that an agent's certificate is recognized by all other agents, the new root certificate must be created 135+135 days before the old certificate expires. This ensures that it has been included in the CA bundles that the agents receive when requesting new certificates. It must be included at least 135 days before it is first used, or there is a risk that some peers will not recognize the certificate.

serial-prefix
string <hex-string> ^([0-9a-fA-F]{2}(:[0-9a-fA-F]{2})*)?$

Default serial number prefix. It will be used if no prefix is supplied in the issue-cert action.

The serial-prefix is used as a fixed prefix to the randomly generated 144 bit serial number associated with issued certificates.

to (object) or sites (object) or deployments (object)
active-version
integer <uint32>

The active certificate, i.e. the certificate that is used when issuing new certificates or renewing old ones. Note that this is not the same as the latest-version, since it is often desirable to create a new root certificate and start distributing it to all parties that need to verify certificates some time before actually starting to issue certificates from it.

oldest-version
integer <uint32>

The oldest version to include when requesting ca certificates for this CA. Expired certificates will never be included in the CA certificate bundle.

Responses
201

Created

204

No Content

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

PUT /v1/config/strongbox/tls/ca/{tls-ca-name}
Request samples
name: api-root
ttl: 1y
cert-key-type: ecdsa
subject: Avassa
digest: sha256
auto-renew:
  renew-threshold: 1y175d
  activate-threshold: 1y40d
serial-prefix: fe:ed:ba:be
distribute:
  to: inherit
active-version: 2
oldest-version: 1

Retrieve the configuration of a tls ca

Security: accessToken
Request
path Parameters
tls-ca-name
required
string <name>

name of tls-ca

query Parameters
fields
string

Retrieve only requested fields from the resource

See section fields

validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
version-list
string <enumeration>

Retrieve list of old versions

Value: "true"
version
string

Retrieve requested old version of the resource

Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

GET /v1/config/strongbox/tls/ca/{tls-ca-name}
Response samples
name: api-root
ttl: 1y
cert-key-type: ecdsa
subject: Avassa
digest: sha256
auto-renew:
  renew-threshold: 1y175d
  activate-threshold: 1y40d
serial-prefix: fe:ed:ba:be
distribute:
  to: inherit
active-version: 2
oldest-version: 1

Retrieve the state of all tls cas

Security: accessToken
Request
query Parameters
fields
string

Retrieve only requested fields from the resource

See section fields

site
string

Send the request to the specified site

content
string <enumeration>

Filter descendant nodes in the response

Enum: "config" "nonconfig"
keys
string <enumeration>

Retrieve only the keys for the list

Value: "true"
count
string <enumeration>

Retrieve only the number of elements in the list

Value: "true"
Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

GET /v1/state/strongbox/tls/ca
Response samples
- name: api-root
  ttl: 1y
  cert-key-type: ecdsa
  subject: Avassa
  digest: sha256
  auto-renew:
    renew-threshold: 1y175d
    activate-threshold: 1y40d
  ca-cert: |
    -----BEGIN CERTIFICATE-----
    MIICHjCCAcSgAwIBAgITAOABFWQnCwCKUEO/iYa7SJ1dvTAKBggqhkjOPQQDAjBl
    MRowGAYDVQQDExFBdmFzc2EgQVBJIHJvb3QgMjESMBAGA1UEBxMJU3RvY2tob2xt
    MQswCQYDVQQGEwJTRTEPMA0GA1UEChMGQXZhc3NhMRUwEwYDVQQLEwxkaXN0cmli
    dXRpb24wIhgPMjAyMTEyMjQwMTE1MTdaGA8yMDI3MDUxMTEyMDMxN1owZTEaMBgG
    A1UEAxMRQXZhc3NhIEFQSSByb290IDIxEjAQBgNVBAcTCVN0b2NraG9sbTELMAkG
    A1UEBhMCU0UxDzANBgNVBAoTBkF2YXNzYTEVMBMGA1UECxMMZGlzdHJpYnV0aW9u
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEhZQ9Daqh+LrlS3955P8CblkMQF8a
    DoxnXxrtAsWFfzrEaCV0gxiFi/GGuxyK+ZCtGTVIsos0a1kghxHbUUPwKaNPME0w
    DgYDVR0PAQH/BAQDAgGGMBIGA1UdEwEB/wQIMAYBAf8CAQEwJwYDVR0fBCAwHjAc
    oBqgGIYWaHR0cDovL2NybC5hdmFzc2EubmV0LzAKBggqhkjOPQQDAgNIADBFAiEA
    kS4OtbkkgKhdp2RCv7qUkNGHDNVRN3hyrAopHN/RSRsCIFRtTWKIJzburtDVxdle
    ruV7H8IH63kUgYC1ajb+rkrr
    -----END CERTIFICATE-----
  serial-prefix: fe:ed:ba:be
  expires: 2027-05-11T12:03:17.000000Z
  revocations:
    - serial: a6:28:9b:66:ab:dc:c1:70:b7:ff:c3:8a:94:79:37:2c:01:76
      revoke-time: 2023-01-12T09:27:23.000000Z
      reason: keyCompromise
  distribute:
    to: inherit
  distribution-status:
    to: none
  version: 2
  active-version: 2
  oldest-version: 1
  latest-version: 2
  versions:
    - version: 1
      ca-cert: |
        -----BEGIN CERTIFICATE-----
        MIICGjCCAcCgAwIBAgITAO/NC0Z5yctxyRpMjHZFHT6x0zAKBggqhkjOPQQDAjBj
        MRgwFgYDVQQDEw9BdmFzc2EgQVBJIHJvb3QxEjAQBgNVBAcTCVN0b2NraG9sbTEL
        MAkGA1UEBhMCU0UxDzANBgNVBAoTBkF2YXNzYTEVMBMGA1UECxMMZGlzdHJpYnV0
        aW9uMCIYDzIwMjExMjMxMDgyNjIxWhgPMjAyNTA1MTExMjAyMjFaMGMxGDAWBgNV
        BAMTD0F2YXNzYSBBUEkgcm9vdDESMBAGA1UEBxMJU3RvY2tob2xtMQswCQYDVQQG
        EwJTRTEPMA0GA1UEChMGQXZhc3NhMRUwEwYDVQQLEwxkaXN0cmlidXRpb24wWTAT
        BgcqhkjOPQIBBggqhkjOPQMBBwNCAATuXTmB7v1gUFnFlJlmSQ0VsWEW5ysw/lkp
        MFNuQOGW1Hq4PqBk98OXbi4uQhnBVb3daJ+a4G30utBssXqnKTFro08wTTAOBgNV
        HQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBATAnBgNVHR8EIDAeMBygGqAY
        hhZodHRwOi8vY3JsLmF2YXNzYS5uZXQvMAoGCCqGSM49BAMCA0gAMEUCIEyUSton
        y2VYNwG+Q3uYU0wCcdpmfA6zmEh0yKM6HmfVAiEArespFvfEYKBA6gHdz7N3J2hO
        il2zDBrzyH3xWs95mt0=
        -----END CERTIFICATE-----
      expires: 2025-05-11T12:02:21.000000Z
      revocations:
        - serial: a6:28:9b:66:ab:dc:c1:70:b7:ff:c3:8a:94:79:37:2c:01:76
          revoke-time: 2023-01-12T09:27:23.000000Z
          reason: keyCompromise
    - version: 2
      ca-cert: |
        -----BEGIN CERTIFICATE-----
        MIICHjCCAcSgAwIBAgITAOABFWQnCwCKUEO/iYa7SJ1dvTAKBggqhkjOPQQDAjBl
        MRowGAYDVQQDExFBdmFzc2EgQVBJIHJvb3QgMjESMBAGA1UEBxMJU3RvY2tob2xt
        MQswCQYDVQQGEwJTRTEPMA0GA1UEChMGQXZhc3NhMRUwEwYDVQQLEwxkaXN0cmli
        dXRpb24wIhgPMjAyMTEyMjQwMTE1MTdaGA8yMDI3MDUxMTEyMDMxN1owZTEaMBgG
        A1UEAxMRQXZhc3NhIEFQSSByb290IDIxEjAQBgNVBAcTCVN0b2NraG9sbTELMAkG
        A1UEBhMCU0UxDzANBgNVBAoTBkF2YXNzYTEVMBMGA1UECxMMZGlzdHJpYnV0aW9u
        MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEhZQ9Daqh+LrlS3955P8CblkMQF8a
        DoxnXxrtAsWFfzrEaCV0gxiFi/GGuxyK+ZCtGTVIsos0a1kghxHbUUPwKaNPME0w
        DgYDVR0PAQH/BAQDAgGGMBIGA1UdEwEB/wQIMAYBAf8CAQEwJwYDVR0fBCAwHjAc
        oBqgGIYWaHR0cDovL2NybC5hdmFzc2EubmV0LzAKBggqhkjOPQQDAgNIADBFAiEA
        kS4OtbkkgKhdp2RCv7qUkNGHDNVRN3hyrAopHN/RSRsCIFRtTWKIJzburtDVxdle
        ruV7H8IH63kUgYC1ajb+rkrr
        -----END CERTIFICATE-----
      expires: 2027-05-11T12:03:17.000000Z
      revocations:
        - serial: a6:28:9b:66:ab:dc:c1:70:b7:ff:c3:8a:94:79:37:2c:01:76
          revoke-time: 2023-01-12T09:27:23.000000Z
          reason: keyCompromise
  

Retrieve the state of a tls ca

Security: accessToken
Request
path Parameters
tls-ca-name
required
string <name>

name of tls-ca

query Parameters
fields
string

Retrieve only requested fields from the resource

See section fields

site
string

Send the request to the specified site

content
string <enumeration>

Filter descendant nodes in the response

Enum: "config" "nonconfig"
Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

GET /v1/state/strongbox/tls/ca/{tls-ca-name}
Response samples
name: api-root
ttl: 1y
cert-key-type: ecdsa
subject: Avassa
digest: sha256
auto-renew:
  renew-threshold: 1y175d
  activate-threshold: 1y40d
ca-cert: |
  -----BEGIN CERTIFICATE-----
  MIICHjCCAcSgAwIBAgITAOABFWQnCwCKUEO/iYa7SJ1dvTAKBggqhkjOPQQDAjBl
  MRowGAYDVQQDExFBdmFzc2EgQVBJIHJvb3QgMjESMBAGA1UEBxMJU3RvY2tob2xt
  MQswCQYDVQQGEwJTRTEPMA0GA1UEChMGQXZhc3NhMRUwEwYDVQQLEwxkaXN0cmli
  dXRpb24wIhgPMjAyMTEyMjQwMTE1MTdaGA8yMDI3MDUxMTEyMDMxN1owZTEaMBgG
  A1UEAxMRQXZhc3NhIEFQSSByb290IDIxEjAQBgNVBAcTCVN0b2NraG9sbTELMAkG
  A1UEBhMCU0UxDzANBgNVBAoTBkF2YXNzYTEVMBMGA1UECxMMZGlzdHJpYnV0aW9u
  MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEhZQ9Daqh+LrlS3955P8CblkMQF8a
  DoxnXxrtAsWFfzrEaCV0gxiFi/GGuxyK+ZCtGTVIsos0a1kghxHbUUPwKaNPME0w
  DgYDVR0PAQH/BAQDAgGGMBIGA1UdEwEB/wQIMAYBAf8CAQEwJwYDVR0fBCAwHjAc
  oBqgGIYWaHR0cDovL2NybC5hdmFzc2EubmV0LzAKBggqhkjOPQQDAgNIADBFAiEA
  kS4OtbkkgKhdp2RCv7qUkNGHDNVRN3hyrAopHN/RSRsCIFRtTWKIJzburtDVxdle
  ruV7H8IH63kUgYC1ajb+rkrr
  -----END CERTIFICATE-----
serial-prefix: fe:ed:ba:be
expires: 2027-05-11T12:03:17.000000Z
revocations:
  - serial: a6:28:9b:66:ab:dc:c1:70:b7:ff:c3:8a:94:79:37:2c:01:76
    revoke-time: 2023-01-12T09:27:23.000000Z
    reason: keyCompromise
distribute:
  to: inherit
distribution-status:
  to: none
version: 2
active-version: 2
oldest-version: 1
latest-version: 2
versions:
  - version: 1
    ca-cert: |
      -----BEGIN CERTIFICATE-----
      MIICGjCCAcCgAwIBAgITAO/NC0Z5yctxyRpMjHZFHT6x0zAKBggqhkjOPQQDAjBj
      MRgwFgYDVQQDEw9BdmFzc2EgQVBJIHJvb3QxEjAQBgNVBAcTCVN0b2NraG9sbTEL
      MAkGA1UEBhMCU0UxDzANBgNVBAoTBkF2YXNzYTEVMBMGA1UECxMMZGlzdHJpYnV0
      aW9uMCIYDzIwMjExMjMxMDgyNjIxWhgPMjAyNTA1MTExMjAyMjFaMGMxGDAWBgNV
      BAMTD0F2YXNzYSBBUEkgcm9vdDESMBAGA1UEBxMJU3RvY2tob2xtMQswCQYDVQQG
      EwJTRTEPMA0GA1UEChMGQXZhc3NhMRUwEwYDVQQLEwxkaXN0cmlidXRpb24wWTAT
      BgcqhkjOPQIBBggqhkjOPQMBBwNCAATuXTmB7v1gUFnFlJlmSQ0VsWEW5ysw/lkp
      MFNuQOGW1Hq4PqBk98OXbi4uQhnBVb3daJ+a4G30utBssXqnKTFro08wTTAOBgNV
      HQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBATAnBgNVHR8EIDAeMBygGqAY
      hhZodHRwOi8vY3JsLmF2YXNzYS5uZXQvMAoGCCqGSM49BAMCA0gAMEUCIEyUSton
      y2VYNwG+Q3uYU0wCcdpmfA6zmEh0yKM6HmfVAiEArespFvfEYKBA6gHdz7N3J2hO
      il2zDBrzyH3xWs95mt0=
      -----END CERTIFICATE-----
    expires: 2025-05-11T12:02:21.000000Z
    revocations:
      - serial: a6:28:9b:66:ab:dc:c1:70:b7:ff:c3:8a:94:79:37:2c:01:76
        revoke-time: 2023-01-12T09:27:23.000000Z
        reason: keyCompromise
  - version: 2
    ca-cert: |
      -----BEGIN CERTIFICATE-----
      MIICHjCCAcSgAwIBAgITAOABFWQnCwCKUEO/iYa7SJ1dvTAKBggqhkjOPQQDAjBl
      MRowGAYDVQQDExFBdmFzc2EgQVBJIHJvb3QgMjESMBAGA1UEBxMJU3RvY2tob2xt
      MQswCQYDVQQGEwJTRTEPMA0GA1UEChMGQXZhc3NhMRUwEwYDVQQLEwxkaXN0cmli
      dXRpb24wIhgPMjAyMTEyMjQwMTE1MTdaGA8yMDI3MDUxMTEyMDMxN1owZTEaMBgG
      A1UEAxMRQXZhc3NhIEFQSSByb290IDIxEjAQBgNVBAcTCVN0b2NraG9sbTELMAkG
      A1UEBhMCU0UxDzANBgNVBAoTBkF2YXNzYTEVMBMGA1UECxMMZGlzdHJpYnV0aW9u
      MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEhZQ9Daqh+LrlS3955P8CblkMQF8a
      DoxnXxrtAsWFfzrEaCV0gxiFi/GGuxyK+ZCtGTVIsos0a1kghxHbUUPwKaNPME0w
      DgYDVR0PAQH/BAQDAgGGMBIGA1UdEwEB/wQIMAYBAf8CAQEwJwYDVR0fBCAwHjAc
      oBqgGIYWaHR0cDovL2NybC5hdmFzc2EubmV0LzAKBggqhkjOPQQDAgNIADBFAiEA
      kS4OtbkkgKhdp2RCv7qUkNGHDNVRN3hyrAopHN/RSRsCIFRtTWKIJzburtDVxdle
      ruV7H8IH63kUgYC1ajb+rkrr
      -----END CERTIFICATE-----
    expires: 2027-05-11T12:03:17.000000Z
    revocations:
      - serial: a6:28:9b:66:ab:dc:c1:70:b7:ff:c3:8a:94:79:37:2c:01:76
        revoke-time: 2023-01-12T09:27:23.000000Z
        reason: keyCompromise

Invoke the check-ca operation

Security: accessToken
Request
path Parameters
tls-ca-name
required
string <name>

name of tls-ca

Request Body schema:
offset
string <duration>
Default: "0s"

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>h][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Time offset for testing.

Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

POST /v1/state/strongbox/tls/ca/{tls-ca-name}/check-ca
Request samples
offset: 0s
Response samples
renewed: true
activated: false
latest-expires-in: 128d
active-expires-in: 54d

Invoke the get-ca-cert operation

Security: accessToken
Request
path Parameters
tls-ca-name
required
string <name>

name of tls-ca

Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

POST /v1/state/strongbox/tls/ca/{tls-ca-name}/get-ca-cert
Response samples
cert: |
  -----BEGIN CERTIFICATE-----
  MIICHjCCAcSgAwIBAgITAKs1oS0ybeAUntauysqFuBeQlDAKBggqhkjOPQQDAjBl
  MRowGAYDVQQDExFBdmFzc2EgQVBJIHJvb3QgMjESMBAGA1UEBxMJU3RvY2tob2xt
  MQswCQYDVQQGEwJTRTEPMA0GA1UEChMGQXZhc3NhMRUwEwYDVQQLEwxkaXN0cmli
  dXRpb24wIhgPMjAyMTEyMjMyMzIwMTNaGA8yMDI3MDUxMTEwMDgxM1owZTEaMBgG
  A1UEAxMRQXZhc3NhIEFQSSByb290IDIxEjAQBgNVBAcTCVN0b2NraG9sbTELMAkG
  A1UEBhMCU0UxDzANBgNVBAoTBkF2YXNzYTEVMBMGA1UECxMMZGlzdHJpYnV0aW9u
  MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEzSauslxXPReRGQFzPKPamVN8KPiP
  h+6PQaTXa5EN0cYukD+VU8Guu9r+k7BBF0t6+kzxJ4v84uGqcS11BrbOPaNPME0w
  DgYDVR0PAQH/BAQDAgGGMBIGA1UdEwEB/wQIMAYBAf8CAQEwJwYDVR0fBCAwHjAc
  oBqgGIYWaHR0cDovL2NybC5hdmFzc2EubmV0LzAKBggqhkjOPQQDAgNIADBFAiEA
  1zOd7AGv/56MOFYAUa9WqJSBwBwncUkUdRcoMHNw5zoCIGeIgBFg5qxGU4SxwwWV
  ZQYSJpKqUCz7uo9HvItC3A7S
  -----END CERTIFICATE-----
  -----BEGIN CERTIFICATE-----
  MIICGDCCAb+gAwIBAgISMeZQ4HpjHhrLayS5JedHqb5vMAoGCCqGSM49BAMCMGMx
  GDAWBgNVBAMTD0F2YXNzYSBBUEkgcm9vdDESMBAGA1UEBxMJU3RvY2tob2xtMQsw
  CQYDVQQGEwJTRTEPMA0GA1UEChMGQXZhc3NhMRUwEwYDVQQLEwxkaXN0cmlidXRp
  b24wIhgPMjAyMTEyMzEwNjMxMTdaGA8yMDI1MDUxMTEwMDcxN1owYzEYMBYGA1UE
  AxMPQXZhc3NhIEFQSSByb290MRIwEAYDVQQHEwlTdG9ja2hvbG0xCzAJBgNVBAYT
  AlNFMQ8wDQYDVQQKEwZBdmFzc2ExFTATBgNVBAsTDGRpc3RyaWJ1dGlvbjBZMBMG
  ByqGSM49AgEGCCqGSM49AwEHA0IABCMdQb+jMkUsk2ZcuvpvsN5teiV5ia/Gsfgx
  GgQ4qDmBRFxNrfuj34uD8QCTImxijm5zJHaIwYIxQLJ9fi+SJiyjTzBNMA4GA1Ud
  DwEB/wQEAwIBhjASBgNVHRMBAf8ECDAGAQH/AgEBMCcGA1UdHwQgMB4wHKAaoBiG
  Fmh0dHA6Ly9jcmwuYXZhc3NhLm5ldC8wCgYIKoZIzj0EAwIDRwAwRAIgXHevBN00
  3omcAE1ryOvL8NbzpsRFjoAR2SVVj3HT454CIHR7hEVtX/FZ+Qdy7kzz3kArX2H/
  2l/pX1YONDXlyvHM
  -----END CERTIFICATE-----
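Two client-side checks an operator can run on what these endpoints return, as an added Python example (not Avassa code): splitting the PEM bundle from get-ca-cert into individual certificates, verifying that each is a complete DER SEQUENCE before it is trusted, and fingerprinting them so bundles can be compared across peers; and reproducing, from a state response, which versions the docs say the bundle must contain (every version from oldest-version upward that has not expired). The sample bundle is the one in the response above and the version list is taken from the state response sample on this page; the timestamp format is the one the state responses use.

```python
import base64
import hashlib
import re
from datetime import datetime

_PEM_CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)
_TS = "%Y-%m-%dT%H:%M:%S.%fZ"  # timestamp format of the state responses


def _outer_sequence_ok(der: bytes) -> bool:
    """A certificate is one ASN.1 SEQUENCE (tag 0x30); check that its declared
    DER length matches the bytes actually present, which catches truncation."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:  # short form: this byte is the length itself
        return len(der) == 2 + first
    n = first & 0x7F  # long form: the next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")


def split_bundle(pem_bundle: str) -> list:
    """DER bytes of every certificate in a PEM bundle, in bundle order."""
    ders = []
    for body in _PEM_CERT_RE.findall(pem_bundle):
        der = base64.b64decode("".join(body.split()), validate=True)
        if not _outer_sequence_ok(der):
            raise ValueError("bundle contains a truncated or malformed certificate")
        ders.append(der)
    return ders


def fingerprints(pem_bundle: str) -> list:
    """SHA-256 fingerprint of each certificate as colon-separated hex, the
    value to compare when checking that peers hold the same bundle."""
    return [":".join(f"{b:02x}" for b in hashlib.sha256(der).digest()) for der in split_bundle(pem_bundle)]


def bundle_versions(state: dict, now: str) -> list:
    """Versions that belong in the bundle per the docs: every version from
    oldest-version upward that has not expired at `now`."""
    cutoff = datetime.strptime(now, _TS)
    return sorted(
        v["version"]
        for v in state["versions"]
        if v["version"] >= state["oldest-version"] and datetime.strptime(v["expires"], _TS) > cutoff
    )


# The two certificates from the get-ca-cert response sample above.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MIICHjCCAcSgAwIBAgITAKs1oS0ybeAUntauysqFuBeQlDAKBggqhkjOPQQDAjBl
MRowGAYDVQQDExFBdmFzc2EgQVBJIHJvb3QgMjESMBAGA1UEBxMJU3RvY2tob2xt
MQswCQYDVQQGEwJTRTEPMA0GA1UEChMGQXZhc3NhMRUwEwYDVQQLEwxkaXN0cmli
dXRpb24wIhgPMjAyMTEyMjMyMzIwMTNaGA8yMDI3MDUxMTEwMDgxM1owZTEaMBgG
A1UEAxMRQXZhc3NhIEFQSSByb290IDIxEjAQBgNVBAcTCVN0b2NraG9sbTELMAkG
A1UEBhMCU0UxDzANBgNVBAoTBkF2YXNzYTEVMBMGA1UECxMMZGlzdHJpYnV0aW9u
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEzSauslxXPReRGQFzPKPamVN8KPiP
h+6PQaTXa5EN0cYukD+VU8Guu9r+k7BBF0t6+kzxJ4v84uGqcS11BrbOPaNPME0w
DgYDVR0PAQH/BAQDAgGGMBIGA1UdEwEB/wQIMAYBAf8CAQEwJwYDVR0fBCAwHjAc
oBqgGIYWaHR0cDovL2NybC5hdmFzc2EubmV0LzAKBggqhkjOPQQDAgNIADBFAiEA
1zOd7AGv/56MOFYAUa9WqJSBwBwncUkUdRcoMHNw5zoCIGeIgBFg5qxGU4SxwwWV
ZQYSJpKqUCz7uo9HvItC3A7S
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIICGDCCAb+gAwIBAgISMeZQ4HpjHhrLayS5JedHqb5vMAoGCCqGSM49BAMCMGMx
GDAWBgNVBAMTD0F2YXNzYSBBUEkgcm9vdDESMBAGA1UEBxMJU3RvY2tob2xtMQsw
CQYDVQQGEwJTRTEPMA0GA1UEChMGQXZhc3NhMRUwEwYDVQQLEwxkaXN0cmlidXRp
b24wIhgPMjAyMTEyMzEwNjMxMTdaGA8yMDI1MDUxMTEwMDcxN1owYzEYMBYGA1UE
AxMPQXZhc3NhIEFQSSByb290MRIwEAYDVQQHEwlTdG9ja2hvbG0xCzAJBgNVBAYT
AlNFMQ8wDQYDVQQKEwZBdmFzc2ExFTATBgNVBAsTDGRpc3RyaWJ1dGlvbjBZMBMG
ByqGSM49AgEGCCqGSM49AwEHA0IABCMdQb+jMkUsk2ZcuvpvsN5teiV5ia/Gsfgx
GgQ4qDmBRFxNrfuj34uD8QCTImxijm5zJHaIwYIxQLJ9fi+SJiyjTzBNMA4GA1Ud
DwEB/wQEAwIBhjASBgNVHRMBAf8ECDAGAQH/AgEBMCcGA1UdHwQgMB4wHKAaoBiG
Fmh0dHA6Ly9jcmwuYXZhc3NhLm5ldC8wCgYIKoZIzj0EAwIDRwAwRAIgXHevBN00
3omcAE1ryOvL8NbzpsRFjoAR2SVVj3HT454CIHR7hEVtX/FZ+Qdy7kzz3kArX2H/
2l/pX1YONDXlyvHM
-----END CERTIFICATE-----
"""

# Version list from the state response sample on this page.
SAMPLE_STATE = {
    "oldest-version": 1,
    "versions": [
        {"version": 1, "expires": "2025-05-11T12:02:21.000000Z"},
        {"version": 2, "expires": "2027-05-11T12:03:17.000000Z"},
    ],
}
```

The DER length check is deliberately minimal: it does not parse the certificate, it only refuses a block whose outer SEQUENCE does not account for every byte, which is the usual symptom of a bundle cut off in transit or mangled by copy and paste. Full validation (expiry, chain, key usage) belongs in the TLS library that consumes the bundle.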

Invoke the get-crl operation

Security: accessToken
Request
path Parameters
tls-ca-name
required
string <name>

name of tls-ca

Request Body schema:
version
integer <uint32>

Get CRL for indicated CA certificate version. The CRL for the currently active certificate will be returned if not specified.

Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

POST /v1/state/strongbox/tls/ca/{tls-ca-name}/get-crl
Request samples
version: 1
Response samples
version: 1
crl: |
  -----BEGIN X509 CRL-----
  MIIBPzCB5wIBATAKBggqhkjOPQQDAjBaMQ8wDQYDVQQDEwZBdmFzc2ExEjAQBgNV
  BAcTCVN0b2NraG9sbTELMAkGA1UEBhMCU0UxDzANBgNVBAoTBkF2YXNzYTEVMBMG
  A1UECxMMZGlzdHJpYnV0aW9uGA8yMDIyMDExMjExNTU1MVoYDzM5OTMxMjI4MTE1
  NTQ5WjBIMCICAQIYDzIwMjIwMTEyMTE1NTUwWjAMMAoGA1UdFQQDCgEJMCICAQEY
  DzIwMjIwMTEyMTE1NTUwWjAMMAoGA1UdFQQDCgEBoA4wDDAKBgNVHRQEAwIBATAK
  BggqhkjOPQQDAgNHADBEAiAIaVZUh2UY10im3CYC1Aw55ngax0ZI5KFEXUIKBB/b
  nwIgWltvAouZ5+EHvDAX3MCeh0rtyX8B9e7gl9EcMo8UBb0=
  -----END X509 CRL-----

Invoke the get-crls operation

Security: accessToken
Request
path Parameters
tls-ca-name
required
string <name>

name of tls-ca

Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

POST /v1/state/strongbox/tls/ca/{tls-ca-name}/get-crls
Response samples
crls:
  - version: 1
    crl: |
      -----BEGIN X509 CRL-----
      MIIBrDCCAVMCAQEwCgYIKoZIzj0EAwIwWjEPMA0GA1UEAxMGQXZhc3NhMRIwEAYD
      VQQHEwlTdG9ja2hvbG0xCzAJBgNVBAYTAlNFMQ8wDQYDVQQKEwZBdmFzc2ExFTAT
      BgNVBAsTDGRpc3RyaWJ1dGlvbhgPMjAyMjAxMTIxMTU1NTJaGA8zOTkzMTIyODEx
      NTU0OVowgbMwNAITAOf//VRXdqtOes92mJuEHenzyhgPKioqKjExMTEwNDA3MzFa
      MAwwCgYDVR0VBAMKAQkwMwISNp/2B3mBxiLjZF3EMV/4/AdkGA8yMDIyMDExMjEx
      NTU1MVowDDAKBgNVHRUEAwoBCTAiAgECGA8yMDIyMDExMjExNTU1MFowDDAKBgNV
      HRUEAwoBCTAiAgEBGA8yMDIyMDExMjExNTU1MFowDDAKBgNVHRUEAwoBAaAOMAww
      CgYDVR0UBAMCAQEwCgYIKoZIzj0EAwIDRwAwRAIgbrjFqcuiwZFqzhLOtebUfqDf
      xCCpQfTAEDN2XpU1GesCIGPN1Xt8tSMzwjZDcpPG+08pRdSjIuD2dEWNZhJYyoni
      -----END X509 CRL-----

Invoke the issue-cert operation

Security: accessToken
Request
path Parameters
tls-ca-name
required
string <name>

name of tls-ca

Request Body schema:
version
integer <uint32>

CA certificate version to use when issuing certificate. If not specified, the current active version will be used.

ttl
string <duration>

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>h][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Time the certificate should be valid, starting from the time when the certificate is issued.

truncate-ttl
boolean
Default: false

Automatically limit the TTL to the lifetime of the CA certificate. If this is set to 'false', then an error will be generated if a certificate is requested with a TTL that is longer than the remaining lifetime of the CA certificate.

host
string

Name of client or server, used as CN (common name) and SAN (subject alt name) in issued certificate.

public-key
string

If a public-key is provided, the certificate will be based on that key instead of generating a new key pair. This is preferred, since the private key does not have to be transported. If CSRs (certificate signing requests) are used, then the private keys are embedded in the CSR.

cert-type
string <enumeration>
Default: "client"
  • ca
  • client
  • server

Sets default attributes associated with certificate use.

pathlen-constraint
integer <uint32>

Valid when: ../cert-type = 'ca'

The issued certificate will have the basic constraint pathLen set to this value. It is used to limit the length of a trust chain originating from the issued certificate.

Array of objects

Configure additional certificate alternate name extensions for the issued certificate.

server-ext-usage
boolean

Adds the ServerAuth flag to Extended Key Usage attribute of the generated certificates.

client-ext-usage
boolean

Adds the ClientAuth flag to Extended Key Usage attribute of the generated certificates.

code-signing-ext-usage
boolean

Adds the CodeSigning flag to Extended Key Usage attribute of the generated certificates.

full-authority-key-identifier
boolean

Include the issuer's serial number and name in the authority key identifier, in addition to the key identifier.

serial-prefix
string <hex-string> ^([0-9a-fA-F]{2}(:[0-9a-fA-F]{2})*)?$

The certificate serial, a 144 bit number, can optionally have a fixed prefix (up to 80 bits), the rest will be a random number consisting of a minimum of 64 bits.
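An added Python example (not Avassa code) that builds an issue-cert body while enforcing the constraints this schema documents: the cert-type enumeration, pathlen-constraint only for cert-type ca, the truncate-ttl rule against the CA lifetime, and the serial-prefix pattern with its 80-bit limit, which leaves at least 64 of the 144 serial bits random. `serial_matches_prefix` checks the serial that comes back in the response. The function parameter names and the client-side truncation to whole days are this example's own choices; the path, field names and sample values come from this page.

```python
import re
from datetime import datetime, timedelta

ISSUE_CERT_PATH = "/v1/state/strongbox/tls/ca/{ca}/issue-cert"
CERT_TYPES = ("ca", "client", "server")
# Serial layout from the schema: a 144-bit serial with an optional fixed
# prefix of at most 80 bits, leaving at least 64 random bits.
SERIAL_BITS = 144
MAX_PREFIX_BITS = 80
_SERIAL_PREFIX_RE = re.compile(r"^([0-9a-fA-F]{2}(:[0-9a-fA-F]{2})*)?$")
_TS = "%Y-%m-%dT%H:%M:%S.%fZ"  # timestamp format of the state responses


def random_serial_bits(serial_prefix: str) -> int:
    """Validate a serial-prefix against the schema pattern and size limit and
    return how many bits of the serial remain random."""
    if _SERIAL_PREFIX_RE.fullmatch(serial_prefix) is None:
        raise ValueError(f"serial-prefix is not colon-separated hex octets: {serial_prefix!r}")
    prefix_bits = 0 if serial_prefix == "" else 8 * len(serial_prefix.split(":"))
    if prefix_bits > MAX_PREFIX_BITS:
        raise ValueError(f"serial-prefix is {prefix_bits} bits; at most {MAX_PREFIX_BITS} allowed")
    return SERIAL_BITS - prefix_bits


def serial_matches_prefix(serial: str, serial_prefix: str) -> bool:
    """Check that an issued serial has the full 144-bit width and starts with
    the configured prefix (an empty prefix matches any full-width serial)."""
    octets = serial.lower().split(":")
    if len(octets) != SERIAL_BITS // 8:
        return False
    want = serial_prefix.lower().split(":") if serial_prefix else []
    return octets[:len(want)] == want


def build_issue_cert_request(ca_name, host, public_key_pem, ttl_days, cert_type="client",
                             pathlen_constraint=None, alt_names=(), serial_prefix=None,
                             truncate_ttl=False, ca_expires=None, now=None,
                             server_ext_usage=None, client_ext_usage=None,
                             code_signing_ext_usage=None):
    """Return (path, body) for issue-cert, applying the documented constraints
    client-side so a bad request is rejected before it reaches the CA.
    ca_expires and now are API timestamps; when given, a TTL past the CA's
    remaining lifetime is an error unless truncate_ttl is set, in which case it
    is clipped to whole days (this mirrors the server rule for truncate-ttl)."""
    if cert_type not in CERT_TYPES:
        raise ValueError(f"cert-type must be one of {CERT_TYPES}")
    if pathlen_constraint is not None and cert_type != "ca":
        raise ValueError("pathlen-constraint is only valid when cert-type is 'ca'")
    if ca_expires is not None:
        if now is None:
            raise ValueError("now is required when ca_expires is given")
        remaining = datetime.strptime(ca_expires, _TS) - datetime.strptime(now, _TS)
        if timedelta(days=ttl_days) > remaining:
            if not truncate_ttl:
                raise ValueError("requested TTL exceeds the CA certificate lifetime")
            ttl_days = remaining.days
    body = {"host": host, "public-key": public_key_pem, "ttl": f"{ttl_days}d",
            "cert-type": cert_type, "truncate-ttl": truncate_ttl}
    if pathlen_constraint is not None:
        body["pathlen-constraint"] = pathlen_constraint
    if alt_names:
        body["alt-name"] = [{"type": "DNSName", "value": name} for name in alt_names]
    if serial_prefix is not None:
        random_serial_bits(serial_prefix)  # raises on an invalid or oversized prefix
        body["serial-prefix"] = serial_prefix
    for key, value in (("server-ext-usage", server_ext_usage),
                       ("client-ext-usage", client_ext_usage),
                       ("code-signing-ext-usage", code_signing_ext_usage)):
        if value is not None:
            body[key] = bool(value)
    return ISSUE_CERT_PATH.format(ca=ca_name), body
```

The request sample below asks for serial-prefix fe:ed:ba:be while the serial in the response sample begins a6:28:9b, so a client that relies on the prefix (for instance to route revocations by issuing system) should run `serial_matches_prefix` on the returned serial rather than assume the prefix was applied.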

Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

POST /v1/state/strongbox/tls/ca/{tls-ca-name}/issue-cert
Request samples
version: 1
ttl: 15d
truncate-ttl: false
host: tio.avassa.net
public-key: |
  -----BEGIN PUBLIC KEY-----
  MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAprsthcrQ/Ug6leQQAjna
  QmLN1QDvjPs2wB6BXfwsW+KnMKCAQmv2eKpE2ZmpHoHxyz4JYhFm5vRCbl5AjM+1
  m3MvPAEP6LkDKK1blOpOinv21WW1rjC6kC2TEEI54gDMW0XBZqIYJUD7gP02zpNe
  jsZTELRrD8w55HIAe38doEg+TqEgYo4CIKM/ivh8SXi1alI3N7Gi8K8oKXh8azhY
  u9FHVig13HSym9E5zreF32CKSiQMS4cyyH1DXAQg/v9X6uBtga1HD33SYeXTNaga
  1L6Gn9AcCeBwmcmImTeA49NedAqoLMFZSZlR3C3bsspN0rtWyroO00QpyFqpHMYx
  GQIDAQAB
  -----END PUBLIC KEY-----
cert-type: server
alt-name:
  - type: DNSName
    value: foo
  - type: DNSName
    value: bar
server-ext-usage: true
client-ext-usage: true
code-signing-ext-usage: true
full-authority-key-identifier: false
serial-prefix: fe:ed:ba:be
Response samples
cert: |
  -----BEGIN CERTIFICATE-----
  MIIDUDCCAvagAwIBAgITAKYom2ar3MFwt//DipR5NywBdjAKBggqhkjOPQQDAjBa
  MQ8wDQYDVQQDEwZBdmFzc2ExEjAQBgNVBAcTCVN0b2NraG9sbTELMAkGA1UEBhMC
  U0UxDzANBgNVBAoTBkF2YXNzYTEVMBMGA1UECxMMZGlzdHJpYnV0aW9uMCIYDzIw
  MjIwMTEyMDYyMTQ4WhgPMjAyMjAxMjcwOTU3NDhaMGIxFzAVBgNVBAMTDnRpby5h
  dmFzc2EubmV0MRIwEAYDVQQHEwlTdG9ja2hvbG0xCzAJBgNVBAYTAlNFMQ8wDQYD
  VQQKEwZBdmFzc2ExFTATBgNVBAsTDGRpc3RyaWJ1dGlvbjCCASIwDQYJKoZIhvcN
  AQEBBQADggEPADCCAQoCggEBAKa7LYXK0P1IOpXkEAI52kJizdUA74z7NsAegV38
  LFvipzCggEJr9niqRNmZqR6B8cs+CWIRZub0Qm5eQIzPtZtzLzwBD+i5AyitW5Tq
  Top79tVlta4wupAtkxBCOeIAzFtFwWaiGCVA+4D9Ns6TXo7GUxC0aw/MOeRyAHt/
  HaBIPk6hIGKOAiCjP4r4fEl4tWpSNzexovCvKCl4fGs4WLvRR1YoNdx0spvROc63
  hd9gikokDEuHMsh9Q1wEIP7/V+rgbYGtRw990mHl0zWoGtS+hp/QHAngcJnJiJk3
  gOPTXnQKqCzBWUmZUdwt27LKTdK7Vsq6DtNEKchaqRzGMRkCAwEAAaOBwzCBwDB+
  BgNVHSMEdzB1oV6kXDBaMQ8wDQYDVQQDEwZBdmFzc2ExEjAQBgNVBAcTCVN0b2Nr
  aG9sbTELMAkGA1UEBhMCU0UxDzANBgNVBAoTBkF2YXNzYTEVMBMGA1UECxMMZGlz
  dHJpYnV0aW9ughMAp0MSfyaImp0XtPO3uqCnMRITMCMGA1UdEQQcMBqCDnRpby5h
  dmFzc2EubmV0ggNmb2+CA2JhcjALBgNVHQ8EBAMCA4gwDAYDVR0TAQH/BAIwADAK
  BggqhkjOPQQDAgNIADBFAiAssZp0WV7ejre85Zh4LJZQiTVWEObLXRwifAHQoiqi
  iwIhAOga9thMhWISM1FFgSTeNUtUe9jziVdPfSYQpInAcg3V
  -----END CERTIFICATE-----
private-key: |
  -----BEGIN EC PRIVATE KEY-----
  MHcCAQEEIOXuM9bGiQDY9UwAY/8RgJqV+5vq8XIURRKkrAWNQuhvoAoGCCqGSM49
  AwEHoUQDQgAENBCgxypqoxzHtxQjqVueMP/MrfboR7C0ix/58VYrEmiOjcWjfyrh
  5mHkSHhOuWG9Y9kBQEit0HGZqFdwtvofOg==
  -----END EC PRIVATE KEY-----
serial: a6:28:9b:66:ab:dc:c1:70:b7:ff:c3:8a:94:79:37:2c:01:76
created: 2022-01-25T09:57:48.000000Z
expires: 2022-01-27T09:57:48.000000Z
version: 1
ca-cert: |
  -----BEGIN CERTIFICATE-----
  MIIDUDCCAvagAwIBAgITAKYom2ar3MFwt//DipR5NywBdjAKBggqhkjOPQQDAjBa
  MQ8wDQYDVQQDEwZBdmFzc2ExEjAQBgNVBAcTCVN0b2NraG9sbTELMAkGA1UEBhMC
  U0UxDzANBgNVBAoTBkF2YXNzYTEVMBMGA1UECxMMZGlzdHJpYnV0aW9uMCIYDzIw
  MjIwMTEyMDYyMTQ4WhgPMjAyMjAxMjcwOTU3NDhaMGIxFzAVBgNVBAMTDnRpby5h
  dmFzc2EubmV0MRIwEAYDVQQHEwlTdG9ja2hvbG0xCzAJBgNVBAYTAlNFMQ8wDQYD
  VQQKEwZBdmFzc2ExFTATBgNVBAsTDGRpc3RyaWJ1dGlvbjCCASIwDQYJKoZIhvcN
  AQEBBQADggEPADCCAQoCggEBAKa7LYXK0P1IOpXkEAI52kJizdUA74z7NsAegV38
  LFvipzCggEJr9niqRNmZqR6B8cs+CWIRZub0Qm5eQIzPtZtzLzwBD+i5AyitW5Tq
  Top79tVlta4wupAtkxBCOeIAzFtFwWaiGCVA+4D9Ns6TXo7GUxC0aw/MOeRyAHt/
  HaBIPk6hIGKOAiCjP4r4fEl4tWpSNzexovCvKCl4fGs4WLvRR1YoNdx0spvROc63
  hd9gikokDEuHMsh9Q1wEIP7/V+rgbYGtRw990mHl0zWoGtS+hp/QHAngcJnJiJk3
  gOPTXnQKqCzBWUmZUdwt27LKTdK7Vsq6DtNEKchaqRzGMRkCAwEAAaOBwzCBwDB+
  BgNVHSMEdzB1oV6kXDBaMQ8wDQYDVQQDEwZBdmFzc2ExEjAQBgNVBAcTCVN0b2Nr
  aG9sbTELMAkGA1UEBhMCU0UxDzANBgNVBAoTBkF2YXNzYTEVMBMGA1UECxMMZGlz
  dHJpYnV0aW9ughMAp0MSfyaImp0XtPO3uqCnMRITMCMGA1UdEQQcMBqCDnRpby5h
  dmFzc2EubmV0ggNmb2+CA2JhcjALBgNVHQ8EBAMCA4gwDAYDVR0TAQH/BAIwADAK
  BggqhkjOPQQDAgNIADBFAiAssZp0WV7ejre85Zh4LJZQiTVWEObLXRwifAHQoiqi
  iwIhAOga9thMhWISM1FFgSTeNUtUe9jziVdPfSYQpInAcg3V
  -----END CERTIFICATE-----

Invoke the renew-cert operation

Renews a certificate if needed. The action first verifies that the certificate given as argument is signed by this CA, then examines its expiration time. If the remaining validity has reached the renewal threshold, a new certificate is generated together with a new key pair (the new private key is returned in the response).

Security: accessToken
Request
path Parameters
tls-ca-name
required
string <name>

name of tls-ca

Request Body schema:
version
integer <uint32>

CA certificate version to use when issuing the certificate. If not specified, the current active version is used.

cert
required
string

If a public-key is provided the cert will be based on that key instead of generating a new key-pair. This is preferred since the private key does not have to be transported. If CSRs (certificate signing requests) are used, then the private keys are embedded in that.

threshold
required
string <duration>

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>h][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Threshold for renewing the certificate. If the cert is valid for longer than the threshold, then it is not renewed.

ttl
string <duration>

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>h][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

If a new certificate is generated, use this ttl.

force
boolean

Force renewal even if the certificate's remaining validity has not yet reached the threshold.
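
The renewal decision described above, as an added Python example that is not the strongbox implementation: it parses the duration grammar used by `threshold` and `ttl` and the `expires` timestamp format the API returns, then applies the threshold and force rule so a client can predict whether a renew-cert call will issue a new certificate. It assumes a year is 365 days and leaves out the server-side signature check against the CA.

```python
import re
from datetime import datetime, timedelta, timezone

# Duration grammar from the API docs: [<digits>y][<digits>d][<digits>h][<digits>m][<digits>s]
_DURATION_RE = re.compile(
    r"^(?:(?P<y>\d+)y)?(?:(?P<d>\d+)d)?(?:(?P<h>\d+)h)?"
    r"(?:(?P<m>\d+)m)?(?:(?P<s>\d+)s)?$"
)


def parse_duration(text: str) -> timedelta:
    """Parse a duration such as '1y2d5h' or '10m30s'.

    Assumption (not stated in the docs): a year counts as 365 days.
    """
    m = _DURATION_RE.match(text)
    if not text or not m:
        raise ValueError(f"invalid duration: {text!r}")
    p = {k: int(v or 0) for k, v in m.groupdict().items()}
    return timedelta(days=365 * p["y"] + p["d"], hours=p["h"],
                     minutes=p["m"], seconds=p["s"])


def parse_expires(text: str) -> datetime:
    """Parse the 'expires' format the API returns, e.g. '2022-01-27T09:57:48.000000Z'."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def should_renew(expires: str, threshold: str, now, force: bool = False) -> bool:
    """Mirror the renew-cert rule: renew when the remaining validity is at or
    below the threshold, or unconditionally when force is set.

    `now` is a timezone-aware datetime, or a string in the same format as
    `expires`. The signature check against the CA happens server-side and
    is not modelled here.
    """
    if force:
        return True
    if isinstance(now, str):
        now = parse_expires(now)
    remaining = parse_expires(expires) - now
    return remaining <= parse_duration(threshold)
```

An already expired certificate has negative remaining validity and is therefore always selected for renewal.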

Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

POST /v1/state/strongbox/tls/ca/{tls-ca-name}/renew-cert
Request samples
version: 1
cert: |
  -----BEGIN CERTIFICATE-----
  MIICizCCAjGgAwIBAgITANNt94hZ1dY/yf1V21FDUK6xVzAKBggqhkjOPQQDAjBg
  MRUwEwYDVQQDEwxpbnRlcm1lZGlhdGUxEjAQBgNVBAcTCVN0b2NraG9sbTELMAkG
  A1UEBhMCU0UxDzANBgNVBAoTBkF2YXNzYTEVMBMGA1UECxMMZGlzdHJpYnV0aW9u
  MCIYDzIwMjIwMTEyMDU1MzIxWhgPMjAyMjAxMjcwOTI5MjFaMGIxFzAVBgNVBAMT
  DnRpby5hdmFzc2EubmV0MRIwEAYDVQQHEwlTdG9ja2hvbG0xCzAJBgNVBAYTAlNF
  MQ8wDQYDVQQKEwZBdmFzc2ExFTATBgNVBAsTDGRpc3RyaWJ1dGlvbjBZMBMGByqG
  SM49AgEGCCqGSM49AwEHA0IABP12drrHCZgUNGKY4+AirpP8Srjtuf2wUYLyOELu
  5w+Q4bPBUOBnT0VQ7MJEGH1CS4TdBDZMmc/sC8iS6zqGjaujgcMwgcAwfgYDVR0j
  BHcwdaFepFwwWjEPMA0GA1UEAxMGQXZhc3NhMRIwEAYDVQQHEwlTdG9ja2hvbG0x
  CzAJBgNVBAYTAlNFMQ8wDQYDVQQKEwZBdmFzc2ExFTATBgNVBAsTDGRpc3RyaWJ1
  dGlvboITAN7Ag9ldW5mmpYKFnCWuYLZqaDAjBgNVHREEHDAagg50aW8uYXZhc3Nh
  Lm5ldIIDZm9vggNiYXIwCwYDVR0PBAQDAgOIMAwGA1UdEwEB/wQCMAAwCgYIKoZI
  zj0EAwIDSAAwRQIhAPAEa0/l9oOmLfRVKjDVFFcw81q91diNmERB3bOWc6X8AiB5
  jYenpXwkbchHtu3etE0/3FzLSVTN453CDVU6gIAtJw==
  -----END CERTIFICATE-----
threshold: 15d
ttl: 15d
force: true
Response samples
cert: |
  -----BEGIN CERTIFICATE-----
  MIICizCCAjGgAwIBAgITAOlTFCbPxuMxTI7XY0XnZxm6xDAKBggqhkjOPQQDAjBg
  MRUwEwYDVQQDEwxpbnRlcm1lZGlhdGUxEjAQBgNVBAcTCVN0b2NraG9sbTELMAkG
  A1UEBhMCU0UxDzANBgNVBAoTBkF2YXNzYTEVMBMGA1UECxMMZGlzdHJpYnV0aW9u
  MCIYDzIwMjIwMTEyMDU1MzIxWhgPMjAyMjAxMjcwOTI5MjFaMGIxFzAVBgNVBAMT
  DnRpby5hdmFzc2EubmV0MRIwEAYDVQQHEwlTdG9ja2hvbG0xCzAJBgNVBAYTAlNF
  MQ8wDQYDVQQKEwZBdmFzc2ExFTATBgNVBAsTDGRpc3RyaWJ1dGlvbjBZMBMGByqG
  SM49AgEGCCqGSM49AwEHA0IABJxqeVJyPzB1TIpL6//bWCrrrrk9D3JkGBv4DHEk
  eBoXgDfV8n8Ni5m5PtazeJE+91WX0yhRCGZVRyohpzbx8+qjgcMwgcAwfgYDVR0j
  BHcwdaFepFwwWjEPMA0GA1UEAxMGQXZhc3NhMRIwEAYDVQQHEwlTdG9ja2hvbG0x
  CzAJBgNVBAYTAlNFMQ8wDQYDVQQKEwZBdmFzc2ExFTATBgNVBAsTDGRpc3RyaWJ1
  dGlvboITAN7Ag9ldW5mmpYKFnCWuYLZqaDAjBgNVHREEHDAagg50aW8uYXZhc3Nh
  Lm5ldIIDZm9vggNiYXIwCwYDVR0PBAQDAgOIMAwGA1UdEwEB/wQCMAAwCgYIKoZI
  zj0EAwIDSAAwRQIgWgpHPxZ5Y/U1a2jlMqyojqy0ux5T9a15gc1BXmj3MegCIQD8
  Lxclz6XhhIsMoOpBTX45gFMJmhDOisflmcsCumup9A==
  -----END CERTIFICATE-----
private-key: |
  -----BEGIN EC PRIVATE KEY-----
  MHcCAQEEIA69qgOw6+y/6aDASXFWtK17P98TvTlKcWZ3H5IZKDF4oAoGCCqGSM49
  AwEHoUQDQgAEnGp5UnI/MHVMikvr/9tYKuuuuT0PcmQYG/gMcSR4GheAN9Xyfw2L
  mbk+1rN4kT73VZfTKFEIZlVHKiGnNvHz6g==
  -----END EC PRIVATE KEY-----
serial: e9:53:14:26:cf:c6:e3:31:4c:8e:d7:63:45:e7:67:19:ba:c4
expires: 2022-01-27T09:29:21.000000Z

Invoke the revoke-cert operation

Security: accessToken
Request
path Parameters
tls-ca-name
required
string <name>

name of tls-ca

Request Body schema:
version
integer <uint32>

CA certificate version to use when revoking the certificate. If not specified, the current active version is used.

serial
required
string <hex-string> ^([0-9a-fA-F]{2}(:[0-9a-fA-F]{2})*)?$

Serial of the certificate to revoke.

revoke-time
string <date-time>

reason
string <revoke-reason-type>
Default: "unspecified"
  • unspecified
  • keyCompromise
  • cACompromise
  • affiliationChanged
  • superseded
  • cessationOfOperation
  • certificateHold
  • privilegeWithdrawn
  • aAcompromise

Reason for revoking a certificate.

Responses
204

No Content

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

POST /v1/state/strongbox/tls/ca/{tls-ca-name}/revoke-cert
Request samples
version: 1
serial: 02:59:cd:ba:9a:c3:7b:81:ad:d4:8b:be:35:f1:e3:10:a1:fa
revoke-time: 2023-01-12T09:27:23.000000Z
reason: keyCompromise

Invoke the rotate-ca operation

Security: accessToken
Request
path Parameters
tls-ca-name
required
string <name>

name of tls-ca

Request Body schema:
ttl
string <duration>

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>h][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

TTL of the new CA certificate. Defaults to the TTL of the old certificate.

Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

POST /v1/state/strongbox/tls/ca/{tls-ca-name}/rotate-ca
Request samples
ttl: 1y
Response samples
ca-cert: |
  -----BEGIN CERTIFICATE-----
  MIICHTCCAcOgAwIBAgISWNECRJYLYnewT+3Ujk574sRJMAoGCCqGSM49BAMCMGUx
  GjAYBgNVBAMTEUF2YXNzYSBBUEkgcm9vdCAyMRIwEAYDVQQHEwlTdG9ja2hvbG0x
  CzAJBgNVBAYTAlNFMQ8wDQYDVQQKEwZBdmFzc2ExFTATBgNVBAsTDGRpc3RyaWJ1
  dGlvbjAiGA8yMDIyMDEwODE4NDk1NFoYDzIwMjMwMTEyMTAyNTU0WjBlMRowGAYD
  VQQDExFBdmFzc2EgQVBJIHJvb3QgMjESMBAGA1UEBxMJU3RvY2tob2xtMQswCQYD
  VQQGEwJTRTEPMA0GA1UEChMGQXZhc3NhMRUwEwYDVQQLEwxkaXN0cmlidXRpb24w
  WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASvGeQvFMppCCzWIuoC9aLlPa+LMFec
  pPcRKkPxNKnFgfxxQkj8BxHFK983DkQPRN8DqLTnVu9PlbHF9vafoCZEo08wTTAO
  BgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBATAnBgNVHR8EIDAeMByg
  GqAYhhZodHRwOi8vY3JsLmF2YXNzYS5uZXQvMAoGCCqGSM49BAMCA0gAMEUCIQCn
  rmajChgRM8BwDUr205011d/ra3spqDQqz+z32DjZEwIgNJp+7hOxQxUwejpDamRW
  BcbypHLoQkU/SCFeASg47vs=
  -----END CERTIFICATE-----
expires: 2023-01-12T10:25:54.000000Z
version: 2