...
| Method | Endpoint | Parameter | Returned values | ||||||
|---|---|---|---|---|---|---|---|---|---|
| Name | Is required? | Transfer method | Description | Name | Always returned? | Transfer method | Description | ||
| GET | /v1/certificate/{caName} | CA name | Yes | Path parameter | Name of Certificate Authority which should sign sent CSR. Must match CertService's CMPv2 servers configuration. | Error message | No, only if error occurred on server side | Body (JSON) | Verbose information what wrong happened on server side. |
| Base64 encoded CSR (Certificate Signing Request) in PEM format | Yes | Header | Certificate Signing Request for given component | Certificate chain | No, only in success case. | Body (JSON) | Base64 encoded  signed certificate with whole certificate chain (intermediate CA certificates) in PEM format. Signed certificate should be returned first and then all intermediate certificates in following order: singer of previous certificate till certificate which is signed by root CA. All certificates are in PEM format. | ||
| Base64 encoded private key in PEM format | Yes | Header | Private key. Needed to create proof of possession (PoP) | Trusted certificates | No, only in success case. | Body (JSON) | Base64 encoded list of trusted certificates in PEM format. In other words list of root CAs which should be treated as trust anchors. Must contain root CA which was used to sign certificate and may contain other root CAs. Order doesn't matter. All certificates are in PEM format. | ||
...
| HTTP code | Description |
|---|---|
| 200 (OK) | Everything is ok. Certificate chain and trusted certificates returned |
| 400 (Bad Request) | Incorrect/missing CSR and/or private key |
| 401 (Unauthorized) | Missing client certificate or presented certificate is not trusted |
| 404 (Not found) | Invalid CA name in REST API call or wrong endpoint called |
| 500 (Internal Server Error) | In case of exception on server side. |
OpenAPI
...
| View file | ||||
|---|---|---|---|---|
|
CMPv2 server properties
CertService contains configuration of CMPv2 servers. To enroll certificate at least one CMPv2 server has to be configured. CMPv2 servers configuration is read during CertService startup and to take runtime changes into account CertService's refresh configuration endpoint has to be called.
...
Relevant values in Initialization Request (IR) message sent to CMPv2 server:
Value | Description | Information Included |
|---|---|---|
| PKIHeader | Contains information common to many PKI messages. | SenderDN IssuerDN ProtectionAlgorithm (used for PkiProtection below) |
| PKIBody | Contains message-specific information ie. initialization request message | CertificateRequestMessage, which includes: SubjectDN IssuerDN SubjectPublicKey |
| PKIProtection | Contains bits that protect PKImessage (Specifically the iak/rv) |
Return values from CMPv2 client
Following table represents return values from CMPv2 client.
| Output value | Output type | Description |
|---|---|---|
| certificateChain | List <java.security.cert.X509Certificate> | Enrolled certificate with full certificate chain (all certificates of intermediate CAs), without root CA |
| trustedCerts | List <java.security.cert.X509Certificate> | All trusted certificates returned from CMPv2 server, including root CA |
Test code for running cmpv2 client against EJBCA server through unit test
...