Version 2 (modified by pjkersha, 5 years ago)

Online Certificate Authority Web Service

Get Certificate

The get certificate operation requests a new user credential. The client generates a key pair locally and submits a certificate signing request (CSR) for it, authenticating with a username and password; on success the service returns the signed X.509 certificate. The private key never leaves the client, and the certificate subject CN is taken from the authenticated username rather than from the CSR.

Inputs

Request type: HTTP POST over HTTPS

Attribute            Format                    Description
certificate_request  PEM in HTTP message body  Certificate signing request (CSR) for the user certificate being requested
username             HTTP Basic Auth header    User identity to associate with the certificate to be issued. The username will be set as the CN field of the certificate subject name.
password             HTTP Basic Auth header    Password associated with the username.
realm                HTTP Basic Auth header    -

Outputs

HTTP Response code  Description
200  Success: the PEM encoded X.509 certificate is returned in the response body.
401  Client not authorised: the credentials presented were rejected. With HTTP Basic Auth that is a wrong username or password; with SSL client authentication it is a client certificate that is not present, is not verified, or whose subject name is not in the accepted retrievers list.
405  Error with the format of the client request, e.g. the certificate signing request could not be parsed. (RFC 7231 defines 405 as "Method Not Allowed", so a client should read the response body rather than infer a parse failure from the status code alone.)
500  Server side error.
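Client side of the Get Certificate call, as an added example in Python; this is not the service's own client code. It uses only the standard library and expects the CSR to have been generated beforehand with openssl. The endpoint path `/certificate/` and the omission of a Content-Type header are assumptions, since the page states neither; the handling of response codes follows the table above.

```python
"""Client for the Get Certificate operation (added example, not the
service's own client).  Assumptions not stated on the page: the endpoint
path, and that the server needs no Content-Type for the PEM body."""
import base64
import http.client
import ssl

# Hypothetical endpoint path: the page does not give the URL.
CERTIFICATE_PATH = "/certificate/"

# Generate the key pair and CSR locally first so the private key never
# leaves the client, e.g.:
#   openssl req -new -newkey rsa:2048 -nodes -keyout user.key \
#       -out user.csr -subj "/CN=alice"
# The CA sets the certificate CN from the authenticated username, so the
# CN given to openssl here is only a placeholder.


class OnlineCAError(Exception):
    """Raised for any outcome of the call other than an issued certificate."""


def basic_auth_header(username, password):
    """Authorization header value: 'Basic ' + base64('username:password')."""
    token = base64.b64encode("{}:{}".format(username, password).encode("utf-8"))
    return "Basic " + token.decode("ascii")


def check_csr_pem(csr_pem):
    """Refuse to send anything that is not a PEM encoded CSR."""
    if (not csr_pem.startswith(b"-----BEGIN CERTIFICATE REQUEST-----")
            or b"-----END CERTIFICATE REQUEST-----" not in csr_pem):
        raise ValueError("certificate_request must be a PEM encoded CSR")
    return True


def interpret_response(status, body):
    """Map the documented response codes to a certificate or an error."""
    if status == 200:
        # 200 promises a PEM certificate; check that before saving the body.
        if not body.startswith(b"-----BEGIN CERTIFICATE-----"):
            raise OnlineCAError("200 response does not carry a PEM certificate")
        return body
    if status == 401:
        raise OnlineCAError("client not authorised: credentials rejected")
    if status == 405:
        raise OnlineCAError("request rejected as malformed (e.g. unparseable CSR)")
    if status == 500:
        raise OnlineCAError("server side error")
    raise OnlineCAError("unexpected HTTP status {}".format(status))


def request_certificate(host, csr_pem, username, password, capath, port=443):
    """POST the CSR over HTTPS and return the issued certificate (PEM bytes).

    capath is the trust root directory restored from Get Trust Roots; its
    OpenSSL hash-named files (<hash>.0) are what load_verify_locations
    expects.  PROTOCOL_TLS_CLIENT gives hostname checking and
    CERT_REQUIRED by default, and because no system CA bundle is loaded
    the connection is accepted only if it chains to those trust roots.
    """
    check_csr_pem(csr_pem)
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    context.load_verify_locations(capath=capath)
    headers = {"Authorization": basic_auth_header(username, password)}
    conn = http.client.HTTPSConnection(host, port, context=context)
    try:
        conn.request("POST", CERTIFICATE_PATH, body=csr_pem, headers=headers)
        resp = conn.getresponse()
        return interpret_response(resp.status, resp.read())
    finally:
        conn.close()
```

Once the certificate is back, confirm with `openssl x509 -in user.crt -noout -subject` that the subject CN is the username you authenticated as, and keep the certificate next to the `user.key` whose CSR you sent.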

Get Trust Roots

This call bootstraps the client's trust in the online CA service. It retrieves the trust roots the client needs in order to verify this service over SSL (HTTPS): CA certificates and the matching OpenSSL signing policy files, returned as the serialised content of a trust root directory. The client should restore that directory locally and use it to verify the peer (the online CA service) on all subsequent calls.

Note that this first call is itself made over HTTPS before the client holds the service's trust roots, so it can only be verified against a trust anchor the client already has (for example a certificate or fingerprint for the service obtained out of band). If the client skips peer verification for this one call, an attacker on the network path can supply their own trust roots and then impersonate the service on every later call, including Get Certificate.

Inputs

Request type: HTTP GET over HTTPS

Attribute  Format  Description
None       -       -

The server does not require SSL client authentication for this call.

Outputs

HTTP Response code  Description
200  Success: the list of trust roots is returned in the response body, in the following format:
     - Each item is delimited by a newline character ('\n').
     - Items are key/value pairs.
     - Each value is base64 encoded.
     - The first key, TRUSTED_CERTS, has as its value a comma-separated list of the file names of the trust root files. The files include CA certificates and OpenSSL signing policy files.
     - Each subsequent key is prefixed with FILEDATA_; the suffix is the file name that should be written out, and the value is the content of that file.
     A client restoring the directory should treat each file name as untrusted input and write only bare file names (no path separators, no "..") into the trust root directory.
500  Server side error.
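A parser for the trust roots response and the code to restore the directory from it, as an added example in Python; this is not the service's own client. The page does not say how a key and its value are separated within an item, so the '=' separator used here is an assumption, as are the sample file names and contents, which are constructed placeholders in OpenSSL hash-name style and not a real certificate or policy. The example goes slightly beyond the text by also checking that the TRUSTED_CERTS listing and the FILEDATA_ items agree, and by rejecting server-supplied file names that are not bare names.

```python
"""Parse and restore the Get Trust Roots response (added example, not the
service's own client).  Assumption not stated on the page: key and value
within an item are separated by '='."""
import base64
import os

TRUSTED_CERTS_KEY = "TRUSTED_CERTS"
FILEDATA_PREFIX = "FILEDATA_"


def check_safe_filename(name):
    """The name comes from the server: accept only a bare file name, never a
    path, so a hostile or broken server cannot write outside the trust root
    directory.  Commas are refused because they separate the listing."""
    if (name in ("", ".", "..") or name != os.path.basename(name)
            or "\\" in name or "," in name or "\x00" in name):
        raise ValueError("unsafe trust root file name: {!r}".format(name))
    return name


def parse_trust_roots(payload):
    """Return {file name: content} after checking that the TRUSTED_CERTS
    listing and the FILEDATA_ items agree with each other."""
    items = {}
    for raw in payload.split(b"\n"):
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(b"=")  # '=' separator assumed
        if not sep:
            raise ValueError("item without key/value separator: {!r}".format(line))
        # validate=True rejects anything outside the base64 alphabet
        items[key.decode("ascii")] = base64.b64decode(value, validate=True)
    if TRUSTED_CERTS_KEY not in items:
        raise ValueError("no TRUSTED_CERTS item in response")
    listed = [n for n in items[TRUSTED_CERTS_KEY].decode("ascii").split(",") if n]
    files = {}
    for name in listed:
        check_safe_filename(name)
        data = items.get(FILEDATA_PREFIX + name)
        if data is None:
            raise ValueError("TRUSTED_CERTS lists {!r} but no FILEDATA_ item carries it".format(name))
        files[name] = data
    unlisted = sorted(k for k in items
                      if k.startswith(FILEDATA_PREFIX) and k[len(FILEDATA_PREFIX):] not in files)
    if unlisted:
        raise ValueError("FILEDATA_ items not listed in TRUSTED_CERTS: {}".format(unlisted))
    return files


def encode_trust_roots(files):
    """Server-side encoding of the same format (used here to build input)."""
    names = sorted(files)
    lines = [TRUSTED_CERTS_KEY.encode("ascii") + b"="
             + base64.b64encode(",".join(names).encode("ascii"))]
    for name in names:
        lines.append(FILEDATA_PREFIX.encode("ascii") + name.encode("ascii")
                     + b"=" + base64.b64encode(files[name]))
    return b"\n".join(lines) + b"\n"


def write_trust_roots(files, directory):
    """Restore the trust root directory; returns the paths written."""
    os.makedirs(directory, exist_ok=True)
    written = []
    for name, data in files.items():
        check_safe_filename(name)  # defence in depth if called with other input
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(data)
        written.append(path)
    return sorted(written)


# Constructed sample: placeholder contents under OpenSSL hash-style names
# (not a real certificate or signing policy).
SAMPLE_FILES = {
    "5d9d2b3c.0": b"-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n",
    "5d9d2b3c.signing_policy": (
        b"access_id_CA X509 '/O=Example/CN=Online CA'\n"
        b"pos_rights globus CA:sign\n"
        b"cond_subjects globus '\"/O=Example/*\"'\n"
    ),
}
SAMPLE_RESPONSE = encode_trust_roots(SAMPLE_FILES)

if __name__ == "__main__":
    import tempfile
    restored = parse_trust_roots(SAMPLE_RESPONSE)
    print(write_trust_roots(restored, tempfile.mkdtemp(prefix="trustroots-")))
```

The directory written by `write_trust_roots` can be handed straight to OpenSSL-style verification (`capath`) because the CA certificates keep their `<hash>.0` names; the `.signing_policy` files sit alongside for tools that enforce Globus-style signing policies.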