Layer7 API Management

  • 1.  Update private key certificate chain using REST APIs

    Posted May 18, 2018 12:08 PM

    I am trying to automate creating a private key, generating a CSR and updating the private key certificate chain using the REST APIs provided in CA API Gateway v9.3. I am able to create the private key and generate the CSR, but I can't find a payload template to update the private key certificate chain. Is there any XML message format I can use to update the certificate chain?

     



  • 2.  Re: Update private key certificate chain using REST APIs
    Best Answer

    Posted May 22, 2018 02:33 PM

    I think this will work; test and update as required. Private key updates require gateway restarts.

     

    PUT https://<Gateway:Port>/restman/1.0/privateKeys/{id}

     

    <l7:PrivateKey alias="YOUR KEY ALIAS" xmlns:l7="http://ns.l7tech.com/2010/04/gateway-management">
      <l7:CertificateChain>
        <l7:CertificateData>
          <l7:IssuerName>CN=YOUR CN</l7:IssuerName>
          <l7:SerialNumber>CERT SERIAL NUMBER</l7:SerialNumber>
          <l7:SubjectName>CERT SUBJECT NAME</l7:SubjectName>
          <l7:Encoded>
            BASE64 ENCODED CERTIFICATE DATA
          </l7:Encoded>
        </l7:CertificateData>
      </l7:CertificateChain>
    </l7:PrivateKey>


  • 3.  Re: Update private key certificate chain using REST APIs

    Posted May 22, 2018 03:03 PM

    Thank you Anand! It helps. 



  • 4.  Re: Update private key certificate chain using REST APIs

    Posted Apr 03, 2019 02:08 PM

    We are trying to do the same thing, but I still have some questions.

     

    When using the policy manager, we can put 3 certificates in the replace certificate chain box at the same time.
    This is required to get the entire certificate chain updated.

     

    Using the RestMan, can we also do this?

    Additionally, can we omit the Issuer, Serial and SubjectName fields? Are they optional?
    So basically I am hoping we can include only the l7:Encoded field? If not, we would have to decode the certificate to get these fields from the base64 input, which is a hassle.

     

    Do we have to strip the ---BEGIN CERTIFICATE --- stuff that a PEM comes with?
    And do we have to split it up into three l7:CertificateData/l7:Encoded segments, or can we put all 3 in one encoded element and will the gateway split it up?

     


    ----- BEGIN CERTIFICATE ---
    certificate
    ----- END CERTIFICATE ---
    ----- BEGIN CERTIFICATE ---
    intermediate ca
    ----- END CERTIFICATE ---

    ----- BEGIN CERTIFICATE ---
    root ca
    ----- END CERTIFICATE ---
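
An added example, not code from this thread or from the product: a Python sketch that splits a PEM bundle and builds a PUT body in the shape of the template from the earlier answer. It assumes that one l7:CertificateData element per certificate is accepted, that l7:Encoded carries the base64 body without the BEGIN/END lines, and that the issuer, serial and subject fields can be left out; none of this is confirmed in the thread, and the function names and sample bundle are constructed for illustration.

```python
import base64
import re
from xml.etree import ElementTree as ET

# Namespace taken from the template in the answer above.
L7_NS = "http://ns.l7tech.com/2010/04/gateway-management"
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL)


def split_pem_chain(bundle: str) -> list[str]:
    """Return each certificate as single-line base64 DER, PEM armor removed."""
    certs = []
    for body in PEM_CERT.findall(bundle):
        b64 = "".join(body.split())
        base64.b64decode(b64, validate=True)  # reject a corrupted block early
        certs.append(b64)
    if not certs:
        raise ValueError("no CERTIFICATE blocks found in bundle")
    return certs


def build_private_key_payload(alias: str, bundle: str) -> str:
    """Build the PUT body with one l7:CertificateData per cert, in bundle order.

    Assumption: only l7:Encoded is sent; add IssuerName/SerialNumber/SubjectName
    as in the template if your gateway requires them.
    """
    ET.register_namespace("l7", L7_NS)
    root = ET.Element(f"{{{L7_NS}}}PrivateKey", {"alias": alias})
    chain = ET.SubElement(root, f"{{{L7_NS}}}CertificateChain")
    for b64 in split_pem_chain(bundle):
        data = ET.SubElement(chain, f"{{{L7_NS}}}CertificateData")
        # ElementTree escapes text and attributes, so no hand-built XML strings.
        ET.SubElement(data, f"{{{L7_NS}}}Encoded").text = b64
    return ET.tostring(root, encoding="unicode")


def _constructed_pem(raw: bytes) -> str:
    """Wrap placeholder bytes in PEM armor (constructed data, not a real cert)."""
    body = base64.encodebytes(raw).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


# Constructed sample: leaf, intermediate CA, root CA, as in the post above.
SAMPLE_BUNDLE = "\n".join(
    _constructed_pem(b) for b in (b"leaf", b"intermediate ca", b"root ca"))

if __name__ == "__main__":
    print(build_private_key_payload("YOUR KEY ALIAS", SAMPLE_BUNDLE))
```

Try the generated body against a non-production gateway first, since the answer above notes that private key updates require a gateway restart.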