Create Certificate REST Service

Use the Create Certificate REST Service to create a certificate and a public and private key pair. The newly created certificate is stored in an existing keystore.

Operation
POST
URL
https://host:port/SKLM/rest/v1/certificates

By default, Guardium Key Lifecycle Manager server listens to the secure port 9443 (HTTPS) for communication. During IBM Security Guardium Key Lifecycle Manager installation, you can modify this default port.

Request

Request Parameters
Parameter Description
host Specify the IP address or hostname of the IBM Security Guardium Key Lifecycle Manager server.
port Specify the port number on which the IBM Security Guardium Key Lifecycle Manager server listens for requests.
Request Headers
Header name Value
Content-Type application/json
Accept application/json
Authorization SKLMAuth userAuthId=<authIdValue>
Accept-Language Any valid locale that is supported by IBM Security Guardium Key Lifecycle Manager. For example, en or de.
Request body

JSON Object with the following specification:

JSON property name Description
type

Specify the certificate type. The supported certificate type is Self-signed.

The subject name and issuer name of the certificate are same.

alias

Specify a unique name for the certificate. The name is not case-sensitive. For example, if you specify MY Cert1, the value is stored as my cert1.

Do not use:
  • The value that begins with three alphabetic characters followed by 18 numeric characters, such as aaa000000000000000002. IBM Security Guardium Key Lifecycle Manager uses this format to generate a key group with symmetric keys.
  • Forward slash (/) or backslash (\) characters in the value.
cn

Specify a common name for the certificate that you want to create.

usage

Specify the target application usage with the following values:

3592
Specifies the 3592 device group.
DS8000®
Specifies the DS8000 device group.
GPFS
Specifies the IBM Spectrum® Scale (previously known as GPFS) device group.
PEER_TO_PEER
Specifies the PEER_TO_PEER device group.
GENERIC
Specifies a device family that uses the Key Management Interoperability Protocol to interact with IBM Security Guardium Key Lifecycle Manager. The GENERIC device group enables management of KMIP objects.
TLSCLIENT
Specifies the client-side certificate that is used in secure communication by using Secure Socket Layer protocol to authenticate the client device.
TLSSERVER
Specifies the server-side certificate that is used in secure communication by using Secure Socket Layer protocol.
userdevicegroup
Specifies a user-defined group that is based on a supported device family.
algorithm

Specify any of the following cryptographic algorithms that the certificate can use.

  • RSA
  • ECDSA
san

Specify the subject alternative name (SAN) containing the DNS names and IP addresses secured by this certificate, RFC822 email address, and URI.

Each attribute and its value must be in a new line. The syntax for each line is:

attribute : value

Note: Do not use the * special character. For example, you cannot specify, DNSName : *.example.com. Instead of using the * character, you can specify multiple hostnames in separate lines.
The following list shows the supported attributes:
DNSName
Specify the DNS names that are secured by this certificate. You can specify multiple domain names in separate lines.
IPAddressName
Specify the IP addresses that are secured by this certificate. You can specify multiple IP addresses in separate lines.
URIName
Specify the Uniform Resource Identifier.
RFC822Name
Specify the email address of the user to whom this certificate is issued.

For example,

"san": [
"DNSName : example.com",
"DNSName : another.domain.com",
"IPAddressName : 204.146.30.17",
"IPAddressName : 1001:0dc8:0:0:0:ff10:143e:57ab",
"URIName : http://example.com",
"RFC822Name : someone@example.com"
]
ou Specify the organizational unit name.
o Specify the organizational name.
country Specify the country name. Indicate the name as a two-letter country code.
validity

Specify the days during which the certificate is valid. The interval can range from 1 day to 9000 days.

fileName Required only when you create a certificate signing request. Specify the file name with extension (.csr) for the certificate signing request file.

Response

Response Headers
Header name Value and description
Status Code
200 OK
The request was successful. The response body contains the requested representation.
400 Bad Request
The authentication information was not provided in the correct format.
401 Unauthorized
The authentication credentials were missing or incorrect.
404 Not Found Error
The processing of the request fails.
500 Internal Server Error
The processing of the request fails because of an unexpected condition on the server.
Content-Type application/json
Content-Language Locale for the response message.
Success response body

JSON object with the following specification:

JSON property name Description
status Returns the status to indicate the certificate creation.
Error Response Body

JSON object with the following specification.

JSON property name Description
code Returns the application error code.
message Returns a message that describes the error.

Examples

Service request to create a certificate
POST https://localhost:port/SKLM/rest/v1/certificates
Content-Type: application/json
Accept : application/json
Authorization: SKLMAuth userAuthId=139aeh34567m
Accept-Language : en
{"type":"selfsigned","alias":"sklmCertificate","cn":"sklm","ou":"sales",
"o":"myCompanyName","usage":"3592","country":"US","validity":"999",
"algorithm": "RSA"  }
Success response
Status Code : 200 OK
Content-Language: en
{"Status":"Created a key pair and self-signed certificate: sklmCertificate"}
Service request to create a certificate with SAN
POST https://localhost:port/SKLM/rest/v1/certificates
Content-Type: application/json
Accept : application/json
Authorization: SKLMAuth userAuthId=139aeh34567m
Accept-Language : en
{
  "type": "self-signed",
  "alias": "cert2",
  "cn": "cert2",
  "usage": "3592",
  "algorithm": "RSA",
  "san": [
"DNSName : example.com",
"DNSName : another.domain.com",
"IPAddressName : 204.146.30.17",
"IPAddressName : 1001:0dc8:0:0:0:ff10:143e:57ab",
"URIName : http://example.com",
"RFC822Name : someone@example.com"
],
  "ou": "company unit",
  "o": "company",
  "country": "US",
  "validity": "450"
}
Success response
{
  "status": "CTGKM0503I Created a key pair and self-signed certificate: cert2 "
}
Incorrect usage example
OST https://localhost:port/SKLM/rest/v1/certificates
Content-Type: application/json
Accept : application/json
Authorization: SKLMAuth userAuthId=139aeh34567m
Accept-Language : en
{
  "type": "self-signed",
  "alias": "abc",
  "cn": "abc",
  "usage": "3592",
  "algorithm": "RSA",
  "validity": "450"
}
Error response
Status Code : 500 Internal Server Error
Content-Language: en
{
  "code": "CTGKM0519E",
  "message": "CTGKM0519E Operation fails because the key alias abc already exists. Specify valid alias, and retry the operation."
}