Create System Certificate REST Service

Use the Create System Certificate REST Service to create a self-signed server certificate or a certificate signing request.

Operation
POST
URL
https://host:port/SKLM/rest/v1/system/certificates

By default, Guardium® Key Lifecycle Manager server listens to the secure port 9443 (HTTPS) for communication. During IBM® Security Guardium Key Lifecycle Manager installation, you can modify this default port.

Request

Request Parameters
Parameter Description
host Specify the IP address or hostname of the IBM Security Guardium Key Lifecycle Manager server.
port Specify the port number on which the IBM Security Guardium Key Lifecycle Manager server listens for requests.
Request Headers
Header name Value
Content-Type application/json
Accept application/json
Authorization SKLMAuth userAuthId=<authIdValue>
Accept-Language Any valid locale that is supported by IBM Security Guardium Key Lifecycle Manager. For example, en or de.
Request body

JSON object with the following specification:

JSON property name Description
type Specify the type of the certificate.
Possible values:
  • self-signed: Specify self-signed when you want to create a self-signed certificate.
  • certreq: Specify certreq when you want to create a certificate signing request file to send to a third-party certificate authority.
The subject name and issuer name of the certificate are same.
alias Specify a unique name for the certificate. The alias is not case-sensitive.
cn Specify a common name for the certificate.
algorithm Specify the cryptographic algorithm for the certificate.
Possible values:
  • RSA
  • ECDSA
san

Specify the subject alternative name (SAN) containing domain names and IP addresses secured by this certificate, RFC822, and URI.

Each attribute and its value must be in a new line. The syntax for each line is:

attribute : value

The supported attributes are: DNSName, IPAddressName, URIName, RFC822Name
Note: The * special character is not allowed. For example, you cannot specify, DNSName : *.example.com. Instead of using the * character, you can specify multiple hostname in a separate line.

For example,

DNSName : example.com
DNSName : another.domain.com
IPAddressName : 204.146.30.17
URIName : http://example.com
RFC822Name : someone@example.com
ou

Specify the organizational unit name.
o

Specify the organizational name.
country

Specify the two-letter country code. For example, US for United States.
state

Specify the state name.
locality

Specify the locality.
usageSubtype Specify certificate usage type based on its purpose.
Possible values:
  • SERVERGUI_TLS: Specify this option to use the certificate to access GUI, Swagger UI, REST APIs, and for REST-based key serving.
  • KEYSERVING_TLS: Specify this option to use the certificate for key serving over IPP and KMIP.
  • EKMF_TLS: Specify this option to use the certificate for establishing secure communication between IBM Security Guardium Key Lifecycle Manager and EKMF Web.
validity Specify the days during which the certificate is valid. The interval can range from 1 day to 9000 days.
fileName Required only when the type property is set to certreq. Specify the output file name with the .csrextension in which the certificate request content is written.

Response

Response Headers
Header name Value and description
Status Code
200 OK
The request was successful. The response body contains the requested representation.
400 Bad Request
The authentication information was not provided in the correct format.
401 Unauthorized
The authentication credentials were missing or incorrect.
404 Not Found Error
The processing of the request fails.
500 Internal Server Error
The processing of the request fails because of an unexpected condition on the server.
Content-Type application/json
Content-Language Locale for the response message.
Success response body

JSON object with the following specification:

JSON property name Description
code Returns the code that is specified by the status property.
status Returns a status that indicates whether the certificate creation task is successful.
Error Response Body

JSON object with the following specification.

JSON property name Description
code Returns the application error code.
message Returns a message that describes the error.

Examples

Service request to create a self-signed certificate
POST https://localhost:port/SKLM/rest/v1/system/certificates
{
  "type": "self-signed",
  "alias": "server_cert",
  "cn": "server_cert",
  "algorithm": "ECDSA",
  "ou": "abc",
  "o": "abc",
  "country": "US",
  "state": "abc",
  "locality": "abc",
  "usageSubtype": "SERVERGUI_TLS",
  "validity": "100"
}
}
Success response
{
 "status": "CTGKM0503I Created a key pair and self-signed certificate: server_cert "
}