Bootstrap FreeKB - Venafi (Certificate Management) - Get encoded certificate data using REST API
Venafi (Certificate Management) - Get encoded certificate data using REST API


This assumes you have already obtained a Bearer Token using curl. The following curl command retrieves the encoded data of a certificate from Venafi TPP. These values are accepted for Format:

  • Base64
  • Base64 (PKCS #8)
  • DER
  • PKCS #7
  • PKCS #12
curl \
--insecure \
--request POST \
--header "Authorization: Bearer abc123" \
--header "Content-Type: application/json" \
--data '{ "CertificateDN": "\\VED\\Policy\\foo\\bar\\foo.example.com", "Format": "Base64", "IncludeChain": true, "IncludePrivateKey": false, "Password": "itsasecret" }' \
--url https://tpp.example.com/vedsdk/Certificates/Retrieve

 

Or like this, with the same JSON body stored in a file named foo.json.

curl \
--insecure \
--request POST \
--header "Authorization: Bearer abc123" \
--header "Content-Type: application/json" \
--data @foo.json \
--url https://tpp.example.com/vedsdk/Certificates/Retrieve

 

Or like this, using the GET method, with the parameters passed in the query string (the backslashes in the CertificateDN are percent-encoded as %5C).

  • If using the Base64 or DER formats, use --header "Content-Type: application/json"
  • If using the PKCS formats, use --header "Content-Type: application/x-pkcs12" and redirect the output to a file, such as foo.pfx
curl \
--insecure \
--request GET \
--header "Authorization: Bearer abc123" \
--header "Content-Type: application/json" \
--url "https://tpp.example.com/vedsdk/Certificates/Retrieve?CertificateDN=%5C%5CVED%5C%5CPolicy%5C%5Cfoo%5C%5Cbar%5C%5Cfoo.example.com&Format=Base64&IncludeChain=true&IncludePrivateKey=false&Password=itsasecret"

 

If Installation failed is returned, this means that the last attempt to install the certificate in Venafi failed, and no certificate data is returned.

{
 "Stage":800,
 "Status":"Installation failed"
}

 

Otherwise, something like this should be returned, with the certificate data base64-encoded in CertificateData.

{
  "CertificateData":"MIIF9zCCBN+gAwIBAgITOgAAAO4. . . .",
  "Filename":"foo.example.com",
  "Format":"Base64"
}

 


Base64

If the Base64 format was used, the CertificateData value can be decoded using the base64 command with the --decode flag.

echo "MIIF9zCCBN+gAwIBAgITOgAAAO4. . . ." | base64 --decode

 

Which should return something like this.

-----BEGIN CERTIFICATE-----
MIIF9zCCBN+gAwIBAgITOgAAAO4w3LdZxHQvJAABAAAA7jANBgkqhkiG9w0BAQsF
ADBKMRMwEQYKCZImiZPyLGQBGRYDY29tMRswGQYKCZImiZPyLGQBGRYLVGhyaXZl
bnREZXYxFjAUBgNVBAMTDVRocml2ZW50RGV2Q0EwHhcNMjEwNjE2MTAz . . .
-----END CERTIFICATE-----

 

The output can be redirected to a file.

echo "MIIF9zCCBN+gAwIBAgITOgAAAO4. . . ." | base64 --decode > foo.cer

 

OpenSSL can then be used to display the decoded certificate.

openssl x509 -in foo.cer -text -noout

 


PKCS

If the PKCS format was used, the output should have been redirected to a file, such as foo.p12 or foo.pfx. Note that Format is set to PKCS #12 here (percent-encoded as PKCS%20%2312), not Base64.

curl \
--insecure \
--request GET \
--header "Authorization: Bearer abc123" \
--header "Content-Type: application/x-pkcs12" \
--url "https://tpp.example.com/vedsdk/Certificates/Retrieve?CertificateDN=%5C%5CVED%5C%5CPolicy%5C%5Cfoo%5C%5Cbar%5C%5Cfoo.example.com&Format=PKCS%20%2312&IncludeChain=true&IncludePrivateKey=false&Password=itsasecret" \
--output foo.pfx

 

In this scenario, OpenSSL can be used to display the P12 or PFX data, supplying the same password that was passed to Venafi in the request.

openssl pkcs12 -in foo.pfx -info -passin pass:itsasecret
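To show how a client would handle the two response shapes described in the Base64 and PKCS sections above, here is an added Python example (not from this article and not Venafi's code): the JSON body that carries either base64-encoded CertificateData or an installation status, and the raw PKCS #12 body that must be saved byte-for-byte. The sample responses are constructed from the article's examples and the function names are my own.

```python
import base64
import json

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"


class RetrieveError(Exception):
    """Raised when TPP returns a status (e.g. "Installation failed") instead of data."""


def retrieve_status(body: bytes):
    """Return the Status string from a JSON Retrieve response, or None when the
    response carries CertificateData (i.e. the "Installation failed" case only)."""
    doc = json.loads(body)
    return None if "CertificateData" in doc else doc.get("Status", "unknown status")


def decode_retrieve_json(body: bytes) -> bytes:
    """Decode CertificateData from a JSON Retrieve response (Base64 or DER format).
    The field is base64 text; for Format=Base64 the decoded bytes are the PEM block
    the article shows, for Format=DER they are the raw DER certificate (assumption)."""
    doc = json.loads(body)
    if "CertificateData" not in doc:
        raise RetrieveError(f"stage {doc.get('Stage')}: {doc.get('Status')}")
    return base64.b64decode(doc["CertificateData"], validate=True)


def classify_retrieve_response(content_type: str, body: bytes):
    """Dispatch on the response Content-Type the article describes: application/json
    bodies are decoded, application/x-pkcs12 bodies are the binary PKCS #12 container
    and are returned unchanged so they can be written to a .pfx file."""
    if content_type.lower().startswith("application/json"):
        data = decode_retrieve_json(body)
        return ("pem" if data.startswith(PEM_HEADER) else "der"), data
    return "pkcs12", body


# Constructed sample responses in the shape shown in the article (not real TPP output;
# the PEM body is a placeholder string, not a certificate).
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nMIIF9zCCBN+gAwIBAgITOgAAAO4\n-----END CERTIFICATE-----\n"
SAMPLE_OK = json.dumps({"CertificateData": base64.b64encode(SAMPLE_PEM).decode(),
                        "Filename": "foo.example.com", "Format": "Base64"}).encode()
SAMPLE_FAILED = b'{"Stage":800,"Status":"Installation failed"}'

if __name__ == "__main__":
    kind, data = classify_retrieve_response("application/json", SAMPLE_OK)
    with open("foo.cer", "wb") as fh:   # same file name the article feeds to openssl x509
        fh.write(data)
    print(kind, len(data), retrieve_status(SAMPLE_FAILED))
```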

 





Comments


October 11 2023 by FrankB
For your PKCS example, should your content type be "Content-Type: application/x-pkcs12"?

October 13 2023 by Jeremy (moderator)
Nice catch Frank! I got the example updated to have application/x-pkcs12
