This assumes you have already obtained a Bearer Token using the Venafi REST API.
AVOID TROUBLE
In order to install a certificate, you will need to have the security:manage scope when obtaining a Bearer Token using the Venafi REST API.
Let's say you have a certificate named foo.example.com in Venafi. You will almost always want to first use the REST API to list the details of the foo.example.com certificate. In this example, 2b23f743-5152-4366-a2f9-f7ab2249df1e is the GUID of the foo.example.com certificate.
curl
--insecure
--request GET
--header "Authorization: Bearer abc123"
--url https://tpp.example.com/vedsdk/certificates/2b23f743-5152-4366-a2f9-f7ab2249df1e
Something like this should be returned. Make note of the following:
- Ensure Management Type is Provisioning
- Make note of the approvers
- Make note of the consumers
{
'Contact' => [
'John Doe'
],
'CreatedBy' => [
'Aperture'
],
'ManagementType' => 'Provisioning',
'RenewalDetails' => {
'Country' => 'US',
'Subject' => 'foo.example.com',
'KeySize' => 2048,
'OrganizationalUnit' => [
'Information Technology'
],
'City' => 'Appleton',
'State' => 'WI',
'Organization' => 'Acme'
},
'SchemaClass' => 'X509 Server Certificate',
'ParentDn' => '\\VED\\Policy\\foo\\bar',
'ManagedBy' => 'Aperture',
'Guid' => '{2b23f743-5152-4366-a2f9-f7ab2249df1e}',
'CreatedOn' => '2021-06-16T10:44:08.6881441Z',
'Origin' => 'Aperture',
'Approver' => [
'local:{19ff170f-24b6-4d18-b8c3-ff394fef2773}'
],
'DN' => '\\VED\\Policy\\foo\\bar\\foo.example.com',
'ProcessingDetails' => {
'InProcess' => 1,
'Status' => 'Queued for renewal'
},
'CertificateDetails' => {
'S' => 'WI',
'KeyUsage' => 'KeyEncipherment, DigitalSignature',
'KeySize' => 2048,
'EnhancedKeyUsage' => 'Client Authentication(1.3.6.1.5.5.7.3.2),Server Authentication(1.3.6.1.5.5.7.3.1)',
'Serial' => '3A000000FB23C28B20CCBA47310001000000FB',
'Thumbprint' => '60270E2B209828820BE26DA48DE94FF96453F875',
'SubjectAltNameDNS' => [
'foo.example.com'
],
'OU' => [
'Information Technology'
],
'C' => 'US',
'CDPURI' => '',
'L' => 'Appleton',
'CN' => 'foo.example.com',
'KeyAlgorithm' => 'RSA',
'TemplateMinorVersion' => '4',
'O' => 'Acme',
'Subject' => 'CN=foo.example.com, OU=Information Technology, O=Acme, L=Appleton, S=WI, C=US',
'StoreAdded' => '2021-06-18T12:30:40.1679793Z',
'ValidTo' => '2022-06-18T12:20:40.0000000Z',
'SKIKeyIdentifier' => 'A4FEA09911A379C9567048F18B53FD7F7EBEE135',
'SignatureAlgorithmOID' => '1.2.840.113549.1.1.11',
'AIACAIssuerURL' => [
''
],
'AIAKeyIdentifier' => 'C0AAD11E2E32B5FEBAA4A47BED2DD21A0EB50C5C',
'ValidFrom' => '2021-06-18T12:20:40.0000000Z',
'SignatureAlgorithm' => 'sha256RSA',
'TemplateName' => 'WebServer-Annual',
'TemplateMajorVersion' => '100',
'TemplateOID' => '1.3.6.1.4.1.311.21.8.15834779.3475046.12272809.5410922.5223003.179.6107418.4478281',
'Issuer' => 'CN=fooCA, DC=example, DC=com',
'PublicKeyHash' => 'BC6E5FC22D4E69969C27EDB1B55EAE88E6416CC8'
},
'ValidationDetails' => {
'ValidationState' => 'Failure',
'LastValidationStateUpdate' => '2021-06-18T11:00:16.0000000Z'
},
'CertificateAuthorityDN' => '\\VED\\Policy\\Certificate Authorities\\fooCA\\myfoo',
'Consumers' => [
'\\VED\\Policy\\foo\\server001.example.com\\foo.example.com'
],
'Description' => 'foo.example.com',
'Name' => 'foo.example.com'
};
Here is how you would schedule the certificate for installation, replacing CertificateDN with the Certificate DN's listed in the prior command.
curl
--insecure
--request POST
--header "Authorization: Bearer abc123"
--header "Content-Type: application/json"
--url https://tpp.example.com/vedsdk/certificates/push"
--data '{ "CertificateDN":"\\VED\\Policy\\foo\\server001.example.com\\foo.example.com", "PushToAll": "true" }'
If the certificate is successfully scheduled for installation, something like this should be returned.
{"Success":true}
Be aware that the approvers will need to approve the installation. I don't think the approval can be done using the REST API. The approvals can be done using Aperture (the web GUI).
Did you find this article helpful?
If so, consider buying me a coffee over at 