
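This assumes you have already obtained a Bearer Token using curl. The following curl command can be used to get the encoded certificate data of a certificate. The examples pass --insecure, which turns off TLS certificate verification; drop it when the client trusts the certificate presented by the server. The following formats can be used: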
- Base64
- Base64 (PKCS #8)
- DER
- PKCS #7
- PKCS #12
curl \
  --insecure \
  --request POST \
  --header "Authorization: Bearer abc123" \
  --header "Content-Type: application/json" \
  --data '{ "CertificateDN": "\\VED\\Policy\\foo\\bar\\foo.example.com", "Format": "Base64", "IncludeChain": true, "IncludePrivateKey": false, "Password": "itsasecret" }' \
  --url https://tpp.example.com/vedsdk/Certificates/Retrieve
Or like this, with the JSON body read from a file (foo.json).
curl \
  --insecure \
  --request POST \
  --header "Authorization: Bearer abc123" \
  --header "Content-Type: application/json" \
  --data @foo.json \
  --url https://tpp.example.com/vedsdk/Certificates/Retrieve
Or like this, using the GET method.
- If using the Base64 or DER formats, use --header "Content-Type: application/json"
- If using the PKCS formats, use --header "Content-Type: application/x-pkcs12" and redirect the output to a file, such as foo.pfx
curl \
  --insecure \
  --request GET \
  --header "Authorization: Bearer abc123" \
  --header "Content-Type: application/json" \
  --url "https://tpp.example.com/vedsdk/Certificates/Retrieve?CertificateDN=%5C%5CVED%5C%5CPolicy%5C%5Cfoo%5C%5Cbar%5C%5Cfoo.example.com&Format=Base64&IncludeChain=true&IncludePrivateKey=false&Password=itsasecret"
If "Installation failed" is returned, this means that the last attempt to install the certificate in Venafi failed.
{
"Stage":800,
"Status":"Installation failed"
}
Something like this should be returned.
{
"CertificateData":"MIIF9zCCBN+gAwIBAgITOgAAAO4. . . .",
"Filename":"foo.example.com",
"Format":"Base64"
}
Base64
If the Base64 format was used, the base64 command with the --decode flag can be used to decode the certificate data.
echo "MIIF9zCCBN+gAwIBAgITOgAAAO4. . . ." | base64 --decode
Which should return something like this.
-----BEGIN CERTIFICATE-----
MIIF9zCCBN+gAwIBAgITOgAAAO4w3LdZxHQvJAABAAAA7jANBgkqhkiG9w0BAQsF
ADBKMRMwEQYKCZImiZPyLGQBGRYDY29tMRswGQYKCZImiZPyLGQBGRYLVGhyaXZl
bnREZXYxFjAUBgNVBAMTDVRocml2ZW50RGV2Q0EwHhcNMjEwNjE2MTAz . . .
-----END CERTIFICATE-----
The output can be redirected to a file.
echo "MIIF9zCCBN+gAwIBAgITOgAAAO4. . . ." | base64 --decode > foo.cer
OpenSSL can be used to return the certificate data.
openssl x509 -in foo.cer -text -noout
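The same handling in a script, as an added example that is not part of the original article: it tells the Stage/Status failure response apart from a CertificateData response, decodes the Base64 layer, and splits the result into individual certificates with a SHA-256 fingerprint for each. The function names are hypothetical, the sample responses are constructed with placeholder bytes instead of real certificates, and it assumes that IncludeChain=true yields several PEM certificate blocks in one CertificateData value.

```python
import base64
import hashlib
import json
import re
import ssl

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

class RetrieveError(Exception):
    """The response carried Stage/Status instead of CertificateData."""

def parse_retrieve_response(body):
    """Return the DER bytes of every certificate in a Format=Base64 response."""
    doc = json.loads(body)
    if "CertificateData" not in doc:
        raise RetrieveError(f"Stage {doc.get('Stage')}: {doc.get('Status')}")
    if doc.get("Format") != "Base64":
        raise ValueError(f"expected Format Base64, got {doc.get('Format')!r}")
    # The outer Base64 layer wraps PEM text, which is itself Base64 of DER.
    pem_text = base64.b64decode(doc["CertificateData"]).decode("ascii")
    blocks = PEM_BLOCK.findall(pem_text)
    if not blocks:
        raise ValueError("CertificateData holds no PEM certificate block")
    return [ssl.PEM_cert_to_DER_cert(block) for block in blocks]

def sha256_fingerprints(ders):
    """SHA-256 over each DER certificate, for comparison with a known value."""
    return [hashlib.sha256(der).hexdigest() for der in ders]

def make_pem(der):
    """Helper for the constructed sample only: wrap bytes as a PEM block."""
    body = base64.encodebytes(der).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"

# Constructed sample input: placeholder bytes stand in for real DER data.
SAMPLE_CHAIN = make_pem(b"constructed leaf") + make_pem(b"constructed issuer")
SAMPLE_OK = json.dumps({
    "CertificateData": base64.b64encode(SAMPLE_CHAIN.encode()).decode(),
    "Filename": "foo.example.com",
    "Format": "Base64",
})
SAMPLE_FAILED = '{"Stage":800,"Status":"Installation failed"}'

if __name__ == "__main__":
    for fp in sha256_fingerprints(parse_retrieve_response(SAMPLE_OK)):
        print(fp)
    try:
        parse_retrieve_response(SAMPLE_FAILED)
    except RetrieveError as err:
        print("retrieve failed:", err)
```

With a real response, pass the JSON body that curl returned to parse_retrieve_response and compare the first fingerprint with the one you expect for the leaf certificate.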
PKCS
If the PKCS format was used, the output should have been redirected to a file, such as foo.p12 or foo.pfx.
curl \
  --insecure \
  --request GET \
  --header "Authorization: Bearer abc123" \
  --header "Content-Type: application/x-pkcs12" \
  --url "https://tpp.example.com/vedsdk/Certificates/Retrieve?CertificateDN=%5C%5CVED%5C%5CPolicy%5C%5Cfoo%5C%5Cbar%5C%5Cfoo.example.com&Format=PKCS%20%2312&IncludeChain=true&IncludePrivateKey=false&Password=itsasecret" \
  --output foo.pfx
In this scenario, OpenSSL can be used to display the P12 or PFX data.
openssl pkcs12 -in foo.pfx -info -passin pass:itsasecret