Venafi (Certificate Management) - Dissociate a certificate with an Installation using REST API

by Jeremy Canfield | Updated: August 28 2023
This assumes you have already obtained a Bearer Token using curl. The following curl command can be used to view a certificate's details. In this example, the details of the certificate with GUID 2b23f743-5152-4366-a2f9-f7ab2249df1e will be retrieved.
curl \
--insecure \
--request GET \
--header "Authorization: Bearer abc123" \
--header "Content-Type: application/json" \
--url https://tpp.example.com/vedsdk/certificates/2b23f743-5152-4366-a2f9-f7ab2249df1e
Something like this should be returned. Notice in this example that one of the Consumers is \\VED\\Policy\\foo\\server001.example.com\\Apache-foo.example.com and that the status is "Installation failed". This might be a scenario where it makes sense to dissociate an installation.
{
  'Contact' => [
    'John Doe'
  ],
  'CreatedBy' => [
    'Aperture'
  ],
  'ManagementType' => 'Provisioning',
  'RenewalDetails' => {
    'Country' => 'US',
    'Subject' => 'foo.example.com',
    'KeySize' => 2048,
    'OrganizationalUnit' => [
      'Information Technology'
    ],
    'City' => 'Appleton',
    'State' => 'WI',
    'Organization' => 'Acme'
  },
  'SchemaClass' => 'X509 Server Certificate',
  'ParentDn' => '\\VED\\Policy\\foo\\bar',
  'ManagedBy' => 'Aperture',
  'Guid' => '{2b23f743-5152-4366-a2f9-f7ab2249df1e}',
  'CreatedOn' => '2021-06-16T10:44:08.6881441Z',
  'Origin' => 'Aperture',
  'Approver' => [
    'local:{19ff170f-24b6-4d18-b8c3-ff394fef2773}'
  ],
  'DN' => '\\VED\\Policy\\foo\\bar\\foo.example.com',
  'ProcessingDetails' => {
    'InError' => 1,
    'Status' => 'Installation failed',
    'Stage' => 800
  },
  'CertificateDetails' => {
    'S' => 'WI',
    'KeyUsage' => 'KeyEncipherment, DigitalSignature',
    'KeySize' => 2048,
    'EnhancedKeyUsage' => 'Client Authentication(1.3.6.1.5.5.7.3.2),Server Authentication(1.3.6.1.5.5.7.3.1)',
    'Serial' => '3A000000FB23C28B20CCBA47310001000000FB',
    'Thumbprint' => '60270E2B209828820BE26DA48DE94FF96453F875',
    'SubjectAltNameDNS' => [
      'foo.example.com'
    ],
    'OU' => [
      'Information Technology'
    ],
    'C' => 'US',
    'CDPURI' => '',
    'L' => 'Appleton',
    'CN' => 'foo.example.com',
    'KeyAlgorithm' => 'RSA',
    'TemplateMinorVersion' => '4',
    'O' => 'Acme',
    'Subject' => 'CN=foo.example.com, OU=Information Technology, O=Acme, L=Appleton, S=WI, C=US',
    'StoreAdded' => '2021-06-18T12:30:40.1679793Z',
    'ValidTo' => '2022-06-18T12:20:40.0000000Z',
    'SKIKeyIdentifier' => 'A4FEA09911A379C9567048F18B53FD7F7EBEE135',
    'SignatureAlgorithmOID' => '1.2.840.113549.1.1.11',
    'AIACAIssuerURL' => [
      ''
    ],
    'AIAKeyIdentifier' => 'C0AAD11E2E32B5FEBAA4A47BED2DD21A0EB50C5C',
    'ValidFrom' => '2021-06-18T12:20:40.0000000Z',
    'SignatureAlgorithm' => 'sha256RSA',
    'TemplateName' => 'WebServer-Annual',
    'TemplateMajorVersion' => '100',
    'TemplateOID' => '1.3.6.1.4.1.311.21.8.15834779.3475046.12272809.5410922.5223003.179.6107418.4478281',
    'Issuer' => 'CN=fooCA, DC=example, DC=com',
    'PublicKeyHash' => 'BC6E5FC22D4E69969C27EDB1B55EAE88E6416CC8'
  },
  'ValidationDetails' => {
    'ValidationState' => 'Failure',
    'LastValidationStateUpdate' => '2021-06-18T11:00:16.0000000Z'
  },
  'CertificateAuthorityDN' => '\\VED\\Policy\\Certificate Authorities\\fooCA\\myfoo',
  'Consumers' => [
    '\\VED\\Policy\\foo\\server001.example.com\\Apache-foo.example.com'
  ],
  'Description' => 'foo.example.com',
  'Name' => 'foo.example.com'
};
The following command can be used to remove (dissociate) the Consumer (Installation).
curl \
--insecure \
--request POST \
--header "Authorization: Bearer abc123" \
--header "Content-Type: application/json" \
--url https://tpp.example.com/vedsdk/certificates/dissociate \
--data '{ "CertificateDN": "\\VED\\Policy\\foo\\bar\\foo.example.com", "ApplicationDN": [ "\\VED\\Policy\\foo\\server001.example.com\\Apache-foo.example.com" ], "DeleteOrphans": true }'
Or like this, with the request body read from a file named foo.json.
curl \
--insecure \
--request POST \
--header "Authorization: Bearer abc123" \
--header "Content-Type: application/json" \
--url https://tpp.example.com/vedsdk/certificates/dissociate \
--data @foo.json
If the dissociate is successful, the following should be returned.
{"Success":true}
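One way to generate the foo.json body used by the second form of the command, as an added example that is not part of the original article or of Venafi's own code. It assumes the certificate details response has been parsed from JSON with the keys shown above; the function names and the rule of only dissociating listed Consumers of a certificate in "Installation failed" status are assumptions of this example.

```python
import json

# Constructed sample: a subset of the certificate details shown above, as the
# parsed JSON response (assumed to carry the same keys as the dump on this page).
SAMPLE_DETAILS = {
    "DN": r"\VED\Policy\foo\bar\foo.example.com",
    "ProcessingDetails": {"InError": 1, "Status": "Installation failed", "Stage": 800},
    "Consumers": [r"\VED\Policy\foo\server001.example.com\Apache-foo.example.com"],
}


def build_dissociate_body(details, consumers=None, delete_orphans=True):
    """Return the body for POST /vedsdk/certificates/dissociate.

    Guard rails (policy assumed for this example): the certificate must report
    'Installation failed', and every DN must be one of its listed Consumers.
    """
    status = details.get("ProcessingDetails", {}).get("Status")
    if status != "Installation failed":
        raise ValueError(f"unexpected status {status!r}; not dissociating")
    listed = details.get("Consumers", [])
    targets = list(listed) if consumers is None else list(consumers)
    if not targets:
        raise ValueError("no consumers to dissociate")
    unknown = [dn for dn in targets if dn not in listed]
    if unknown:
        raise ValueError(f"not a consumer of this certificate: {unknown}")
    return {
        "CertificateDN": details["DN"],
        "ApplicationDN": targets,
        "DeleteOrphans": delete_orphans,
    }


def write_body(body, path="foo.json"):
    """Write the body as JSON; json.dumps doubles each backslash in the DNs."""
    text = json.dumps(body, indent=2)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text + "\n")
    return text


if __name__ == "__main__":
    print(write_body(build_dissociate_body(SAMPLE_DETAILS)))
```

Pass the resulting file with `--data @foo.json`. Supplying the server's CA certificate with curl's `--cacert` option instead of `--insecure` keeps the Bearer Token from being sent over a TLS connection whose server certificate was never verified.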