Creating Azure Certificates
Use the post /v1/cckm/azure/certificates API to create Azure certificates.
Specify the following details.
- Name for the certificate. 
- Name or ID of the key vault where the certificate will be created. 
Syntax
```shell
curl -k '<IP>/api/v1/cckm/azure/certificates' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n "cert_name": "<cert_name>",\n "key_vault": "<key_vault>",\n "azure_param": {<azure_params>}\n}' --compressed
```
Request Parameters
| Parameter | Type | Description | 
|---|---|---|
| AUTHTOKEN | string | Authorization token. | 
| azure_param | JSON | Azure certificate parameters. Refer to Azure Parameters for details. | 
| cert_name | string | Name for the Azure certificate. Certificate names can only contain alphanumeric characters and hyphens (-). | 
| key_vault | string | Name or ID of the Azure vault where the certificate will be created. Vaults stored in Azure Managed HSM pools are not supported. | 
Azure Parameters
| Parameter | Type | Description | 
|---|---|---|
| policy | JSON | Policy for the certificate. A certificate policy includes information such as: • Issuer of the X.509 component of the certificate • Properties of the key backing the certificate • Properties of the X.509 component of a certificate • Attributes of the certificate • Actions that will be performed by the key vault over the lifetime of the certificate • Secret properties. | 
| tags | JSON | An optional parameter to add additional information to the certificate. The value must be specified as the key-value pair. Refer to the following rules on tag values. | 
CCKM applies the following rules to tag values:
- Allowed: alphanumeric characters and the special characters ! @ # $ ) ( { } > < ? + - / [ ] ^ & = | ~ ` ; . ' _
- Not allowed: colon (:) and percent (%).
Issuer Details
| Parameter | Type | Description | 
|---|---|---|
| name | string | Name of the referenced issuer object or a reserved name. Set to Self for a self-signed certificate. | 
| cert_transparency | boolean | Whether the certificates generated under this policy should be published to certificate transparency logs. Not valid for self-signed certificates. | 
| cty | string | Type of the certificate supported by the provider. For example, OV-SSL or EV-SSL. Not valid for self-signed certificates. | 
Key Properties
| Parameter | Type | Description | 
|---|---|---|
| kty | string | The type of key to create. The options are: • EC: "Soft" Elliptic Curve key. • EC-HSM: "Hard" Elliptic Curve key (only for premium key vaults). • RSA: "Soft" RSA key. • RSA-HSM: "Hard" RSA key (only for premium key vaults). | 
| crv | string | Elliptic curve name for the key. The options are: • P-256 • P-384 • P-521 • SECP256K1 | 
| exportable | boolean | Whether the private key can be exported. Not valid for RSA-HSM and EC-HSM keys. | 
| key_size | integer | Size for the RSA and RSA-HSM keys. The options are: • 2048 • 3072 • 4096 | 
| reuse_key | boolean | Whether the same key pair will be used on certificate renewal. | 
X.509 Properties
| Parameter | Type | Description | 
|---|---|---|
| subject | string | The subject name. Should be a valid X.509 distinguished name. | 
| ekus | array of strings | Enhanced key usage. For example, "1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2". | 
| key_usage | array of strings | Allowed key usages. The options are: • CRLSign • DataEncipherment • DecipherOnly • DigitalSignature • EncipherOnly • KeyAgreement • KeyCertSign • KeyEncipherment • NonRepudiation | 
| sans | JSON | Subject Alternative Names (SANs). Specify dns_names, emails, and User Principal Names (upns). | 
| validity_months | integer | Duration (in months) for which the certificate is valid. | 
Certificate Attributes
| Parameter | Type | Description | 
|---|---|---|
| enabled | boolean | Whether the certificate is enabled ( true/false). | 
| exp | string | Expiration date for the certificate in Unix Epoch time format. For example, the corresponding epoch time for September 9, 2022, 5:52:20 AM is 1662702740. | 
| nbf | string | Activation date for the certificate in Unix Epoch time format. For example, the corresponding epoch time for September 9, 2022, 5:52:20 AM is 1662702740. The certificate cannot be activated before this date. | 
Lifetime Actions
| Parameter | Type | Description | 
|---|---|---|
| action | JSON | The action to perform on the certificate. Specify action_type, which can be AutoRenew or EmailContacts. | 
| trigger | JSON | The condition that will trigger the action. Specify either of the following: • days_before_expiry: Days before expiry to attempt renewal. The value should be between 1 and validity_in_months multiplied by 27. If validity_in_months is 36, then the value should be between 1 and 972 (36 * 27). • lifetime_percentage: Percentage of lifetime at which to trigger the action. The value should be between 1 and 99. | 
lifetime_percentage and days_before_expiry are mutually exclusive: specify only one of them.
Secret Properties
| Parameter | Type | Description | 
|---|---|---|
| contentType | string | Content type of the secret backing the certificate. The options are: • application/x-pkcs12 • application/x-pem-file | 
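As an added example that is not part of this page or the product's own code, the following Python helper assembles and validates a request body for this endpoint before sending it. The endpoint path, parameter names and the rules stated above (certificate-name characters, allowed tag-value characters, the lifetime trigger ranges, Unix epoch nbf/exp) come from this page. The nesting of the policy under issuer, key_props, x509_props, attributes, lifetime_actions and secret_props follows Azure Key Vault's certificate-policy layout and is an assumption to confirm against the product's API reference; the sample values and the create_certificate sender are likewise illustrative.

```python
"""Build, validate and send a CCKM "create Azure certificate" request.

Constructed example: endpoint, field names and validation rules are from the
documentation above; the policy nesting and sample values are assumptions.
"""
import json
import re
import urllib.request
from datetime import datetime, timezone

CERT_NAME_RE = re.compile(r"^[A-Za-z0-9-]+$")  # alphanumerics and hyphens only

# Characters CCKM accepts in tag values: alphanumerics plus the listed specials.
# Colon (:) and percent (%) are rejected, so they are absent from this set.
TAG_VALUE_ALLOWED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    "!@#$)({}><?+-/[]^&=|~`;.'_"
)

# The page's own example instant (September 9, 2022, 5:52:20 AM, taken as UTC).
SAMPLE_NBF = datetime(2022, 9, 9, 5, 52, 20, tzinfo=timezone.utc)


def cert_name_problems(name):
    """Return a list of rule violations for cert_name (empty list means OK)."""
    if not CERT_NAME_RE.match(name):
        return [f"cert_name {name!r}: only alphanumerics and hyphens are allowed"]
    return []


def tag_problems(tags):
    """Return violations found in tag values (each tag is a key-value pair)."""
    problems = []
    for key, value in tags.items():
        bad = sorted(set(value) - TAG_VALUE_ALLOWED)
        if bad:
            problems.append(f"tag {key!r}: disallowed characters {bad}")
    return problems


def trigger_problems(trigger, validity_months):
    """Check a lifetime-action trigger against the documented ranges."""
    if set(trigger) == {"lifetime_percentage"}:
        pct = trigger["lifetime_percentage"]
        return [] if 1 <= pct <= 99 else [f"lifetime_percentage {pct} not in 1..99"]
    if set(trigger) == {"days_before_expiry"}:
        days = trigger["days_before_expiry"]
        limit = validity_months * 27  # upper bound as documented above
        return [] if 1 <= days <= limit else [f"days_before_expiry {days} not in 1..{limit}"]
    return ["trigger must contain exactly one of lifetime_percentage or days_before_expiry"]


def epoch_seconds(moment):
    """nbf/exp are Unix epoch seconds; moment must be timezone-aware."""
    return int(moment.timestamp())


def build_request(cert_name, key_vault, subject, validity_months, trigger,
                  tags=None, kty="RSA", key_size=2048, nbf=None, exp=None):
    """Assemble the request body, raising ValueError on any rule violation."""
    tags = tags or {}
    problems = (cert_name_problems(cert_name) + tag_problems(tags)
                + trigger_problems(trigger, validity_months))
    if problems:
        raise ValueError("; ".join(problems))
    attributes = {"enabled": True}
    if nbf is not None:
        attributes["nbf"] = str(epoch_seconds(nbf))  # documented as a string
    if exp is not None:
        attributes["exp"] = str(epoch_seconds(exp))
    policy = {  # assumed nesting (Azure Key Vault certificate-policy layout)
        "issuer": {"name": "Self"},  # self-signed: cty/cert_transparency not valid
        "key_props": {"kty": kty, "key_size": key_size,
                      "exportable": True, "reuse_key": False},
        "x509_props": {"subject": subject,
                       "ekus": ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"],
                       "key_usage": ["DigitalSignature", "KeyEncipherment"],
                       "validity_months": validity_months},
        "attributes": attributes,
        "lifetime_actions": [{"trigger": trigger,
                              "action": {"action_type": "AutoRenew"}}],
        "secret_props": {"contentType": "application/x-pkcs12"},
    }
    body = {"cert_name": cert_name, "key_vault": key_vault,
            "azure_param": {"policy": policy}}
    if tags:
        body["azure_param"]["tags"] = tags
    return body


def create_certificate(base_url, token, body):
    """POST the body to /api/v1/cckm/azure/certificates and return the JSON reply.

    Unlike the page's curl example (-k), TLS certificate verification stays on.
    """
    req = urllib.request.Request(
        f"{base_url}/api/v1/cckm/azure/certificates",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json",
                 "accept": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    body = build_request("web-tls-cert", "<key_vault_name_or_id>",
                         "CN=www.example.test, O=Example", 12,
                         {"lifetime_percentage": 80},
                         tags={"env": "prod", "owner": "sec-eng"}, nbf=SAMPLE_NBF)
    print(json.dumps(body, indent=2))
```

Running the module prints the body it would send; pass the result to create_certificate with the CipherTrust base URL and a bearer token to perform the call. Validation runs client-side so that a rejected name, tag value or trigger range is caught before the request reaches the key vault.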
Example Request
```shell
curl -k 'https://127.0.0.1/api/v1/cckm/azure/certificates' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJiYTIyYmI0NC03YWU1LTRiNTEtYTliOS0zMTVhOWU3M2YwMjIiLCJzdWIiOiJsb2NhbHwwNGNmNTgwNi05MDMwLTQ2NTAtYTg0Zi0xMTYyNjNiOTc1NzQiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iLCJLZXkgVXNlcnMiLCJVc2VyIEFkbWlucyJdLCJzaWQiOiI0ZWIzMmFiOS1hMzEwLTQ3ZjYtODQ2NC1mNjQ2NWNmMjJkYTMiLCJ6b25lX2lkIjoiMDAwMDAwMDAtMDAwMC0wMDAwLTAwMDAtMDAwMDAwMDAwMDAwIn0sImp3dGlkIjoiZTkyN2RjNWItNTQxYS00NmQyLWJmMDEtM2ZhMzQ3MmUyODQxIiwiaWF0IjoxNjUxODE2MjgyLCJleHAiOjE2NTE4MTY1ODJ9.CGGiI2Pf98QPXeZNuGO7vsUBePaVd-qVam17HJcFu-I' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n  "cert_name": "azure_secret",\n  "key_vault": "9ae64517-7249-42a9-bf86-9252add02ef9",\n "azure_param": {\n "value": "test-certificate-value",\n    "attributes": {\n "enabled": true\n}\n  }\n}' --compressed
```
Example Response
```json
{
    "id": "4e6cdba1-a87b-4b52-9933-b61c0bf9e6aa",
    "uri": "kylo:kylo:cckm:azure-cert:test-cert-995fad5f-9f26-47d6-a537-6c980ff6bfcf",
    "account": "kylo:kylo:admin:accounts:kylo",
    "createdAt": "2022-04-13T02:05:26.859118132Z",
    "updatedAt": "2022-04-13T02:05:26.859118132Z",
    "synced_at": "2022-04-13T02:05:21Z",
    "cloud_name": "AzureCloud",
    "key_vault": "vault-name::260ecbe7-777b-4d3c-84ea-887620498863",
    "key_vault_id": "84340213-a515-43d1-acc4-e2eaa6efbe94",
    "region": "northcentralus",
    "tenant": "781b4642-6e0e-4794-94df-6b0878ab0317",
    "azure_created_at": "2022-04-13T02:05:21Z",
    "azure_expire_at": "2023-04-13T02:05:21Z",
    "azure_updated_at": "2022-04-13T02:05:21Z",
    "backup": "4f408a63211b4f62b74bf611a13e7fbc1c6df4bc01864be3a2058823c7fc81e7",
    "backup_at": "2022-04-13T02:05:26.843615617Z",
    "cert_name": "test-cert",
    "cert_soft_deleted_in_azure": false,
    "deleted": false,
    "gone": false,
    "cert_material_origin": "native",
    "cert_source": "native",
    "operation": "",
    "soft_delete_enabled": true,
    "status": "AVAILABLE",
    "version": "077969ab4e4b43c8805eabee58228fd2",
    "azure_param": {
        "cer": "<certificate contents omitted>",
        "kid": "https://vault-name.vault.azure.net/keys/test-cert/077969ab4e4b43c8805eabee58228fd2",
        "sid": "https://vault-name.vault.azure.net/secrets/test-cert/077969ab4e4b43c8805eabee58228fd2",
        "x5t": "Xq1g2L-c5aOUB33QPCaiNQUFdAg",
        "lifetime_actions": [
            {
                "trigger": {
                    "lifetime_percentage": 80
                },
                "action": {
                    "action_type": "AutoRenew"
                }
            }
        ],
        "crv": "",
        "exportable": true,
        "key_size": 2048,
        "kty": "RSA",
        "content_type": "application/x-pkcs12",
        "ekus": [
            "1.3.6.1.5.5.7.3.1",
            "1.3.6.1.5.5.7.3.2"
        ],
        "key_usage": [
            "digitalSignature",
            "keyEncipherment"
        ],
        "subject": "C=US, ST=WA, L=Redmond, O=Contoso, OU=Contoso HR, CN=www.contoso.co",
        "validity_months": 12,
        "issuer_name": "Self",
        "attributes": {
            "created": 1649815521,
            "enabled": true,
            "exp": 1681351521,
            "nbf": 1649814921,
            "recoverable_days": 7,
            "recovery_level": "CustomizedRecoverable+Purgeable",
            "updated": 1649815521
        }
    }
}
```
The sample output shows that a certificate is created in the Azure vault.
Response Codes
| Response Code | Description | 
|---|---|
| 2xx | Success | 
| 4xx | Client errors | 
| 5xx | Server errors | 
Refer to HTTP status codes for details.