Resolution

Importing a certificate or an SSH key using the REST API requires two files.

The first file is the data file containing information in JSON format about the certificate or SSH key required by the API (i.e. name, type, usage, password). The second file is the certificate/key file containing the certificate/SSH key itself - for example "certificate.p12", "id_rsa.pem")

Data file

The required data fields in the data file depend on the type and usage of the certificate or SSH key being imported in ST. The types are "x509" for certificates or "ssh" for SSH keys. The types of usage for certificates are "private", "local", "partner", "login" or "trusted". For SSH keys they are "private", "local" or "login". The content of the certificate/SSH key data file would differ depending on the selected type.

Here is an example content of a data file for a local certificate. It will be imported into the Local Certificates tab in the Admin UI. Since this kind of usage in ST requires a password-protected certificate file to be imported, the JSON object in the data file requires the password field.

{
"name" : "certificate",
"type" : "x509",
"usage" : "local",
"overwrite" : true,
"password" : "12345678"
}

The overwrite field can be used to replace an existing certificate with the same name, type, and usage

Below is an example content of the certificate data file for a trusted CA certificate. It will be imported into the Trusted CAs tab of the Admin UI. You will also need the ST's Internal CA's password in the caPassword field in this case.

{
"name" : "trusted-ca-cert",
"type" : "x509",
"usage" : "trusted",
"caPassword" : "12345678"
}

To import an SSH private key into an account's private section, the following data file can be used as an example.

{
       "name": "ssh-private",
       "subject": "CN=test",
       "type": "ssh",
       "usage": "private",
       "validityPeriod": 365,
       "account": "test",
       "accessLevel": "PRIVATE",
       "caPassword": "12345678",
       "password": "12345678",
       "overwrite": false
}

The example below shows how to import an SSH public key into an account's login section.

{
       "name": "ssh-login",
       "subject": "CN=test",
       "type": "ssh",
       "usage": "login",
       "validityPeriod": 365,
       "account": "test",
       "accessLevel": "PRIVATE",
       "caPassword": "12345678",
       "overwrite": false
}

Certificate file

The certificate file is the file (i.e. certificate.p12 or trusted-ca-certificate.crt) containing the certificate itself. This file will be passed to the APi as-is, and assuming the file is prepared in the correct certificate format, no modifications of the certificate file itself will be needed before import.

SSH key file

As with the certificate file above, the SSH key is the file containing either the public or the private SSH key. Again, no modifications of the SSH key file are necessary before import.

Importing with cURL

An example curl command to import a certificate using the ST API.

curl -k -u ADMINUSER:ADMINPASS -X POST --header "Content-Type: multipart/mixed" --header "Accept: application/json" -F "myPartName1=@DATA_FILE.TXT;type=application/json" -F "myPartName2=@CERTIFICATE_OR_KEY_FILE;type=application/octet-stream" https://HOSTNAME:ADMINPORT/api/v2.0/certificates

In the above command replace:

ADMINUSER:ADMINPASS with the proper admin credentials

HOSTNAME with the hostname or IP of SecureTransport

ADMINPORT with the port, on which the ST's admin service runs on

DATA_FILE.TXT is the data file

CERTIFICATE_OR_KEY_FILE is the certificate/SSH key file

Programmatic REST API 2.0 usage

Sample raw request for importing a Login certificate, illustrating the multipart/mixed structure

POST https://sthost.org.int:444/api/v2.0/certificates HTTP/1.1
accept: application/json
Content-Type: multipart/mixed; boundary=BOUNDARY 
Authorization: Basic admin:admin
Referer: referer

--BOUNDARY
Content-Type: application/json

{
      "account": "accountname",
      "type": "x509",
      "usage": "login"
}
--BOUNDARY
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="cert.crt"

-----BEGIN CERTIFICATE-----
(cert body here)
-----END CERTIFICATE-----

--BOUNDARY--