GET Certificates/{guid}

Retrieves details and validation information about a certificate.

This API call confirms:

  • The target host information matches the Host, Fully Qualified Domain Name (FQDN), or common name with Policy tree information.
  • The communications protocol and connectivity with the target host.
  • The certificate is valid for the target host.

Venafi Trust Protection Platform has updated certificate association data retrieval processes that use the UI and websdk APIs. The update optimizes the retrieval process by fetching data from new tables, where certificate strings such as common name, organization, organization unit, locality, state, country, and subject alternative names are normalized in a case-insensitive name table. However, the casing of the first added string pattern will determine the value returned for any related query. For instance, if a certificate is imported with 'CN=MyCommonName' and another certificate with 'CN=mycommonname', the returned value for any query will be 'CN=MyCommonName'.

The update also reduces database size by removing most certificate secret store associations from the store_associations table. As a result, the secret store association REST APIs for certificates have been officially deprecated and will no longer work for many certificate-specific associations. Instead, use the certificates REST APIs, which are documented in the Certificates API documentation. These changes impact users performing an upgrade, and it is essential to ensure that all certificates are managed correctly after the upgrade.

Requirements

  • Permissions: The caller must have View permission and Read permission.
  • Token scope:  Certificate

Headers

  • Content type: Content-Type:application/json.

  • Token: The bearer access token that you received. For example, Authorization:Bearer 4MyGeneratedBearerTknz==. For more information, see Passing a bearer token in your API calls.

Parameters

Input parameters

Name

Description

{guid}

The Config GUID for the Certificate object. To get the GUID, call POST Config/DnToGuid. For example, {2b6b673f-2c55-46fc-935a-5836eae9b9db}.

Returns

The Certificates/{guid} API call returns the status of certificate validation. For example, to confirm the certificate status, you can review the Certificate Details,ProcessingDetails, RenewalDetails, or ValidationDetails.

For invalid requests, Certificates/{guid} returns:

  • HTTP 404 Not Found.
  • HTTP 400 Bad Request and .

For valid requests, this API returns a HTTP 200 message and the following data in the message body.

 

Response description

Name

Description

HTTP 200

For valid requests, this call returns a HTTP 200 message and the following data in the message body:

  • ApproverAn array of one or more users or groups who are certificate approvers. Approvers have an Active Directory (AD), Light Directory Access Protocol (LDAP), or local identity. The values are:

    • Prefix: AD+Friendly Name, LDAP+Friendly Name, or local. For example, AD+JHTEST.

    • Universal: The universal ID of the user or group identity.

  • CustomFields: Absent when there are no Custom Fields. An array of user-defined fields.

    • Name: The Custom Field name.
    • Type: One of the following data types: Datetime, Identity, List, or Text.
    • Value: The Custom Field value.

  • CertificateAuthorityDN: Absent when no CA template is associated with the certificate. The CA template that is required for certificate renewal.

  • CertificateDetails

    • AIACAIssuerURL: Available only when the certificate was issued by a well-configured CA. An array of Authority Information Access (AIA). Shows the CA issuer link and the CA's certificate details. May also include Online Certificate Status Protocol (OCSP) information about revocation.

    • AIAKeyIdentifier: Available only when the certificate was issued by a well-configured CA. The Authority Key Identifier, which is used when building the chain, should always match the Subject Key Identifier of the issuing CA's certificate.

    • C: The country.
    • CDPURI: The CRL Distribution Point (CDP) URI for certificate revocation lists (CRL).
    • CN: The Common name attribute of Subject Distinguished Name (DN).
    • EllipticCurve: Only available for ECC certificates. The key strength for encrypting public keys with the Elliptic Curve Cryptography (ECC) algorithm.
    • EnhancedKeyUsage: The PKI Server Authentication object identifier (OID).
    • Issuer: The CN, O, L, S, and C values from the certificate request.
    • KeyAlgorithm: The algorithm for the public key.
    • KeySize: Only available for RSA certificates. The bit size of the public key.
    • KeyUsage: A list of Key Usage extension values that describe the purpose of the public key.
    • L: The location. The value originates from the City field value from the certificate request.
    • O: The Organization value from the certificate request.
    • OU: An array of Organization Units or names.
    • PublicKeyHash: The public key hash string. Available only when the certificate has a private key.
    • RevocationDate: Available only when the certificate is revoked. The date the certificate will no longer be valid.

    • RevocationStatus: Available only when a revocation request occurred for the certificate or when the certificate is already revoked. The status of a revoked certificate: Complete, Confirmed, Pending or Failed. A Failed status occurs as a result of errors or a rejection of a workflow ticket.

    • S: The geographical State value from the certificate request.
    • SKIKeyIdentifier: The generated Subject Key Identifier (SKI)
    • Serial: The unique serial number that CA assigned to the certificate.
    • SignatureAlgorithm: The signature algorithm for signing the certificate.
    • SignatureAlgorithmOID: The Signature Object ID for signing the certificate.
    • StoreAdded: The Date Time stamp when the private key was added to the store.
    • Subject: The CN, O, L, S, and C values from the certificate request.
    • SubjectAltNameDNS: An array of Domain Name System (DNS) SANs.
    • SubjectAltNameEmail: An array of Email SANs. Based on RFC 822.
    • SubjectAltNameIPAddress: An array of IP Address SANs.
    • SubjectAltNameOtherNameUPN: An array of User Principal Name (UPN) SANs.
    • SubjectAltNameURI: An array of Uniform Resource Indicator (URI) SANs.
    • Template Major Version: Only available if there is a certificate template major version.
    • Template Minor Version: Only available if there is a certificate template version.
    • Template Name: Only available if a friendly template name that issued a certificate.
    • Template Oid: Only available if the certificate originated from a certificate template. The object ID (OID) of the template that issued a certificate.
    • Thumbprint: The SHA1 thumbprint hash of the certificate.
    • ValidFrom: The date when the certificate was issued.
    • ValidTo: The date when the certificate expires.
  • Contact:  An array of one or more users or groups who receive event notifications. The events notify people about certificate expiration and validation failures: Contacts have an AD, LDAP, or local identity. The parameters are:

    • Prefix: AD+Friendly Name, LDAP+Friendly Name, or local. For example, AD+JHTEST.

    • Universal: The universal ID of the user or group identity.

  • CreatedBy: The object that initiated enrollment or provisioning changes. The default is Web SDK.

  • CreatedOn: The exact date and time when the Certificate object was created.

  • Disabled: This parameter appears only when the certificate is retired or disabled.

  • DN: The DN of the certificate.

  • Guid: The Certificate object GUID enclosed in curly braces. For example, {7c285e-2d04-44bb-837c-dbd95ec5f491}.

  • Consumers: Available only when the certificate is associated with at least one Application object. An array of all consumers of a Certificate object.

  • ManagementType

    • Enrollment: Default. Issue a new certificate, renewed certificate, or send a key generation request to a CA for enrollment. Do not automatically provision the certificate.
    • Provisioning: Issue a new certificate, renewed certificate, or key generation request to a CA for enrollment. Automatically install or provision the certificate.
    • Monitoring: Allow Trust Protection Platform to monitor the certificate for expiration and renewal.
    • Unassigned: Certificates are not enrolled or monitored by Trust Protection Platform.
  • Name: The DN of the certificate.

  • ParentDN: The full path to the parent of the object in Trust Protection Platform.

  • ProcessingDetails

    Absent when the certificate is not currently processing in the Trust Protection Platform lifecycle:

    • InError: Appears only when there is a certificate processing error.
    • InProcess: Appears only during certificate processing.
    • Stage: The lifecycle processing stage number.
    • Status: The stage name that describes the certificate workflow status within the lifecycle.
    • TicketDN: The DN of the workflow ticket. For example, TicketDN:\\VED\\Workflow Tickets\\b56fe2d0-7da4-4b42-bc95-
      ca0a78a319c2      .

  • RenewalDetails:

    • City: The City field for the certificate Subject DN.
    • Country: The Country field for the certificate Subject DN.
    • Organization: The Organization field for the certificate Subject DN.
    • OrganizationUnit: An array of organization units or names.
    • State: The State field for the certificate Subject DN.
    • Subject: The Common Name field for the certificate Subject Distinguished Name (DN).
    • SubjectAltNameDNS: An array of Domain Name System (DNS) SANs.
    • SubjectAltNameEmail: An array of Email SANs. Based on RFC 822.
    • SubjectAltNameIPAddress: An array of IP Address SANs.
    • SubjectAltNameOtherNameUPN: An array of User Principal Name (UPN) SANs.
    • SubjectAltNameURI: An array of Uniform Resource Indicator (URI) SANs.
    • ValidFrom: Certificates that are valid on this date and beyond. To get the value, call POST SecretStore/LookupAllAssociationsbyVaultid.
    • ValidTo: All certificates that are valid up until this date. To get the value, call POST SecretStore/LookupAllAssociationsbyVaultid.

  • SchemaClass:  The class name of the Certificate object: X.509 Certificate, X509 Code Signing Certificate,X.509 Device Certificate, X.509 Server Certificate, or X.509 User Certificate.

  • ValidationDetails:

    If no validation occurred, only the LastValidationStateUpdate field appears. All other ValidationDetails fields are absent.

    • LastValidationStateUpdate: The date and time of the most recent certificate validation.
    • ValidationState: The combined result of all validations performed for the certificate. The values are , None, Failure, or Success.
HTTP 400

For invalid requests, this call returns a HTTP 400 BadRequest and the following data in the message body:

ErrorDetails: Returns a Bad Request for errors and the reason appears in the Error field of the message body.
HTTP 404 Not Found

 

Example: View the status of a certificate

To learn about a certificate status, you can review ProcessingDetails, RenewalDetails, or ValidationDetails.

Request

GET https://test.venafi.example/vedsdk/certificates/
{2b6b673f-2c55-46fc-935a-5836eae9b9db}
Authorization:Bearer 4MyGeneratedBearerTknz==

Response

HTTP/1.1 200 OK
{
   "Approver":[
      "local:{cd2e9fd1-8c0a-4a00-b6b3-e1de501e5b6e}"
   ],
   "CertificateDetails":{      
         "AIACAIssuerURL":[
         "0:http:\/\/qavenafica.venqa.venafi.com\/CertEnroll\/qavenafica.venqa.venafi .com_QA%20Venafi%20CA.crt",
         "1:ldap:\/\/\/CN=QA%20Venafi%20CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,
            DC=venqa,DC=venafi,DC=com?cACertificate?base?objectClas s=certificationAuthority"
      ],
      "AIAKeyIdentifier":"3CAC9CA6...",
      "CN":"MyCertificate",
      "EnhancedKeyUsage":"Server Authentication (1.3.6.1.5.5.7.3.1)
            Smart Card Logon (1.3.6.1.4.1.311.20.2.2)",
      "Issuer":"CN=hoho",
      "KeyAlgorithm":"RSA",
      "KeySize":2048,
      "PublicKeyHash":"4D93BA33FA4DBC2E6FCB0F1BCC57DFA795659EB4",
      "Serial":"01",
      "SignatureAlgorithm":"sha1RSA",
      "SignatureAlgorithmOID":"1.2.840.113549.1.1.5",
      "StoreAdded":"2017-12-13T17:51:54.4437541Z",
      "Subject":"CN=hoho",
      "Thumbprint":"95CD28BB7DB2067A8DCB0938DEFE0792F9E9BD32",
      "ValidFrom":"2017-11-23T14:25:00.0000000Z",
      "ValidTo":"2018-11-23T14:25:00.0000000Z"
   },
   "Contact":[
      "local:{cd2e9fd1-8c0a-4a00-b6b3-e1de501e5b6e}"
   ],
   "CreatedOn":"2017-12-13T17:49:28.8028346Z",
   "DN":"\\VED\\Policy\\Reputation\\digicert_test",
   "Guid":"{941e5574-e467-46c4-a735-e5daaa65832b}",
   "Name":"digicert_test",
   "ParentDn":"\\VED\\Policy\\Reputation",
   "ProcessingDetails":{
      "InError":true,
      "Stage":500,
      "Status":"Access denied due to access_denied_invalid_key."
   },
   "RenewalDetails":{
      "Subject":"hoho"
   },
   "SchemaClass":"X509 Server Certificate",
   "ValidationDetails":{
      "LastValidationStateUpdate":"2017-12-15T23:05:37.0000000Z",
      "ValidationState":"Failure"
   }
}