GET Certificates/{guid}

Retrieves details and validation information about a certificate.

This API call confirms:

  • The target host information matches the Host, Fully Qualified Domain Name (FQDN), or common name with Policy tree information.
  • The communications protocol and connectivity with the target host.
  • The certificate is valid for the target host.

Venafi Trust Protection Platform has updated certificate association data retrieval processes that use the UI and websdk APIs. The update optimizes the retrieval process by fetching data from new tables, where certificate strings such as common name, organization, organization unit, locality, state, country, and subject alternative names are normalized in a case-insensitive name table. However, the casing of the first added string pattern will determine the value returned for any related query. For instance, if a certificate is imported with 'CN=MyCommonName' and another certificate with 'CN=mycommonname', the returned value for any query will be 'CN=MyCommonName'.

The update also reduces database size by removing most certificate secret store associations from the store_associations table. As a result, the secret store association REST APIs for certificates have been officially deprecated and will no longer work for many certificate-specific associations. Instead, use the certificates REST APIs, which are documented in the Certificates API documentation. These changes impact users performing an upgrade, and it is essential to ensure that all certificates are managed correctly after the upgrade.


  • Permissions: The caller must have View permission and Read permission.
  • Token scope:  Certificate


  • Content type: Content-Type:application/json.

  • Token: The bearer access token that you received. For example, Authorization:Bearer 4MyGeneratedBearerTknz==. For more information, see Passing a bearer token in your API calls.


Input parameters




The Config GUID for the Certificate object. To get the GUID, call POST Config/DnToGuid. For example, {2b6b673f-2c55-46fc-935a-5836eae9b9db}.


The Certificates/{guid} API call returns the status of certificate validation. For example, to confirm the certificate status, you can review the Certificate Details,ProcessingDetails, RenewalDetails, or ValidationDetails.

For invalid requests, Certificates/{guid} returns:

  • HTTP 404 Not Found.
  • HTTP 400 Bad Request and .

For valid requests, this API returns a HTTP 200 message and the following data in the message body.


Response description



HTTP 200

For valid requests, this call returns a HTTP 200 message and the following data in the message body:

  • ApproverAn array of one or more users or groups who are certificate approvers. Approvers have an Active Directory (AD), Light Directory Access Protocol (LDAP), or local identity. The values are:
    • Prefix: AD+Friendly Name, LDAP+Friendly Name, or local. For example, AD+JHTEST.

    • Universal: The universal ID of the user or group identity.

  • CustomFields: Absent when there are no Custom Fields. An array of user-defined fields.

    • Name: The Custom Field name.
    • Type: One of the following data types: Datetime, Identity, List, or Text.
    • Value: The Custom Field value.
  • CertificateAuthorityDN: Absent when no CA template is associated with the certificate. The CA template that is required for certificate renewal.

  • CertificateDetails

  • Contact:  An array of one or more users or groups who receive event notifications. The events notify people about certificate expiration and validation failures: Contacts have an AD, LDAP, or local identity. The parameters are:
    • Prefix: AD+Friendly Name, LDAP+Friendly Name, or local. For example, AD+JHTEST.

    • Universal: The universal ID of the user or group identity.

  • CreatedBy: The object that initiated enrollment or provisioning changes. The default is Web SDK.
  • CreatedOn: The exact date and time when the Certificate object was created.

  • Disabled: This parameter appears only when the certificate is retired or disabled.

  • DN: The DN of the certificate.

  • Guid: The Certificate object GUID enclosed in curly braces. For example, {7c285e-2d04-44bb-837c-dbd95ec5f491}.

  • Consumers: Available only when the certificate is associated with at least one Application object. An array of all consumers of a Certificate object.

  • ManagementType

  • Name: The DN of the certificate.
  • ParentDN: The full path to the parent of the object in Trust Protection Platform.

  • ProcessingDetails

  • RenewalDetails:

  • SchemaClass:  The class name of the Certificate object: X.509 Certificate, X509 Code Signing Certificate,X.509 Device Certificate, X.509 Server Certificate, or X.509 User Certificate.

  • ValidationDetails:

HTTP 400

For invalid requests, this call returns a HTTP 400 BadRequest and the following data in the message body:

ErrorDetails: Returns a Bad Request for errors and the reason appears in the Error field of the message body.

HTTP 404 Not Found


Example: View the status of a certificate

To learn about a certificate status, you can review ProcessingDetails, RenewalDetails, or ValidationDetails.


GET https://test.venafi.example/vedsdk/certificates/
Authorization:Bearer 4MyGeneratedBearerTknz==


HTTP/1.1 200 OK
         "0:http:\/\/\/CertEnroll\/qavenafica.venqa.venafi .com_QA%20Venafi%20CA.crt",
            DC=venqa,DC=venafi,DC=com?cACertificate?base?objectClas s=certificationAuthority"
      "EnhancedKeyUsage":"Server Authentication (
            Smart Card Logon (",
      "Status":"Access denied due to access_denied_invalid_key."
   "SchemaClass":"X509 Server Certificate",