GET Certificates/Retrieve/{vaultid}
Returns a certificate based on the Vault ID and Certificate Distinguished Name (DN). The requested certificate returns the appropriate mime-type and content‑disposition to allow HTTP clients to properly save the file.
Requirements
- Permissions: The caller must have Read permission and Private Key Read permission to the Certificate object.
- Token scope: Certificate:Manage
Headers
- Content type: Content-Type:application/json.
- Token: The bearer access token that you received. For example, Authorization:Bearer 4MyGeneratedBearerTknz==. For more information, see Passing a bearer token in your API calls.
Parameters
Name | Description |
---|---|
Format | (Optional) The certificate format for the return data. Specify one of the following case-sensitive values and use the exact spacing: |
FriendlyName | The label or alias to use for Base64, JKS, or PKCS #12 formats. Required for the JKS format. |
IncludeChain | (Optional) When the Format is Base64, PKCS #7, PKCS #12, or JKS, you can include the parent or root chain in the return data. |
IncludePrivateKey (Optional) | (Optional) When the Format is Base64, PKCS #7, PKCS #12, or JKS, you can include the parent or root chain in the return data. |
KeystorePassword | If the Format is JKS, you must set this value. Use the same requirements as required for Password. |
Password | If the IncludePrivateKey value is true, this value must be set. Create a strong password by using a |
RootFirstOrder (Optional) | In the REST response, the order of the certificate chain of trust. Use when IncludeChain is true. |
VaultId | Required. The Secret Store location of the certificate. To get the VaultId for the current certificate version, call POST Config/Read. For a previous version of the certificate, call GET Certificates/{guid}/PreviousVersions. The Vault ID may be expressed with or without curly braces {}. For example, {376}. |
Returns
Name | Description |
---|---|
HTTP 200 | For valid requests, GET Certificates/Retrieve/{vaultid} returns an HTTP 200 message and certificates based on the Format in the request. If the certificate is currently in enrollment, provisioning, or in error, the response contains only the current Status and processing Stage of the Certificate object. |
HTTP 400 | For invalid requests, the method fails to return the certificate data and optional private key information. GET Certificates/Retrieve/{vaultid} returns an HTTP 400 BadRequest and Error for missing parameters or one of the following errors: |
Example: Get the certificate and private key in the Base64 format
Request
GET https://tpp.venafi.example/vedsdk/Certificates/Retrieve/198?IncludePrivateKey=true&Format=Base64&Password=MynewPassw0rd
Response
HTTP/1.1 200 OK
-----BEGIN CERTIFICATE-----
MIIDa...==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,F407567710825A6A
YloY...
-----END RSA PRIVATE KEY-----
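A client-side check of the rules above, added here as an example and not taken from Venafi's documentation or SDK: it enforces the parameter dependencies this page states before building the request URL, then confirms that the private key in a Base64 response is actually encrypted before it is saved. The function names, `BASE`, and the sample response body are assumptions constructed for illustration.

```python
import re
from urllib.parse import quote, urlencode

BASE = "https://tpp.venafi.example/vedsdk"  # assumed: host from the page's example

def build_retrieve_url(vault_id, **params):
    """Apply the parameter rules stated on this page, then build the URL."""
    vid = str(vault_id).strip("{}")  # "{376}" and "376" name the same vault entry
    params = {k: str(v).lower() if isinstance(v, bool) else v for k, v in params.items()}
    if params.get("IncludePrivateKey") == "true" and not params.get("Password"):
        raise ValueError("Password is required when IncludePrivateKey is true")
    if params.get("Format") == "JKS":
        for name in ("KeystorePassword", "FriendlyName"):
            if not params.get(name):
                raise ValueError(f"{name} is required for the JKS format")
    # Password travels in the query string: keep this URL out of logs.
    return f"{BASE}/Certificates/Retrieve/{quote(vid, safe='')}?{urlencode(params)}"

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def inspect_pem(body):
    """Return label, encrypted flag and DEK-Info cipher for each PEM block."""
    blocks = []
    for label, inner in PEM_RE.findall(body):
        headers = dict(re.findall(r"^([\w-]+):[ \t]*(.+?)[ \t]*$", inner, re.M))
        proc_type = headers.get("Proc-Type", "")
        blocks.append({
            "label": label,
            "encrypted": label.startswith("ENCRYPTED") or "ENCRYPTED" in proc_type,
            "cipher": headers.get("DEK-Info", "").split(",")[0] or None,
        })
    return blocks

def key_is_protected(body):
    """True only if the body has a private key and every key block is encrypted."""
    keys = [b for b in inspect_pem(body) if b["label"].endswith("PRIVATE KEY")]
    return bool(keys) and all(b["encrypted"] for b in keys)

# Constructed response body (placeholder Base64, not real key material).
SAMPLE = """-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,F407567710825A6A

Q09OU1RSVUNURUQ=
-----END RSA PRIVATE KEY-----
"""
```

`inspect_pem` also reports the cipher named in `DEK-Info`, which in the response shown on this page is `DES-EDE3-CBC`.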