POST Certificates/CheckPolicy
Returns the settings of a policy folder and a compliance assessment of a Certificate Signing Request (CSR) against those settings.
You can also call this method before enrollment to determine the status of the CSR's private key. Certificates/CheckPolicy:
- Determines whether the private key is already in use (reported as PrivateKeyReused in the response).
- Determines whether the policy folder allows a certificate to reuse the same private key (reported as PrivateKeyReuseAllowed in the response).
Requirements
- Permissions: The caller must have Read permission and Private Key Read permission to the Certificate object.
- Token scope: Certificate:Manage
Headers
- Content type: Content-Type:application/json.
- Token: The bearer access token that you received. For example, Authorization:Bearer 4MyGeneratedBearerTknz==. For more information, see Passing a bearer token in your API calls.
Parameters
Name | Description
---|---
PolicyDN | The Distinguished Name (DN) of the policy folder.
PKCS10 | (Optional) The PEM-encoded CSR whose contents are verified against the Trust Protection Platform policy. Inside the JSON string, each line break of the PEM block must be escaped as \n (see the example request). Omit this parameter to retrieve only the policy settings.
Returns
The response contains the CSR compliance details, the Enrollable result, any error, and the policy settings from the Policy DN. It also reports whether a certificate is currently in the enrollment process. Enrollable is the authoritative answer: a CSR can be non-enrollable even when every entry in Details is reported as Compliant (as in the example response below), so do not derive enrollability from the per-field flags alone. Only Locked policy settings are enforced against the CSR; in the example, the CSR City (El Granada) is Compliant although the policy City is SLC, because that setting is not locked. Certificates/CheckPolicy:
- Returns HTTP 200 with a message body that contains data in the CSR (Details and Enrollable) and Policy fields.
- Returns HTTP 400 Bad Request for errors; the reason appears in the Error field of the message body.
- Returns HTTP 403 Forbidden for requests that lack authorization from Trust Protection Platform (missing token scope or missing object permissions; see Requirements).
Name | Description
---|---
HTTP 200 | For valid requests, the message body contains: CSR, information about the Certificate Signing Request, namely Details (one entry per subject, key and Subject Alternative Name attribute, each with a Compliant flag and its Value or Values) and the Enrollable result; Error, null unless there is an error; Policy, the settings from the Policy DN (most with a Locked flag and a Value), which you can compare against the CSR Details.
HTTP 400 | For invalid requests, the message body contains the reason in the Error field. The CSR and Policy values are null, and one of the corresponding error messages accompanies the HTTP 400 Bad Request.
Example: Determine CSR compliance with a Trust Protection Platform policy
Request

```http
POST https://tpp.venafi.example/vedsdk/Certificates/CheckPolicy
Authorization: Bearer 4MyGeneratedBearerTknz==
Content-Type: application/json

{
  "PolicyDN": "\\VED\\Policy\\Import",
  "PKCS10": "-----BEGIN CERTIFICATE REQUEST-----\nMIIFPjC... -----END CERTIFICATE REQUEST-----\n"
}
```

Response

```http
HTTP/1.1 200 OK

{
  "CSR": {
    "Details": {
      "City": { "Compliant": true, "Value": "El Granada" },
      "CommonName": { "Compliant": true, "Value": "silvana_a37fe.venafi.test" },
      "Country": { "Compliant": true, "Value": "US" },
      "KeyAlgorithm": { "Compliant": true, "Value": "RSA" },
      "KeySize": { "Compliant": true, "Value": 2048 },
      "Organization": { "Compliant": true, "Value": "Venafi" },
      "OrganizationalUnit": { "Compliant": true, "Values": [ "Auto" ] },
      "PrivateKeyReused": { "Compliant": true, "Value": true },
      "State": { "Compliant": true, "Value": "CA" },
      "SubjAltNameDns": { "Compliant": true, "Values": [ ] },
      "SubjAltNameEmail": { "Compliant": true, "Values": [ ] },
      "SubjAltNameIp": { "Compliant": true, "Values": [ ] },
      "SubjAltNameUpn": { "Compliant": true, "Values": [ ] },
      "SubjAltNameUri": { "Compliant": true, "Values": [ ] }
    },
    "Enrollable": false
  },
  "Error": null,
  "Policy": {
    "CertificateAuthority": { "Locked": false, "Value": null },
    "CsrGeneration": { "Locked": false, "Value": "ServiceGenerated" },
    "KeyGeneration": { "Locked": false, "Value": "Central" },
    "KeyPair": {
      "KeyAlgorithm": { "Locked": false, "Value": "RSA" },
      "KeySize": { "Locked": false, "Value": 2048 }
    },
    "ManagementType": { "Locked": false, "Value": "Monitoring" },
    "PrivateKeyReuseAllowed": true,
    "SubjAltNameDnsAllowed": true,
    "SubjAltNameEmailAllowed": true,
    "SubjAltNameIpAllowed": true,
    "SubjAltNameUpnAllowed": true,
    "SubjAltNameUriAllowed": true,
    "Subject": {
      "City": { "Locked": false, "Value": "SLC" },
      "Country": { "Locked": false, "Value": "US" },
      "Organization": { "Locked": false, "Value": "Venafi" },
      "OrganizationalUnit": { "Locked": false, "Values": [ "Venafi Test" ] },
      "State": { "Locked": false, "Value": "Utah" }
    },
    "UniqueSubjectEnforced": false,
    "WhitelistedDomains": [ ],
    "WildcardsAllowed": true
  }
}
```
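The following Python client is an added example, not Venafi's own code, that ties the sections above together: it builds the request body so that the PEM line breaks become \n escapes, maps the documented 200, 400 and 403 outcomes to Python results and exceptions, and reads Enrollable, the non-compliant Details entries and the PrivateKeyReused / PrivateKeyReuseAllowed pair out of the response. The hostname, token, policy DN, PEM text, the sample response bodies and the error message text are constructed placeholders; the response shapes follow the example response above.

```python
"""Added example (not Venafi's code): call Certificates/CheckPolicy and read the result.
All hostnames, tokens, DNs, PEM text and sample bodies below are constructed placeholders."""
import json
import urllib.error
import urllib.request

CHECK_POLICY_PATH = "/vedsdk/Certificates/CheckPolicy"


def build_request(base_url, token, policy_dn, pem_csr=None):
    """Build the POST. PKCS10 is optional: omit it to fetch only the policy settings.
    json.dumps turns the real newlines of the PEM block into the \\n escapes the API
    expects, so the CSR can be passed exactly as read from disk."""
    body = {"PolicyDN": policy_dn}
    if pem_csr is not None:
        body["PKCS10"] = pem_csr
    return urllib.request.Request(
        base_url.rstrip("/") + CHECK_POLICY_PATH,
        data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json",
                 "Authorization": "Bearer " + token},  # token needs the Certificate:Manage scope
        method="POST",
    )


def check_policy(base_url, token, policy_dn, pem_csr=None, timeout=30):
    """Send the request and map the documented status codes to Python outcomes."""
    req = build_request(base_url, token, policy_dn, pem_csr)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:  # HTTP 200
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        payload = exc.read().decode("utf-8", "replace")
        if exc.code == 400:  # the reason is in the Error field of the body
            try:
                reason = json.loads(payload).get("Error") or payload
            except ValueError:
                reason = payload
            raise ValueError(f"CheckPolicy rejected the request: {reason}") from exc
        if exc.code == 403:  # missing scope, or missing Read / Private Key Read permission
            raise PermissionError("CheckPolicy: not authorized by Trust Protection Platform") from exc
        raise


def assess(response):
    """Summarise a CheckPolicy body. Enrollable is the verdict; the per-field Compliant
    flags only say which attributes to fix (the page's example has every field
    Compliant yet Enrollable false), so both are reported separately."""
    if response.get("Error"):
        return {"enrollable": False, "error": response["Error"], "noncompliant": [],
                "key_reused": None, "key_reuse_allowed": None}
    details = response["CSR"]["Details"]
    noncompliant = sorted(name for name, field in details.items()
                          if not field.get("Compliant", False))
    return {
        "enrollable": bool(response["CSR"].get("Enrollable")),
        "error": None,
        "noncompliant": noncompliant,
        # A key already bound to another certificate is a policy decision, not just
        # a compliance flag: surface both facts so the caller can act on them.
        "key_reused": bool(details.get("PrivateKeyReused", {}).get("Value")),
        "key_reuse_allowed": bool(response["Policy"].get("PrivateKeyReuseAllowed")),
    }


# Constructed sample bodies; shapes mirror the documented response.
SAMPLE_OK = {  # like the page's example: all fields Compliant, yet not Enrollable
    "CSR": {"Details": {
        "CommonName": {"Compliant": True, "Value": "silvana_a37fe.venafi.test"},
        "KeyAlgorithm": {"Compliant": True, "Value": "RSA"},
        "KeySize": {"Compliant": True, "Value": 2048},
        "PrivateKeyReused": {"Compliant": True, "Value": True},
        "SubjAltNameDns": {"Compliant": True, "Values": []},
    }, "Enrollable": False},
    "Error": None,
    "Policy": {"KeyPair": {"KeySize": {"Locked": False, "Value": 2048}},
               "PrivateKeyReuseAllowed": True},
}
SAMPLE_WEAK_KEY = {  # constructed: a 1024-bit CSR against a policy that locks 2048
    "CSR": {"Details": {
        "CommonName": {"Compliant": True, "Value": "weak.venafi.test"},
        "KeyAlgorithm": {"Compliant": True, "Value": "RSA"},
        "KeySize": {"Compliant": False, "Value": 1024},
        "PrivateKeyReused": {"Compliant": True, "Value": False},
    }, "Enrollable": False},
    "Error": None,
    "Policy": {"KeyPair": {"KeySize": {"Locked": True, "Value": 2048}},
               "PrivateKeyReuseAllowed": True},
}
# Constructed placeholder error text; the real messages are not listed on this page.
SAMPLE_ERROR = {"CSR": None, "Error": "constructed example error", "Policy": None}

if __name__ == "__main__":
    req = build_request("https://tpp.venafi.example", "4MyGeneratedBearerTknz==",
                        "\\VED\\Policy\\Import",
                        "-----BEGIN CERTIFICATE REQUEST-----\nMIIF...\n-----END CERTIFICATE REQUEST-----\n")
    print(req.get_full_url(), req.data.decode())
    for sample in (SAMPLE_OK, SAMPLE_WEAK_KEY, SAMPLE_ERROR):
        print(assess(sample))
```

Treat a `key_reused` of true as a finding even when `key_reuse_allowed` is true: the API tells you the policy tolerates it, not that sharing a private key across certificates is a good idea. Run `check_policy` against a real instance only after `build_request` produces the body you expect; the `__main__` block prints it for inspection.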