POST SSH/AddHostPrivateKey
Creates and installs a new private key on a host device. If the host already has a keyset, a new keyset is generated. The key algorithm and key length are taken from the SSH policy of the device's folder; if the policy's Algorithm is empty, the default is RSA, and if its Key Size is empty, the length is 2048 bits.
SSH/AddHostPrivateKey returns as soon as the key has been generated and inserted into the Trust Protection Platform database. It does not wait until the key is actually provisioned on the specified device, which can take time depending on the configured Agent schedule. A 200 response with Success:true therefore means the key exists in the database, not that it is installed on the host. To track the progress of key operations, call POST SSH/KeyDetails.
Requirements
- Permissions:
  - Owner permission of any private key in this keyset.
  - Read permission to the device for any key in this keyset.
  - Read permission to the private key for the policy where the self-service key is present.
- Token scope: SSH:Manage
Headers
- Content type: Content-Type:application/json.
- Token: The bearer access token that you received. For example, Authorization:Bearer 4MyGeneratedBearerTknz==. For more information, see Passing a bearer token in your API calls.
Parameters

| Name | Description |
|---|---|
| DeviceGuid | The GUID that identifies a device. Depending on your environment, the GUID may be expressed with or without curly braces {}. For example, {3d6b61d-1c71-4603-883f-25b8c2ceecdd}. To get the GUID, use POST SSH/KeysetDetails or the UI. |
| Filepath | The installation path of the key on the device. |
| Format | (Optional) The key format: OpenSSH, PuTTY, SSH2, or Tectia. Omit this parameter if the private key should use the policy setting. |
| PolicyDN | The Distinguished Name (DN) of the Policy folder where the new SSH keyset will be created. Omit this parameter if the SSH keyset does not go in a Policy folder. By default, SSH keysets are not created in policies. |
| PolicyPath | |
| Username | The name of the user on the specified device that will own the key. |
Returns

| Name | Description |
|---|---|
| KeyId | The identifier of the newly created key. |
| KeysetId | The identifier for a set of public and private keys. The value is hexadecimal. If there is no private key password, the format is EncryptedPrivateKey-[unique number]. For example, EncryptedPrivateKey-3. |
| Response | The SSH SshWebResponse object with the result of the operation. Check Success before using KeyId or KeysetId. If the keyset was generated outside of Trust Protection Platform, error code 6 occurs. For more information, see SSH web error codes. |
Example: Provision a private key to a device
Request

```http
POST https://tpp.venafi.example/vedsdk/SSH/AddHostPrivateKey
Authorization: Bearer 4MyGeneratedBearerTknz==
Content-Type: application/json

{
  "DeviceGuid": "{9063f994-bcf6-4053-b521-94a917123845}",
  "Filepath": "/etc/ssh/id_rsa",
  "Format": "SSH2",
  "PolicyDN": "\\VED\\Policy\\Keyset",
  "Username": "user"
}
```

Response

```http
HTTP/1.1 200 OK

{
  "KeyId": 7117,
  "KeysetId": "2DF312EF35D6D7E1672FF2BCC5CF220030042771",
  "Response": {
    "Success": true
  }
}
```
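The following Python client is an added example, not Venafi's own code, showing the full flow the sections above describe: send the request with the two required headers, omit optional parameters rather than sending them empty so the folder's SSH policy applies, treat Success:false (including error code 6) as a failure, and then poll POST SSH/KeyDetails because the call returns before the Agent installs the key. The base URL and token are placeholders; the ErrorCode and ErrorMessage fields of SshWebResponse, the {"KeyId": ...} body for SSH/KeyDetails, and the "Provisioned" field used to decide when polling can stop are assumptions not stated on this page, so the poller takes a predicate you adapt to your deployment.

```python
"""Call SSH/AddHostPrivateKey and poll SSH/KeyDetails until the key is provisioned.

Added example, not Venafi's client code. Assumed (not on the page): the
ErrorCode/ErrorMessage fields of SshWebResponse, the request body of
SSH/KeyDetails, and how a KeyDetails reply signals "provisioned".
"""
import json
import time
import urllib.request
from typing import Any, Callable, Dict, Optional, Tuple

JsonDict = Dict[str, Any]
Poster = Callable[[str, JsonDict], JsonDict]  # (path under /vedsdk, body) -> decoded JSON

KEYSET_GENERATED_OUTSIDE_TPP = 6  # error code named in the Returns table


def make_tpp_poster(base_url: str, token: str) -> Poster:
    """Build a poster that sends JSON to <base_url>/<path> with the two headers
    the endpoint requires: Content-Type and the bearer token."""
    def post(path: str, body: JsonDict) -> JsonDict:
        req = urllib.request.Request(
            f"{base_url.rstrip('/')}/{path}",
            data=json.dumps(body).encode("utf-8"),
            headers={
                "Content-Type": "application/json",
                "Authorization": f"Bearer {token}",
            },
            method="POST",
        )
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read().decode("utf-8"))
    return post


class TppError(RuntimeError):
    """Raised when SshWebResponse reports Success == false."""
    def __init__(self, code: Optional[int], message: str) -> None:
        super().__init__(f"TPP error {code}: {message or '(no message)'}")
        self.code = code


def add_host_private_key(post: Poster, device_guid: str, filepath: str, username: str,
                         policy_dn: Optional[str] = None,
                         key_format: Optional[str] = None) -> Tuple[int, str]:
    """Request a new host private key; returns (KeyId, KeysetId).

    Optional parameters are left out of the body rather than sent empty, so
    the key format and policy placement fall back to the folder's SSH policy."""
    body: JsonDict = {"DeviceGuid": device_guid, "Filepath": filepath, "Username": username}
    if policy_dn is not None:
        body["PolicyDN"] = policy_dn
    if key_format is not None:
        body["Format"] = key_format
    result = post("SSH/AddHostPrivateKey", body)
    response = result.get("Response") or {}
    if not response.get("Success"):
        # ErrorCode / ErrorMessage are an assumption about the SshWebResponse shape.
        raise TppError(response.get("ErrorCode"), response.get("ErrorMessage", ""))
    return int(result["KeyId"]), str(result["KeysetId"])


def wait_for_key(post: Poster, key_id: int, is_provisioned: Callable[[JsonDict], bool],
                 attempts: int = 30, delay_s: float = 10.0,
                 sleep: Callable[[float], None] = time.sleep) -> Tuple[JsonDict, int]:
    """Poll SSH/KeyDetails until is_provisioned(details) is true.

    AddHostPrivateKey returns before the Agent installs the key, so the caller
    must poll. The {"KeyId": ...} body and the meaning of the reply are
    assumptions; pass a predicate that matches your deployment.
    Returns (details, number of polls used)."""
    for attempt in range(1, attempts + 1):
        details = post("SSH/KeyDetails", {"KeyId": key_id})
        if is_provisioned(details):
            return details, attempt
        sleep(delay_s)
    raise TimeoutError(f"key {key_id} not provisioned after {attempts} polls")


if __name__ == "__main__":
    # Placeholder host and token; the "Provisioned" field is an assumed KeyDetails field.
    poster = make_tpp_poster("https://tpp.venafi.example/vedsdk", "4MyGeneratedBearerTknz==")
    key_id, keyset_id = add_host_private_key(
        poster, "{9063f994-bcf6-4053-b521-94a917123845}", "/etc/ssh/id_rsa", "user",
        policy_dn=r"\VED\Policy\Keyset", key_format="SSH2")
    details, polls = wait_for_key(poster, key_id, lambda d: d.get("Provisioned") is True)
    print(key_id, keyset_id, polls, details)
```

Because the poster is injected, the same functions can be exercised against a fake transport that replays the page's sample response, which is how the flow was checked here; in production the poll interval should be at least the Agent schedule, or the loop will exhaust its attempts before the first provisioning run.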