POST SSH/ExportSelfServicePrivateKey
Downloads a private key for manual installation. Used in cases where keyset rotation is paused and there is no agent on the device to handle keyset renewal.
Requirements
- Permissions: The caller must have Owner permission to the key. This permission is automatically set on the created virtual device object. Otherwise, the caller must have Read permission and Private Key Read permission to the policy folder.
- Token scope: SSH
Headers
- Content type: Content-Type:application/json.
- Token: The bearer access token that you received. For example, Authorization:Bearer 4MyGeneratedBearerTknz==. For more information, see Passing a bearer token in your API calls.
Parameters
Name | Description |
---|---|
KeyId | The identifier of the key to download from Trust Protection Platform. To get the KeyId, call GET SSH/KeysetDetails. |
Format | (Optional) Format of the key material: OpenSSH, PuTTY, SSH2, or Tectia (only for private keys). If the format is not specified, the value is taken from the policy. If the policy format is not specified, the default is OpenSSH. |
Passphrase | (Optional) The passphrase to use to encrypt the key. To specify a passphrase, use your own company standards or follow the guidelines from the National Institute of Standards and Technology (NIST). |
Returns
For valid requests, SSH/ExportSelfServicePrivateKey returns an HTTP 200 message and the following data in the message body:
Name | Description |
---|---|
KeyMaterial | The description of the key format. |
Response | Returns Success and True when the private key is exported successfully. Otherwise, returns the SSH SshWebResponse object. |
Example: Export a private key via SSH
Request
POST https://tpp.venafi.example/vedsdk/SSH/ExportSelfServicePrivateKey
Authorization:Bearer 4MyGeneratedBearerTknz==
{
   "KeyId":453,
   "Format":"SSH2",
   "Passphrase":"M!yPassphrase"
}
Response
HTTP/1.1 200 OK
{
   "KeyMaterial":"-----BEGIN RSA PRIVATE KEY-----\u000aMIIEog... -----END RSA PRIVATE KEY-----\u000a",
   "Response":{
      "Success":true
   }
}
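The following Python client sketch is an added example, not part of the original documentation: it builds the request shown above and writes the returned KeyMaterial to a new owner-only file after checking Response.Success. The function names, the sample response and its placeholder key text are constructed for illustration; the host is the example host used on this page.

```python
import json
import os
import tempfile
import urllib.request

BASE_URL = "https://tpp.venafi.example/vedsdk"  # example host used on this page

# Constructed sample response body; the key text is a placeholder, not a real key.
SAMPLE_RESPONSE = (
    r'{"KeyMaterial":"-----BEGIN RSA PRIVATE KEY-----\u000aPLACEHOLDER\u000a'
    r'-----END RSA PRIVATE KEY-----\u000a","Response":{"Success":true}}'
)


def build_export_request(token, key_id, passphrase, fmt="OpenSSH"):
    """Build the POST; token and passphrase are supplied by the caller, not hard-coded."""
    body = json.dumps({"KeyId": key_id, "Format": fmt, "Passphrase": passphrase})
    return urllib.request.Request(
        BASE_URL + "/SSH/ExportSelfServicePrivateKey",
        data=body.encode("utf-8"),
        method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": "Bearer " + token},
    )


def save_private_key(response_body, path):
    """Check Response.Success, then write KeyMaterial to a new owner-only file."""
    doc = json.loads(response_body)  # also turns the \u000a escapes into newlines
    if (doc.get("Response") or {}).get("Success") is not True:
        # Do not echo the body in the error: it may contain key material.
        raise RuntimeError("private key export was not successful")
    key = doc.get("KeyMaterial")
    if not isinstance(key, str) or not key.strip():
        raise ValueError("response carries no KeyMaterial")
    # O_EXCL refuses to reuse an existing file; 0o600 keeps the key owner-only.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", newline="") as fh:
        fh.write(key)
    return path


if __name__ == "__main__":
    req = build_export_request("<bearer-token>", 453, "<passphrase>", "SSH2")
    print(req.get_method(), req.full_url)
    target = os.path.join(tempfile.mkdtemp(), "id_exported")
    save_private_key(SAMPLE_RESPONSE, target)
    print("wrote", target, oct(os.stat(target).st_mode & 0o777))
```

Against a real server, pass the body read from `urllib.request.urlopen(req)` to `save_private_key`.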