POST SSH/ExportSelfServicePrivateKey

Downloads a private key for manual installation. Used in cases where keyset rotation is paused and there is no agent on the device to handle keyset renewal.

Requirements

  • Permissions: The caller must have Owner permission to the key. The permissions are automatically set on the created virtual device object. Otherwise, the caller must have Read permission and Private Key Read permission to the policy folder.
  • Token scope:  SSH

Headers

  • Content type: Content-Type:application/json.

  • Token: The bearer access token that you received. For example, Authorization:Bearer 4MyGeneratedBearerTknz==. For more information, see Passing a bearer token in your API calls.

Parameters

Input parameters

  • KeyId: The identifier of the key to download from Trust Protection Platform. To get the KeyId, call GET SSH/KeysetDetails.

  • Format: (Optional) Format of the key material: OpenSSH, PuTTY, SSH2, or Tectia. (Only for private keys.) If format is not specified, the value is taken from the policy. If the policy format is not specified, the default is OpenSSH.

  • Passphrase: (Optional) The passphrase to use to encrypt the key. To specify a passphrase, use your own company standards or follow the guidelines from the National Institute of Standards and Technology (NIST).

Returns

For valid requests, SSH/ExportSelfServicePrivateKey returns an HTTP 200 message and the following data in the message body:

Response description

  • KeyMaterial: The description of the key format.

  • Response: Returns Success and True when the private key is exported successfully. Otherwise, returns the SSH SshWebResponse object.

Example: Export a private key via SSH

Request

POST https://tpp.venafi.example/vedsdk/SSH/ExportSelfServicePrivateKey
Authorization:Bearer 4MyGeneratedBearerTknz==
{
   "KeyId":453,
   "Format":"SSH2",
   "Passphrase":"M!yPassphrase"
}

Response

HTTP/1.1 200 OK
{
   "KeyMaterial":"-----BEGIN RSA PRIVATE KEY-----\u000aMIIEog...
       -----END RSA PRIVATE KEY-----\u000a",
   "Response":{
      "Success":true
   }
}
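
A client-side sketch of the call documented above, added here as an example and not taken from the product's own code: it builds the request with the documented headers and parameters, checks Response.Success, and writes KeyMaterial to a new file that only its owner can read. The function names, the base URL argument and the file handling are assumptions of this example.

```python
import json
import os
import urllib.request

ALLOWED_FORMATS = {"OpenSSH", "PuTTY", "SSH2", "Tectia"}  # values listed on this page


def build_export_request(base_url, token, key_id, fmt=None, passphrase=None):
    """Build the POST for SSH/ExportSelfServicePrivateKey (token needs SSH scope)."""
    body = {"KeyId": key_id}
    if fmt is not None:
        if fmt not in ALLOWED_FORMATS:
            raise ValueError(f"unsupported Format: {fmt!r}")
        body["Format"] = fmt
    if passphrase is not None:
        body["Passphrase"] = passphrase
    return urllib.request.Request(
        base_url.rstrip("/") + "/SSH/ExportSelfServicePrivateKey",
        data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {token}"},
        method="POST",
    )


def save_key_material(response_text, path):
    """Check Response.Success, then write KeyMaterial to a new owner-only file."""
    doc = json.loads(response_text)
    if not (doc.get("Response") or {}).get("Success") or not doc.get("KeyMaterial"):
        # Report only that the export failed; never echo the body, it may hold key data.
        raise RuntimeError("export did not return a private key")
    # O_EXCL refuses to overwrite an existing path; 0o600 is owner read/write only.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8", newline="\n") as fh:
        fh.write(doc["KeyMaterial"])
    return path


def export_private_key(base_url, token, key_id, path, fmt=None, passphrase=None):
    """Call the endpoint over HTTPS and store the key (needs a reachable server)."""
    req = build_export_request(base_url, token, key_id, fmt, passphrase)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return save_key_material(resp.read().decode("utf-8"), path)
```

Read the bearer token and passphrase from a secret store or an interactive prompt rather than from command-line arguments, which other local users can see in the process list.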